fix(e2e): use domcontentloaded instead of networkidle in admin invoices test

The networkidle wait causes flakiness in CI due to slow external resource loading. Use domcontentloaded which fires earlier and is sufficient for SPA navigation checks. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-11 16:43:45 +00:00
22 changed files with 84 additions and 459 deletions
@@ -11,12 +11,6 @@ AUTH_DISABLED=false
 OIDC_ISSUER=https://authentik.example.com
 OIDC_AUDIENCE=groombook

-# ── Setup Wizard ─────────────────────────────────────────────────────────────
-# When SKIP_OOBE=true, the setup wizard is bypassed regardless of whether a
-# super user exists in the database. Useful in dev/test environments where the
-# database has data but the setup wizard would otherwise block access.
-SKIP_OOBE=false
-
 # ── API ───────────────────────────────────────────────────────────────────────
 PORT=3000
 CORS_ORIGIN=http://localhost:8080
@@ -22,7 +22,6 @@
    "hono": "^4.6.17",
    "node-cron": "^3.0.3",
    "nodemailer": "^6.9.16",
-    "stripe": "^22.0.0",
    "zod": "^4.3.6"
  },
  "devDependencies": {
@@ -418,48 +418,6 @@ describe("GET /setup/status — OOBE bootstrap logic", () => {
    expect(body.showAuthProviderStep).toBe(false); // DB config already exists
    expect(body.authConfigExists).toBe(true);
  });
-
-  it("SKIP_OOBE=true bypasses setup check regardless of DB state", async () => {
-    dbStaffRows = []; // no super user
-    dbAuthConfigRows = [];
-    process.env.SKIP_OOBE = "true";
-
-    const app = makeApp();
-    const { status, body } = await getStatus(app);
-
-    expect(status).toBe(200);
-    expect(body.needsSetup).toBe(false);
-    expect(body.showAuthProviderStep).toBe(false);
-    expect(body.authConfigExists).toBe(false);
-    expect(body.authEnvVarsSet).toBe(false);
-    expect(body.skipped).toBe(true);
-  });
-
-  it("SKIP_OOBE=1 also bypasses setup check", async () => {
-    dbStaffRows = [];
-    dbAuthConfigRows = [];
-    process.env.SKIP_OOBE = "1";
-
-    const app = makeApp();
-    const { status, body } = await getStatus(app);
-
-    expect(status).toBe(200);
-    expect(body.needsSetup).toBe(false);
-    expect(body.skipped).toBe(true);
-  });
-
-  it("SKIP_OOBE=yes also bypasses setup check", async () => {
-    dbStaffRows = [];
-    dbAuthConfigRows = [];
-    process.env.SKIP_OOBE = "yes";
-
-    const app = makeApp();
-    const { status, body } = await getStatus(app);
-
-    expect(status).toBe(200);
-    expect(body.needsSetup).toBe(false);
-    expect(body.skipped).toBe(true);
-  });
 });

 describe("POST /setup/auth-provider — OOBE bootstrap", () => {
@@ -28,7 +28,6 @@ import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSup
 import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
-import { webhooksRouter } from "./routes/stripe-webhooks.js";

 const app = new Hono();

@@ -51,9 +50,6 @@ app.route("/api/book", bookRouter);
 // Public portal routes — client-facing, authenticated via impersonation session header
 app.route("/api/portal", portalRouter);

-// Public Stripe webhook endpoint — signature-verified, no auth required
-app.route("/api/webhooks/stripe", webhooksRouter);
-
 // Dev/demo routes — config is always public, users endpoint is guarded internally
 app.route("/api/dev", devRouter);

@@ -109,13 +105,7 @@ api.use("*", resolveStaffMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
 const authRouter = new Hono();
-authRouter.all("/*", (c) => {
-  try {
-    return getAuth().handler(c.req.raw);
-  } catch {
-    return c.json({ error: "Authentication not configured" }, 503);
-  }
-});
+authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
 api.route("/auth", authRouter);

