From 085c8b9cfa03340288379b32fae44202f442dac5 Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Sat, 11 Apr 2026 18:01:59 +0000
Subject: [PATCH 1/4] fix(GRO-545): switch OAuth state to cookie storage and
 add login error display
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OAuth callback was failing with "please_restart_the_process" because
Better-Auth's default DB-backed state (verification table) was unreliable —
the UAT hourly reset wipes all tables including verification records. Switch
to cookie-based state storage so the encrypted state survives in the browser
cookie across the redirect flow.

Also removes explicit redirectURI from socialProviders (Better-Auth derives
it from baseURL) and adds visible error feedback on the login page when
OAuth callbacks fail.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/lib/auth.ts |  7 +++----
 apps/web/src/App.tsx     | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
index f77dcbf..fc9f2e2 100644
--- a/apps/api/src/lib/auth.ts
+++ b/apps/api/src/lib/auth.ts
@@ -170,8 +170,6 @@ export async function initAuth(): Promise<void> {
     const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
     const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
 
-    const callbackBase = `${BETTER_AUTH_URL}/api/auth/callback`;
-
     // Build Better-Auth instance using resolved config
     authInstance = betterAuth({
       database: drizzleAdapter(db, {
@@ -179,6 +177,9 @@ export async function initAuth(): Promise<void> {
       }),
       secret: BETTER_AUTH_SECRET,
       baseURL: BETTER_AUTH_URL,
+      account: {
+        storeStateStrategy: "cookie" as const,
+      },
       plugins: [
         genericOAuth({
           config: [
@@ -205,14 +206,12 @@ export async function initAuth(): Promise<void> {
           google: {
             clientId: process.env.GOOGLE_CLIENT_ID!,
             clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/google`,
           },
         } : {}),
         ...(hasGitHub ? {
           github: {
             clientId: process.env.GITHUB_CLIENT_ID!,
             clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/github`,
           },
         } : {}),
       },
diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index efaefd3..bf34c03 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -23,17 +23,26 @@ import { useSession, signIn } from "./lib/auth-client.js";
 function LoginPage() {
   const [isLoading, setIsLoading] = useState(false);
   const [providers, setProviders] = useState<string[]>([]);
+  const [error, setError] = useState<string | null>(null);
 
   useEffect(() => {
     fetch("/api/auth/providers")
       .then((r) => r.json())
       .then((data) => setProviders(data.providers ?? []))
       .catch(() => setProviders([]));
+    const params = new URLSearchParams(window.location.search);
+    const authError = params.get("error");
+    if (authError) setError(authError.replace(/_/g, " "));
   }, []);
 
   const handleSocialLogin = async (provider: string) => {
     setIsLoading(true);
-    await signIn.social({ provider, callbackURL: window.location.origin });
+    setError(null);
+    const result = await signIn.social({ provider, callbackURL: window.location.origin });
+    if (result?.error) {
+      setError(result.error.message ?? "Sign-in failed");
+      setIsLoading(false);
+    }
   };
 
   const isGoogle = providers.includes("google");
@@ -65,6 +74,11 @@ function LoginPage() {
         <p style={{ color: "#6b7280", marginBottom: "1.5rem", fontSize: 14 }}>
           Sign in to continue
         </p>
+        {error && (
+          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 6, padding: "0.5rem 0.75rem", marginBottom: "1rem", color: "#991b1b", fontSize: 13 }}>
+            {error}
+          </div>
+        )}
         {isGoogle && (
           <button
             onClick={() => handleSocialLogin("google")}

From 88e6845027b3bd6d384f87e0dcfd750c04a9cecc Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Sat, 11 Apr 2026 18:13:24 +0000
Subject: [PATCH 2/4] chore: update infra submodule to include social auth env
 vars (GRO-545)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 infra | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra b/infra
index 49575eb..d6c0d13 160000
--- a/infra
+++ b/infra
@@ -1 +1 @@
-Subproject commit 49575eb4f69715d22c8517339a7c0d388f339f9b
+Subproject commit d6c0d13d0256cb9209acb9445f0fdf44fa9801ad

From 8002a3db962caef75be4c0e2feaacbf9997f520b Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Sat, 11 Apr 2026 20:35:10 +0000
Subject: [PATCH 3/4] fix(GRO-563): stabilize OAuth login - upgrade
 better-auth, fix service worker, add 503 handling

- apps/web: upgrade better-auth from ^1.0.0 to ^1.5.6 (matches API)
- apps/web/vite.config.ts: exclude /api/auth/* from service worker caching
- apps/api/index.ts: return 503 when auth not configured
- apps/api/middleware/auth.ts: return 503 when auth not initialized

