feat(api): update resolveStaffMiddleware for Better-Auth userId (GRO-118)

- Remove JwtPayload import; use inline type in AppEnv
- Production and dev mode lookups now use staff.userId (not oidcSub)
- Backward compat: jwtPayload.sub now = Better-Auth user ID

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Paperclip
2026-03-27 20:41:19 +00:00
parent ec61b3ae4a
commit d235e44f8c
+6 -7
@@ -1,13 +1,12 @@
import type { MiddlewareHandler } from "hono"; import type { MiddlewareHandler } from "hono";
import { eq, getDb, staff } from "@groombook/db"; import { eq, getDb, staff } from "@groombook/db";
import type { JwtPayload } from "./auth.js";
export type StaffRole = "groomer" | "receptionist" | "manager"; export type StaffRole = "groomer" | "receptionist" | "manager";
export type StaffRow = typeof staff.$inferSelect; export type StaffRow = typeof staff.$inferSelect;
export interface AppEnv { export interface AppEnv {
Variables: { Variables: {
jwtPayload: JwtPayload; jwtPayload: { sub: string; email?: string; name?: string };
staff: StaffRow; staff: StaffRow;
}; };
} }
@@ -16,8 +15,8 @@ export interface AppEnv {
* Resolves the authenticated staff record from the DB and stores it in context. * Resolves the authenticated staff record from the DB and stores it in context.
* Must be applied after authMiddleware on all protected routes. * Must be applied after authMiddleware on all protected routes.
* *
* Dev mode (AUTH_DISABLED=true): resolves staff by X-Dev-User-Id header (treated * Dev mode (AUTH_DISABLED=true): resolves staff by X-Dev-User-Id header (Better-Auth
* as oidcSub), or falls back to the first manager in the DB. * user ID), or falls back to the first manager in the DB.
*/ */
export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async ( export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
c, c,
@@ -41,11 +40,11 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
await next(); await next();
return; return;
} }
// Treat X-Dev-User-Id as the oidcSub // Treat X-Dev-User-Id as the Better-Auth user ID
const [row] = await db const [row] = await db
.select() .select()
.from(staff) .from(staff)
.where(eq(staff.oidcSub, devUserId)); .where(eq(staff.userId, devUserId));
if (!row) { if (!row) {
return c.json( return c.json(
{ error: "Forbidden: no staff record found for X-Dev-User-Id" }, { error: "Forbidden: no staff record found for X-Dev-User-Id" },
@@ -61,7 +60,7 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
const [row] = await db const [row] = await db
.select() .select()
.from(staff) .from(staff)
.where(eq(staff.oidcSub, jwt.sub)); .where(eq(staff.userId, jwt.sub));
if (!row) { if (!row) {
return c.json( return c.json(
{ error: "Forbidden: no staff record found for authenticated user" }, { error: "Forbidden: no staff record found for authenticated user" },
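Review bot: The two lookups that now key on `staff.userId` (the `.where(eq(staff.userId, devUserId))` and `.where(eq(staff.userId, jwt.sub))` lines) still destructure `[row]` from an unlimited `.select()`, so if `staff.userId` does not carry the same unique constraint that `oidcSub` presumably had, a duplicate mapping would silently resolve the caller to whichever staff record the database returns first; the schema is not visible here, so this is worth confirming rather than assuming. Since the authorization decision downstream rests on this row, I would either verify the unique index on `staff.userId` in the schema migration for this change or add `.limit(1)` plus an explicit rejection when more than one row matches. Separately, the inline `jwtPayload: { sub: string; email?: string; name?: string }` in `AppEnv` is now a hand-copied shape that the compiler no longer ties to whatever `authMiddleware` actually sets, so a later divergence in `./auth.js` would not be caught; a comment such as `// Must match the payload authMiddleware (./auth.js) stores; sub is the Better-Auth user ID, not an OIDC subject.` would at least record the coupling until the type is exported from one place. The body of `resolveStaffMiddleware` starts and ends outside the hunks shown.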