groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): dev login 403 — resolve staff by id, not oidcSub (GRO-150)

Browse Source 
The DevLoginSelector stores the staff database id in localStorage and
sends it as X-Dev-User-Id. The resolveStaffMiddleware incorrectly
looked up staff by oidcSub instead of id, causing all API endpoints
to return 403 for every user in dev mode.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
The Dogfather
2026-03-28 01:23:10 +00:00
parent 317fe57703
commit b78e45b5c5
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/__tests__/rbac.test.ts
+1 -1
View File
@@ -165,7 +165,7 @@ describe("resolveStaffMiddleware", () => {
}); });
const res = await app.request("/test", { const res = await app.request("/test", {
headers: { "X-Dev-User-Id": GROOMER.oidcSub! }, headers: { "X-Dev-User-Id": GROOMER.id },
}); });
expect(res.status).toBe(200); expect(res.status).toBe(200);
expect(capturedStaff!.role).toBe("groomer"); expect(capturedStaff!.role).toBe("groomer");
apps/api/src/middleware/rbac.ts
+2 -2
View File
@@ -41,11 +41,11 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
await next(); await next();
return; return;
} }
// Treat X-Dev-User-Id as the oidcSub // Treat X-Dev-User-Id as the staff database id (the frontend stores staff.id)
const [row] = await db const [row] = await db
.select() .select()
.from(staff) .from(staff)
.where(eq(staff.oidcSub, devUserId)); .where(eq(staff.id, devUserId));
if (!row) { if (!row) {
return c.json( return c.json(
{ error: "Forbidden: no staff record found for X-Dev-User-Id" }, { error: "Forbidden: no staff record found for X-Dev-User-Id" },