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/index.ts           |  8 +++++++-
 apps/api/src/middleware/auth.ts | 10 ++++++++--
 apps/web/package.json           |  2 +-
 apps/web/vite.config.ts         |  4 ++--
 pnpm-lock.yaml                  |  2 +-
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 1b146b9..6cf62ac 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -105,7 +105,13 @@ api.use("*", resolveStaffMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
 const authRouter = new Hono();
-authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
+authRouter.all("/*", (c) => {
+  try {
+    return getAuth().handler(c.req.raw);
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+});
 api.route("/auth", authRouter);
 
 // ── Role guards ────────────────────────────────────────────────────────────────
diff --git a/apps/api/src/middleware/auth.ts b/apps/api/src/middleware/auth.ts
index 1417614..906f505 100644
--- a/apps/api/src/middleware/auth.ts
+++ b/apps/api/src/middleware/auth.ts
@@ -23,7 +23,6 @@ if (process.env.AUTH_DISABLED === "true") {
 }
 
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
   if (c.req.path.startsWith("/api/auth/")) {
     await next();
     return;
@@ -37,7 +36,14 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
     return;
   }
 
-  const session = await getAuth().api.getSession({
+  let auth;
+  try {
+    auth = getAuth();
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+
+  const session = await auth.api.getSession({
     headers: c.req.raw.headers,
   });
 
diff --git a/apps/web/package.json b/apps/web/package.json
index 2cf5416..3c9d044 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -15,7 +15,7 @@
   "dependencies": {
     "@groombook/types": "workspace:*",
     "@tailwindcss/vite": "^4.2.2",
-    "better-auth": "^1.0.0",
+    "better-auth": "^1.5.6",
     "lucide-react": "^0.577.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
diff --git a/apps/web/vite.config.ts b/apps/web/vite.config.ts
index 7beaaa5..d73c18d 100644
--- a/apps/web/vite.config.ts
+++ b/apps/web/vite.config.ts
@@ -41,11 +41,11 @@ export default defineConfig({
       workbox: {
         globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
         navigateFallbackDenylist: [
-          /^\/api\/auth\/oauth2\/callback\//,
+          /^\/api\/auth\//,
         ],
         runtimeCaching: [
           {
-            urlPattern: /^http.*\/api\/.*/i,
+            urlPattern: /^http.*\/api\/(?!auth\/).*/i,
             handler: "NetworkFirst",
             options: {
               cacheName: "api-cache",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 81bbed5..faa203f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -87,7 +87,7 @@ importers:
         specifier: ^4.2.2
         version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
       better-auth:
-        specifier: ^1.0.0
+        specifier: ^1.5.6
         version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
       lucide-react:
         specifier: ^0.577.0

From 1380d5a9d32c46d17949b514a55e6437ed25ce4b Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Sat, 11 Apr 2026 22:53:00 +0000
Subject: [PATCH 4/4] feat(GRO-564): Better Auth Phase 2 security hardening

- Add logout button to admin layout header (signOut from better-auth)
- AUTH_DISABLED production guard already present in auth.ts middleware
- Remove automatic email-based staff-user linking (security fix)
- Add PATCH /api/staff/:id/link-user endpoint for manual linking by admins
- Add rate limiting to Better Auth (10 req/min, database storage)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/lib/auth.ts        | 12 ++++++++++++
 apps/api/src/middleware/rbac.ts | 21 +--------------------
 apps/api/src/routes/staff.ts    | 30 ++++++++++++++++++++++++++++++
 apps/web/src/App.tsx            | 24 ++++++++++++++++++++++--
 4 files changed, 65 insertions(+), 22 deletions(-)

diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
index fc9f2e2..bb68b23 100644
--- a/apps/api/src/lib/auth.ts
+++ b/apps/api/src/lib/auth.ts
@@ -90,6 +90,12 @@ export async function initAuth(): Promise<void> {
         database: drizzleAdapter(getDb(), { provider: "pg" }),
         secret: BETTER_AUTH_SECRET ?? "placeholder-secret-do-not-use-in-prod",
         baseURL: BETTER_AUTH_URL,
+        rateLimit: {
+          enabled: true,
+          max: 10,
+          window: 60,
+          storage: "database",
+        },
         plugins: [
           genericOAuth({
             config: [
@@ -177,6 +183,12 @@ export async function initAuth(): Promise<void> {
       }),
       secret: BETTER_AUTH_SECRET,
       baseURL: BETTER_AUTH_URL,
+      rateLimit: {
+        enabled: true,
+        max: 10,
+        window: 60,
+        storage: "database",
+      },
       account: {
         storeStateStrategy: "cookie" as const,
       },
diff --git a/apps/api/src/middleware/rbac.ts b/apps/api/src/middleware/rbac.ts
index 786fdbc..b8473e8 100644
--- a/apps/api/src/middleware/rbac.ts
+++ b/apps/api/src/middleware/rbac.ts
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { and, eq, getDb, isNull, staff } from "@groombook/db";
+import { eq, getDb, staff } from "@groombook/db";
 