 // ── Role guards ────────────────────────────────────────────────────────────────
@@ -3,7 +3,6 @@ import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { genericOAuth } from "better-auth/plugins";
 import { getDb, authProviderConfig, eq } from "@groombook/db";
 import { decryptSecret } from "@groombook/db";
-import { sendEmail } from "../services/email.js";

 const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
 const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://localhost:3000";
@@ -91,12 +90,6 @@ export async function initAuth(): Promise<void> {
        database: drizzleAdapter(getDb(), { provider: "pg" }),
        secret: BETTER_AUTH_SECRET ?? "placeholder-secret-do-not-use-in-prod",
        baseURL: BETTER_AUTH_URL,
-        rateLimit: {
-          enabled: true,
-          max: 10,
-          window: 60,
-          storage: "memory",
-        },
        plugins: [
          genericOAuth({
            config: [
@@ -177,51 +170,7 @@ export async function initAuth(): Promise<void> {
    const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
    const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);

-    // Fetch OIDC discovery document to derive canonical provider URLs.
-    // Replace the host of token/userinfo endpoints with internalBaseUrl when set,
-    // while keeping authorizationUrl public for browser redirects.
-    const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
-    let oidcConfig: Record<string, string> = {};
-    try {
-      const discoveryRes = await fetch(discoveryUrlStr);
-      if (discoveryRes.ok) {
-        const discovery = await discoveryRes.json() as {
-          authorization_endpoint?: string;
-          token_endpoint?: string;
-          userinfo_endpoint?: string;
-        };
-        const replaceHost = (url: string, newHost: string) => {
-          try {
-            const parsed = new URL(url);
-            const newParsed = new URL(newHost);
-            return `${newParsed.origin}${parsed.pathname}${parsed.search}`;
-          } catch {
-            return url;
-          }
-        };
-        const authzUrl = discovery.authorization_endpoint;
-        const tokenUrl = discovery.token_endpoint;
-        const userInfoUrl = discovery.userinfo_endpoint;
-        if (authzUrl && tokenUrl && userInfoUrl) {
-          oidcConfig = {
-            authorizationUrl: authzUrl,
-            tokenUrl: providerConfig.internalBaseUrl
-              ? replaceHost(tokenUrl, providerConfig.internalBaseUrl)
-              : tokenUrl,
-            userInfoUrl: providerConfig.internalBaseUrl
-              ? replaceHost(userInfoUrl, providerConfig.internalBaseUrl)
-              : userInfoUrl,
-          };
-          console.log("[auth] OIDC discovery successful, provider:", providerConfig.providerId);
-        } else {
-          console.warn("[auth] OIDC discovery missing required endpoints, using discoveryUrl only");
-        }
-      } else {
-        console.warn(`[auth] OIDC discovery failed (${discoveryRes.status}), using discoveryUrl only`);
-      }
-    } catch (err) {
-      console.warn(`[auth] OIDC discovery fetch failed: ${err}, using discoveryUrl only`);
-    }
+    const callbackBase = `${BETTER_AUTH_URL}/api/auth/callback`;

