feat: add RBAC middleware with role-based route guards (GRO-103)

- New `apps/api/src/middleware/rbac.ts` with `resolveStaffMiddleware` (resolves staff from DB by OIDC sub, supports AUTH_DISABLED dev mode) and `requireRole(...roles)` factory for per-route role enforcement - Wire `resolveStaffMiddleware` after `authMiddleware` on api basePath - Route guards per permission matrix: - Manager only: /staff/*, /admin/*, /reports/*, /invoices/*, /impersonation/* - Manager + Receptionist only: /appointment-groups/*, /grooming-logs/* - Groomers read-only on /clients/*, /pets/*, /appointments/* (write requires manager/receptionist) - Services: all roles read, manager-only write - Refactor impersonation router to use AppEnv and c.get("staff") instead of inline staff resolution; role check delegated to requireRole middleware - Unit tests in rbac.test.ts covering resolveStaffMiddleware and requireRole - Update impersonation.test.ts to inject staff directly via context Closes #88 (Phase 1) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-21 15:50:45 +00:00
parent 1ac037a20d
commit 93a9ae4461
5 changed files with 434 additions and 91 deletions
@@ -0,0 +1,101 @@
+import type { MiddlewareHandler } from "hono";
+import { eq, getDb, staff } from "@groombook/db";
+import type { JwtPayload } from "./auth.js";
+
+export type StaffRole = "groomer" | "receptionist" | "manager";
+export type StaffRow = typeof staff.$inferSelect;
+
+export interface AppEnv {
+  Variables: {
+    jwtPayload: JwtPayload;
+    staff: StaffRow;
+  };
+}
+
+/**
+ * Resolves the authenticated staff record from the DB and stores it in context.
+ * Must be applied after authMiddleware on all protected routes.
+ *
+ * Dev mode (AUTH_DISABLED=true): resolves staff by X-Dev-User-Id header (treated
+ * as oidcSub), or falls back to the first manager in the DB.
+ */
+export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
+  c,
+  next
+) => {
+  const db = getDb();
+
+  if (process.env.AUTH_DISABLED === "true") {
+    const devUserId = c.req.header("X-Dev-User-Id");
+    if (!devUserId) {
+      // No header — fall back to first manager
+      const [manager] = await db
+        .select()
+        .from(staff)
+        .where(eq(staff.role, "manager"))
+        .limit(1);
+      if (!manager) {
+        return c.json({ error: "Forbidden: no staff records found" }, 403);
+      }
+      c.set("staff", manager);
+      await next();
+      return;
+    }
+    // Treat X-Dev-User-Id as the oidcSub
+    const [row] = await db
+      .select()
+      .from(staff)
+      .where(eq(staff.oidcSub, devUserId));
+    if (!row) {
+      return c.json(
+        { error: "Forbidden: no staff record found for X-Dev-User-Id" },
+        403
+      );
+    }
+    c.set("staff", row);
+    await next();
+    return;
+  }
+
+  const jwt = c.get("jwtPayload");
+  const [row] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.oidcSub, jwt.sub));
+  if (!row) {
+    return c.json(
+      { error: "Forbidden: no staff record found for authenticated user" },
+      403
+    );
+  }
+  c.set("staff", row);
+  await next();
+};
+
+/**
+ * Middleware factory that enforces one of the allowed roles.
+ * Must be applied after resolveStaffMiddleware.
+ *
+ * @example
+ *   api.use("/staff/*", requireRole("manager"));
+ *   api.use("/reports/*", requireRole("manager"));
+ */
+export function requireRole(
+  ...allowedRoles: StaffRole[]
+): MiddlewareHandler<AppEnv> {
+  return async (c, next) => {
+    const staffRow = c.get("staff");
+    if (!staffRow) {
+      return c.json({ error: "Forbidden: staff record not resolved" }, 403);
+    }
+    if (!(allowedRoles as string[]).includes(staffRow.role)) {
+      return c.json(
+        {
+          error: `Forbidden: role '${staffRow.role}' is not permitted to access this resource`,
+        },
+        403
+      );
+    }
+    await next();
+  };
+}