 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -90,25 +90,6 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
     .from(staff)
     .where(eq(staff.oidcSub, jwt.sub));
   if (!fallbackRow) {
-    // Auto-link: staff record exists with matching email but no userId — link it now
-    if (jwt.email) {
-      const [linkedStaff] = await db
-        .select()
-        .from(staff)
-        .where(and(eq(staff.email, jwt.email), isNull(staff.userId)));
-      if (linkedStaff) {
-        await db
-          .update(staff)
-          .set({ userId: jwt.sub })
-          .where(eq(staff.id, linkedStaff.id));
-        console.log(
-          `[rbac] Auto-linked staff ${linkedStaff.id} to Better-Auth user ${jwt.sub} via email ${jwt.email}`
-        );
-        c.set("staff", linkedStaff);
-        await next();
-        return;
-      }
-    }
     return c.json(
       { error: "Forbidden: no staff record found for authenticated user" },
       403
diff --git a/apps/api/src/routes/staff.ts b/apps/api/src/routes/staff.ts
index bf5c8c2..813bd62 100644
--- a/apps/api/src/routes/staff.ts
+++ b/apps/api/src/routes/staff.ts
@@ -18,6 +18,10 @@ const createStaffSchema = z.object({
 
 const updateStaffSchema = createStaffSchema.partial().omit({ email: true });
 
+const linkUserSchema = z.object({
+  userId: z.string().min(1),
+});
+
 staffRouter.get("/me", async (c) => {
   const staffRow = c.get("staff");
   return c.json(staffRow);
@@ -106,6 +110,32 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
   return c.json(row);
 });
 
+staffRouter.patch("/:id/link-user", zValidator("json", linkUserSchema), async (c) => {
+  const db = getDb();
+  const targetId = c.req.param("id");
+  const body = c.req.valid("json");
+  const currentStaff = c.get("staff");
+
+  if (currentStaff.role !== "manager" && !currentStaff.isSuperUser) {
+    return c.json({ error: "Forbidden: only managers or super users can link staff to users" }, 403);
+  }
+
+  const [existing] = await db
+    .select()
+    .from(staff)
+    .where(eq(staff.id, targetId))
+    .limit(1);
+  if (!existing) return c.json({ error: "Not found" }, 404);
+
+  const [updated] = await db
+    .update(staff)
+    .set({ userId: body.userId, updatedAt: new Date() })
+    .where(eq(staff.id, targetId))
+    .returning();
+
+  return c.json(updated);
+});
+
 staffRouter.delete("/:id", async (c) => {
   const db = getDb();
   const id = c.req.param("id");
diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index bf34c03..11a436c 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -1,4 +1,4 @@
-import { Routes, Route, Link, useLocation, Navigate } from "react-router-dom";
+import { Routes, Route, Link, useLocation, Navigate, useNavigate } from "react-router-dom";
 import { useEffect, useState } from "react";
 import { AppointmentsPage } from "./pages/Appointments.js";
 import { ClientsPage } from "./pages/Clients.js";
@@ -18,7 +18,7 @@ import { DevLoginSelector, getDevUser } from "./pages/DevLoginSelector.js";
 import { DevSessionIndicator } from "./components/DevSessionIndicator.js";
 import { BrandingProvider, useBranding } from "./BrandingContext.js";
 import { GlobalSearch } from "./components/GlobalSearch.js";
-import { useSession, signIn } from "./lib/auth-client.js";
+import { useSession, signIn, signOut } from "./lib/auth-client.js";
 
 function LoginPage() {
   const [isLoading, setIsLoading] = useState(false);
@@ -181,6 +181,7 @@ const NAV_LINKS = [
 
 function AdminLayout() {
   const location = useLocation();
+  const navigate = useNavigate();
   const { branding } = useBranding();
 
   const logoSrc = branding.logoBase64 && branding.logoMimeType
@@ -261,6 +262,25 @@ function AdminLayout() {
             </Link>
           );
         })}
+        <button
+          onClick={async () => {
+            await signOut();
+            navigate("/login");
+          }}
+          style={{
+            marginLeft: "auto",
+            padding: "0.4rem 0.85rem",
+            borderRadius: 6,
+            border: "1px solid #e2e8f0",
+            background: "#fff",
+            color: "#4b5563",
+            fontSize: 13,
+            fontWeight: 500,
+            cursor: "pointer",
+          }}
+        >
+          Logout
+        </button>
       </nav>
       <main style={{ padding: "1.25rem 1.5rem" }}>
         <Routes>