    // Build Better-Auth instance using resolved config
    authInstance = betterAuth({
@@ -230,28 +179,6 @@ export async function initAuth(): Promise<void> {
      }),
      secret: BETTER_AUTH_SECRET,
      baseURL: BETTER_AUTH_URL,
-      rateLimit: {
-        enabled: true,
-        max: 10,
-        window: 60,
-        storage: "memory",
-      },
-      account: {
-        storeStateStrategy: "cookie" as const,
-      },
-      emailAndPassword: {
-        enabled: true,
-        emailVerification: {
-          sendVerificationEmail: async ({ user, url }: { user: { email: string }; url: string }) => {
-            await sendEmail({
-              to: user.email,
-              subject: "Verify your GroomBook email",
-              text: `Click the link to verify your email: ${url}`,
-              html: `<p>Click the link to verify your email:</p><a href="${url}">${url}</a>`,
-            });
-          },
-        },
-      },
      plugins: [
        genericOAuth({
          config: [
@@ -259,8 +186,15 @@ export async function initAuth(): Promise<void> {
              providerId: providerConfig.providerId,
              clientId: providerConfig.clientId,
              clientSecret: providerConfig.clientSecret,
-              discoveryUrl: discoveryUrlStr,
-              ...(Object.keys(oidcConfig).length > 0 ? oidcConfig : {}),
+              ...(providerConfig.internalBaseUrl
+                ? {
+                    authorizationUrl: `${new URL(providerConfig.issuerUrl).origin}/application/o/authorize/`,
+                    tokenUrl: `${providerConfig.internalBaseUrl}/application/o/token/`,
+                    userInfoUrl: `${providerConfig.internalBaseUrl}/application/o/userinfo/`,
+                  }
+                : {
+                    discoveryUrl: `${providerConfig.issuerUrl}/.well-known/openid-configuration`,
+                  }),
              scopes: providerConfig.scopes.split(" ").filter(Boolean),
            },
          ],
@@ -271,12 +205,14 @@ export async function initAuth(): Promise<void> {
          google: {
            clientId: process.env.GOOGLE_CLIENT_ID!,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+            redirectURI: `${callbackBase}/google`,
          },
        } : {}),
        ...(hasGitHub ? {
          github: {
            clientId: process.env.GITHUB_CLIENT_ID!,
            clientSecret: process.env.GITHUB_CLIENT_SECRET!,
+            redirectURI: `${callbackBase}/github`,
          },
        } : {}),
      },
@@ -23,6 +23,7 @@ if (process.env.AUTH_DISABLED === "true") {
 }

 export const authMiddleware: MiddlewareHandler = async (c, next) => {
+  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
  if (c.req.path.startsWith("/api/auth/")) {
    await next();
    return;
@@ -36,14 +37,7 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
    return;
  }

-  let auth;
-  try {
-    auth = getAuth();
-  } catch {
-    return c.json({ error: "Authentication not configured" }, 503);
-  }
-
-  const session = await auth.api.getSession({
+  const session = await getAuth().api.getSession({
    headers: c.req.raw.headers,
  });

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { eq, getDb, staff } from "@groombook/db";
+import { and, eq, getDb, isNull, staff } from "@groombook/db";

 export type StaffRole = "groomer" | "receptionist" | "manager";
 export type StaffRow = typeof staff.$inferSelect;
@@ -90,6 +90,25 @@ export const resolveStaffMiddleware: MiddlewareHandler<AppEnv> = async (
    .from(staff)
    .where(eq(staff.oidcSub, jwt.sub));
  if (!fallbackRow) {
+    // Auto-link: staff record exists with matching email but no userId — link it now
+    if (jwt.email) {
+      const [linkedStaff] = await db
+        .select()
+        .from(staff)
+        .where(and(eq(staff.email, jwt.email), isNull(staff.userId)));
+      if (linkedStaff) {
+        await db
+          .update(staff)
+          .set({ userId: jwt.sub })
+          .where(eq(staff.id, linkedStaff.id));
+        console.log(
+          `[rbac] Auto-linked staff ${linkedStaff.id} to Better-Auth user ${jwt.sub} via email ${jwt.email}`
+        );
+        c.set("staff", linkedStaff);
+        await next();
+        return;
+      }
+    }
    return c.json(
      { error: "Forbidden: no staff record found for authenticated user" },
      403
@@ -9,17 +9,6 @@ export const setupRouter = new Hono<AppEnv>();
 // GET /api/setup/status — public (no auth), returns whether setup is needed
 // and whether the auth provider bootstrap step should be shown
 setupRouter.get("/status", async (c) => {
-  const skipOobe = ["true", "1", "yes"].includes((process.env.SKIP_OOBE || "").toLowerCase());
-  if (skipOobe) {
-    return c.json({
-      needsSetup: false,
-      showAuthProviderStep: false,
-      authConfigExists: false,
-      authEnvVarsSet: false,
-      skipped: true,
-    });
-  }
-
  const db = getDb();

