groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-634): atomic confirmation token in book.ts, correct RBAC error message

Browse Source 
- Replace SELECT-then-UPDATE with atomic UPDATE ... WHERE token=? AND status='pending' RETURNING *
  to prevent confirmation token replay attacks (TOCTOU race condition)
- Fix requireRoleOrSuperUser() error message: swap the conditional branches so
  'Forbidden: super user privileges required' is returned when user lacks role,
  and 'Forbidden: role X is not permitted' when user is not superuser
- Add 'and' mock export to confirmation.test.ts and rbac.test.ts for new query patterns
- Update test expectations to match corrected error message semantics
This commit is contained in:
Flea Flicker
2026-04-14 23:12:41 +00:00
parent 1cce354413
commit f7b8b7e668
4 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/__tests__/confirmation.test.ts
+1
View File
@@ -68,6 +68,7 @@ vi.mock("@groombook/db", () => {
}),
appointments,
eq: () => ({}),
and: (...clauses: unknown[]) => ({}),
};
});