fix(api): exempt OOBE setup from staff middleware and auto-create staff (GRO-485)

Exempt POST /api/setup from resolveStaffMiddleware so OOBE users (with no
pre-existing staff record) can complete the out-of-box experience without
getting blocked by the "no staff record found" 403 error.

Changes:
- rbac.ts: add /api/setup to path exemption alongside /api/auth/
- setup.ts POST /: add find-or-create logic that:
  - Looks up existing staff by userId from JWT
  - Auto-links legacy staff records by email if userId is null
  - Creates a new staff record if none exists (OOBE case)
  - Returns 400 if JWT has no email and no staff record found
- setup.test.ts: add regression tests for all scenarios

Fixes GRO-485 (OOBE regression introduced by GRO-480).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker
2026-04-05 19:37:23 +00:00
parent 6819bff2bf
commit fa18c41677
3 changed files with 360 additions and 31 deletions
+2 -1
@@ -23,7 +23,8 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
next
) => {
// Better-Auth's own routes handle their own auth — skip staff resolution
if (c.req.path.startsWith("/api/auth/")) {
// OOBE setup routes also handle their own auth — staff record is created during setup
if (c.req.path.startsWith("/api/auth/") || c.req.path.startsWith("/api/setup")) {
await next();
return;
}
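Review bot: the new `c.req.path.startsWith("/api/setup")` check on the changed `if` line is a bare prefix match, so it also exempts any route whose path merely begins with that string (for example a hypothetical `/api/setup-wizard` or `/api/setupx`) and every method and sub-path under `/api/setup`, whereas the commit message says only `POST /api/setup` should bypass staff resolution. Consider tightening it to an exact match plus a slash-delimited prefix, e.g. `c.req.path === "/api/setup" || c.req.path.startsWith("/api/setup/")`, and, if only the POST handler performs its own find-or-create, gate on `c.req.method === "POST"` as well so GET or other verbs on the setup route still go through `resolveStaffMiddleware`. It would also help to extend the comment to say that the setup handler itself creates the staff record, since a future reader otherwise sees an auth-bypass-looking exemption with no pointer to where the compensating check lives.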