  // Check if any super user exists
@@ -18,10 +18,6 @@ const createStaffSchema = z.object({

 const updateStaffSchema = createStaffSchema.partial().omit({ email: true });

-const linkUserSchema = z.object({
-  userId: z.string().min(1),
-});
-
 staffRouter.get("/me", async (c) => {
  const staffRow = c.get("staff");
  return c.json(staffRow);
@@ -110,32 +106,6 @@ staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
  return c.json(row);
 });

-staffRouter.patch("/:id/link-user", zValidator("json", linkUserSchema), async (c) => {
-  const db = getDb();
-  const targetId = c.req.param("id");
-  const body = c.req.valid("json");
-  const currentStaff = c.get("staff");
-
-  if (currentStaff.role !== "manager" && !currentStaff.isSuperUser) {
-    return c.json({ error: "Forbidden: only managers or super users can link staff to users" }, 403);
-  }
-
-  const [existing] = await db
-    .select()
-    .from(staff)
-    .where(eq(staff.id, targetId))
-    .limit(1);
-  if (!existing) return c.json({ error: "Not found" }, 404);
-
-  const [updated] = await db
-    .update(staff)
-    .set({ userId: body.userId, updatedAt: new Date() })
-    .where(eq(staff.id, targetId))
-    .returning();
-
-  return c.json(updated);
-});
-
 staffRouter.delete("/:id", async (c) => {
  const db = getDb();
  const id = c.req.param("id");
@@ -1,108 +0,0 @@
-import { Hono } from "hono";
-import Stripe from "stripe";
-import { eq, getDb, invoices } from "@groombook/db";
-
-export const webhooksRouter = new Hono();
-
-webhooksRouter.post("/stripe", async (c) => {
-  const secret = process.env.STRIPE_WEBHOOK_SECRET;
-  if (!secret) {
-    return c.json({ error: "Webhook secret not configured" }, 503);
-  }
-
-  const signature = c.req.header("stripe-signature");
-  if (!signature) {
-    return c.json({ error: "Missing signature" }, 401);
-  }
-
-  let rawBody: string;
-  try {
-    rawBody = await c.req.text();
-  } catch {
-    return c.json({ error: "Could not read body" }, 400);
-  }
-
-  const stripe = new Stripe(secret, { apiVersion: "2026-03-25.dahlia" });
-
-  let event: Stripe.Event;
-  try {
-    event = stripe.webhooks.constructEvent(rawBody, signature, secret);
-  } catch (err) {
-    const message = err instanceof Error ? err.message : "Invalid signature";
-    return c.json({ error: message }, 401);
-  }
-
-  const db = getDb();
-
-  if (event.type === "payment_intent.succeeded") {
-    const pi = event.data.object as Stripe.PaymentIntent;
-    if (pi.metadata?.groombook_invoice_ids) {
-      const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
-      for (const invoiceId of invoiceIds) {
-        if (!invoiceId) continue;
-        const [inv] = await db
-          .select()
-          .from(invoices)
-          .where(eq(invoices.id, invoiceId))
-          .limit(1);
-        if (!inv) continue;
-        if (inv.stripePaymentIntentId && inv.stripePaymentIntentId !== pi.id) continue;
-        await db
-          .update(invoices)
-          .set({
-            status: "paid",
-            paymentMethod: "card",
-            paidAt: new Date(),
-            stripePaymentIntentId: pi.id,
-            updatedAt: new Date(),
-          })
-          .where(eq(invoices.id, invoiceId));
-      }
-    }
-  } else if (event.type === "payment_intent.payment_failed") {
-    const pi = event.data.object as Stripe.PaymentIntent;
