groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): resolve /me 500 and revoke not persisting (GRO-206)

Browse Source 
- Add explicit null check and field serialization for /api/staff/me
  to prevent serialization errors with BigInt/Date fields
- Fix revoke: separate UPDATE from RETURNING in superuser guard
  transaction to avoid FOR UPDATE + RETURNING issues in DB driver
- Add explicit updateStaffSchema with isSuperUser field (not derived
  from createStaffSchema.partial())

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
groombook-ci[bot]
2026-03-29 14:43:14 +00:00
parent 317fe57703
commit 8ebfead2d0
1 changed files with 126 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/routes/staff.ts
+126 -7
View File
@@ -15,7 +15,31 @@ const createStaffSchema = z.object({
active: z.boolean().default(true),
});
const updateStaffSchema = createStaffSchema.partial().omit({ email: true });
const updateStaffSchema = z.object({
name: z.string().min(1).max(200).optional(),
role: z.enum(["groomer", "receptionist", "manager"]).optional(),
active: z.boolean().optional(),
isSuperUser: z.boolean().optional(),
oidcSub: z.string().optional(),
});
staffRouter.get("/me", async (c) => {
const staffRow = c.get("staff");
if (!staffRow) return c.json({ error: "Staff record not found" }, 404);
// Explicitly pick serializable fields to avoid BigInt/Date/undefined serialization issues
return c.json({
id: staffRow.id,
name: staffRow.name,
email: staffRow.email,
role: staffRow.role,
active: staffRow.active,
isSuperUser: staffRow.isSuperUser,
userId: staffRow.userId,
oidcSub: staffRow.oidcSub,
createdAt: staffRow.createdAt,
updatedAt: staffRow.updatedAt,
});
});
staffRouter.get("/", async (c) => {
const db = getDb();
@@ -45,11 +69,83 @@ staffRouter.post("/", zValidator("json", createStaffSchema), async (c) => {
staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
const db = getDb();
const currentStaff = c.get("staff");
const body = c.req.valid("json");
const targetId = c.req.param("id");
// Only super users can change isSuperUser
if (body.isSuperUser !== undefined && !currentStaff.isSuperUser) {
return c.json({ error: "Forbidden: super user privileges required to modify super user status" }, 403);
}
// Before revoking or deactivating the last super user, serialize access with a
// transaction + FOR UPDATE to prevent a race where two concurrent requests both
// pass the count check and leave zero super users.
const needsSuperUserGuard = body.isSuperUser === false || body.active === false;
if (needsSuperUserGuard) {
const [guardError, row] = await db.transaction(async (tx) => {
// Lock the target row so no other request can modify it concurrently
const [target] = await tx
.select({ isSuperUser: staff.isSuperUser })
.from(staff)
.where(eq(staff.id, targetId))
.limit(1)
.for("update");
if (!target) return ["Not found", null as (typeof staff.$inferSelect | null)];
// Only enforce guard if the target is actually a super user
const isRevokingSuperUser = body.isSuperUser === false && target.isSuperUser;
const isDeactivatingSuperUser = body.active === false && target.isSuperUser;
if (!isRevokingSuperUser && !isDeactivatingSuperUser) {
const [updated] = await tx
.update(staff)
.set({ ...body, updatedAt: new Date() })
.where(eq(staff.id, targetId))
.returning();
return [null, updated];
}
// Count active super users (excluding target — it will be changed)
const superUserCount = await tx
.select({ id: staff.id })
.from(staff)
.where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, targetId)))
.limit(2);
if (superUserCount.length <= 1) {
return [
body.isSuperUser === false
? "Cannot revoke the last super user. Assign another super user first."
: "Cannot deactivate the last super user. Assign another super user first.",
null,
];
}
// Perform the update (outside the count query but still in the transaction)
await tx
.update(staff)
.set({ ...body, updatedAt: new Date() })
.where(eq(staff.id, targetId));
// Re-select to get the post-update state (avoids FOR UPDATE + RETURNING issues in some DB drivers)
const [updated] = await tx
.select()
.from(staff)
.where(eq(staff.id, targetId))
.limit(1);
return [null, updated];
});
if (guardError) return c.json({ error: guardError }, guardError === "Not found" ? 404 : 400);
if (!row) return c.json({ error: "Not found" }, 404);
return c.json(row);
}
const [row] = await db
.update(staff)
.set({ ...body, updatedAt: new Date() })
.where(eq(staff.id, c.req.param("id")))
.where(eq(staff.id, targetId))
.returning();
if (!row) return c.json({ error: "Not found" }, 404);
return c.json(row);
@@ -81,11 +177,34 @@ staffRouter.delete("/:id", async (c) => {
);
}
const [row] = await db
.delete(staff)
.where(eq(staff.id, id))
.returning();
if (!row) return c.json({ error: "Not found" }, 404);
// Prevent deleting the last super user — use transaction to avoid race
const [guardError] = await db.transaction(async (tx) => {
const [targetStaff] = await tx
.select({ isSuperUser: staff.isSuperUser })
.from(staff)
.where(eq(staff.id, id))
.limit(1)
.for("update");
if (!targetStaff) return ["Not found", null];
if (targetStaff.isSuperUser) {
const superUserCount = await tx
.select({ id: staff.id })
.from(staff)
.where(and(eq(staff.isSuperUser, true), eq(staff.active, true), ne(staff.id, id)))
.limit(2);
if (superUserCount.length <= 1) {
return ["Cannot delete the last super user. Assign another super user first.", null];
}
}
const [row] = await tx.delete(staff).where(eq(staff.id, id)).returning();
return [null, row];
});
if (guardError === "Not found") return c.json({ error: "Not found" }, 404);
if (guardError) return c.json({ error: guardError }, 400);
return c.json({ ok: true });
});