fix(auth): dev login 403 — resolve staff by id, not oidcSub (GRO-150)

The DevLoginSelector stores the staff database id in localStorage and
sends it as X-Dev-User-Id. The resolveStaffMiddleware incorrectly
looked up staff by oidcSub instead of id, causing all API endpoints
to return 403 for every user in dev mode.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Dogfather
2026-03-28 01:23:10 +00:00
parent 317fe57703
commit b78e45b5c5
2 changed files with 3 additions and 3 deletions
+1 -1
@@ -165,7 +165,7 @@ describe("resolveStaffMiddleware", () => {
});
const res = await app.request("/test", {
headers: { "X-Dev-User-Id": GROOMER.oidcSub! },
headers: { "X-Dev-User-Id": GROOMER.id },
});
expect(res.status).toBe(200);
expect(capturedStaff!.role).toBe("groomer");
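Review bot: The case changed at `headers: { "X-Dev-User-Id": GROOMER.id }` asserts only the success path, so nothing in this hunk pins the behaviour the fix changes. Add a companion case that sends `GROOMER.oidcSub` in `X-Dev-User-Id` and expects the request to be rejected, so that a later revert to the oidcSub lookup fails the suite. Since the value of this header decides which staff record and role the request runs as (`capturedStaff!.role` is `"groomer"` here), it is also worth asserting in this describe block that the header is ignored when dev mode is off, if that case is not already covered elsewhere in the file.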