-    if (pi.metadata?.groombook_invoice_ids) {
-      const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
-      for (const invoiceId of invoiceIds) {
-        if (!invoiceId) continue;
-        await db
-          .update(invoices)
-          .set({
-            paymentFailureReason: pi.last_payment_error?.message ?? "Payment failed",
-            updatedAt: new Date(),
-          })
-          .where(eq(invoices.id, invoiceId));
-      }
-    }
-  } else if (event.type === "charge.refunded") {
-    const charge = event.data.object as Stripe.Charge;
-    if (typeof charge.payment_intent === "string" && charge.payment_intent) {
-      const [inv] = await db
-        .select({ id: invoices.id })
-        .from(invoices)
-        .where(eq(invoices.stripePaymentIntentId, charge.payment_intent))
-        .limit(1);
-      if (inv) {
-        const refundId =
-          typeof charge.refunded === "boolean" && charge.refunded
-            ? `ch_${charge.id}_refund`
-            : null;
-        await db
-          .update(invoices)
-          .set({
-            status: "void",
-            stripeRefundId: refundId,
-            updatedAt: new Date(),
-          })
-          .where(eq(invoices.id, inv.id));
-      }
-    }
-  } else if (event.type === "charge.dispute.created") {
-    const dispute = event.data.object as Stripe.Dispute;
-    console.error(
-      `[Stripe Webhook] Dispute created for payment intent: ${dispute.payment_intent}`
-    );
-  }
-
-  return c.json({ received: true });
-});
@@ -12,7 +12,6 @@ import {
  services,
  staff,
  reminderLogs,
-  session,
 } from "@groombook/db";
 import {
  buildReminderEmail,
@@ -156,19 +155,6 @@ export function startReminderScheduler(): void {
    runReminderCheck().catch((err) => {
      console.error("[reminders] Error during reminder check:", err);
    });
-    runSessionCleanup().catch((err) => {
-      console.error("[reminders] Error during session cleanup:", err);
-    });
  });
  console.log("[reminders] Reminder scheduler started");
 }
-
-// Deletes expired sessions from the database.
-// Runs every minute alongside reminder checks.
-export async function runSessionCleanup(): Promise<void> {
-  const db = getDb();
-  const now = new Date();
-  await db
-    .delete(session)
-    .where(lt(session.expiresAt, now));
-}
@@ -15,7 +15,7 @@
  "dependencies": {
    "@groombook/types": "workspace:*",
    "@tailwindcss/vite": "^4.2.2",
-    "better-auth": "^1.5.6",
+    "better-auth": "^1.0.0",
    "lucide-react": "^0.577.0",
    "react": "^19.0.0",
    "react-dom": "^19.0.0",
@@ -1,4 +1,4 @@
-import { Routes, Route, Link, useLocation, Navigate, useNavigate } from "react-router-dom";
+import { Routes, Route, Link, useLocation, Navigate } from "react-router-dom";
 import { useEffect, useState } from "react";
 import { AppointmentsPage } from "./pages/Appointments.js";
 import { ClientsPage } from "./pages/Clients.js";
@@ -18,31 +18,22 @@ import { DevLoginSelector, getDevUser } from "./pages/DevLoginSelector.js";
 import { DevSessionIndicator } from "./components/DevSessionIndicator.js";
 import { BrandingProvider, useBranding } from "./BrandingContext.js";
 import { GlobalSearch } from "./components/GlobalSearch.js";
-import { useSession, signIn, signOut } from "./lib/auth-client.js";
+import { useSession, signIn } from "./lib/auth-client.js";

 function LoginPage() {
  const [isLoading, setIsLoading] = useState(false);
  const [providers, setProviders] = useState<string[]>([]);
-  const [error, setError] = useState<string | null>(null);

  useEffect(() => {
    fetch("/api/auth/providers")
      .then((r) => r.json())
      .then((data) => setProviders(data.providers ?? []))
      .catch(() => setProviders([]));
-    const params = new URLSearchParams(window.location.search);
-    const authError = params.get("error");
-    if (authError) setError(authError.replace(/_/g, " "));
  }, []);

  const handleSocialLogin = async (provider: string) => {
    setIsLoading(true);
-    setError(null);
-    const result = await signIn.social({ provider, callbackURL: window.location.origin });
-    if (result?.error) {
-      setError(result.error.message ?? "Sign-in failed");
-      setIsLoading(false);
-    }
+    await signIn.social({ provider, callbackURL: window.location.origin });
  };

  const isGoogle = providers.includes("google");
@@ -74,11 +65,6 @@ function LoginPage() {
        <p style={{ color: "#6b7280", marginBottom: "1.5rem", fontSize: 14 }}>
          Sign in to continue
        </p>
-        {error && (
-          <div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 6, padding: "0.5rem 0.75rem", marginBottom: "1rem", color: "#991b1b", fontSize: 13 }}>
-            {error}
-          </div>
-        )}
        {isGoogle && (
          <button
            onClick={() => handleSocialLogin("google")}
@@ -181,7 +167,6 @@ const NAV_LINKS = [

 function AdminLayout() {
  const location = useLocation();
-  const navigate = useNavigate();
  const { branding } = useBranding();

  const logoSrc = branding.logoBase64 && branding.logoMimeType
@@ -210,7 +195,6 @@ function AdminLayout() {
          alignItems: "center",
          gap: 8,
          marginRight: "1.25rem",
-          flexShrink: 0,
        }}>
          {logoSrc && (
            <img src={logoSrc} alt="" style={{ width: 24, height: 24, objectFit: "contain" }} />
@@ -224,73 +208,45 @@ function AdminLayout() {
          </strong>
        </div>
        <GlobalSearch />
-        <div style={{
-          display: "flex",
-          overflowX: "auto",
-          flex: 1,
-          minWidth: 0,
-          gap: "0.25rem",
-        }}>
-          <Link
-            to="/admin/book"
-            style={{
-              padding: "0.4rem 0.85rem",
-              borderRadius: 6,
-              textDecoration: "none",
-              fontSize: 13,
-              fontWeight: 600,
-              color: "#fff",
-              background: branding.primaryColor,
-              boxShadow: "0 1px 2px rgba(79, 138, 111, 0.3)",
-              flexShrink: 0,
-            }}
-          >
-            Book
-          </Link>
-          {NAV_LINKS.map(({ to, label }) => {
-            const active =
-              to === "/admin"
-                ? location.pathname === "/admin"
-                : location.pathname.startsWith(to);
-            return (
-              <Link
-                key={to}
-                to={to}
-                style={{
-                  padding: "0.4rem 0.75rem",
-                  borderRadius: 6,
-                  textDecoration: "none",
-                  fontSize: 13,
-                  fontWeight: active ? 600 : 500,
-                  color: active ? "#2d6a4f" : "#4b5563",
-                  background: active ? "#ecfdf5" : "transparent",
-                  flexShrink: 0,
-                }}
-              >
-                {label}
-              </Link>
-            );
-          })}
-        </div>
-        <button
-          onClick={async () => {
-            await signOut();
-            navigate("/login");
-          }}
+        <Link
+          to="/admin/book"
          style={{
-            flexShrink: 0,
            padding: "0.4rem 0.85rem",
            borderRadius: 6,
-            border: "1px solid #e2e8f0",
-            background: "#fff",
-            color: "#4b5563",
+            textDecoration: "none",
            fontSize: 13,
-            fontWeight: 500,
-            cursor: "pointer",
+            fontWeight: 600,
+            color: "#fff",
+            background: branding.primaryColor,
+            marginRight: "0.5rem",
+            boxShadow: "0 1px 2px rgba(79, 138, 111, 0.3)",
          }}
        >
-          Logout
-        </button>
+          Book
+        </Link>
+        {NAV_LINKS.map(({ to, label }) => {
+          const active =
+            to === "/admin"
+              ? location.pathname === "/admin"
+              : location.pathname.startsWith(to);
+          return (
+            <Link
+              key={to}
+              to={to}
+              style={{
+                padding: "0.4rem 0.75rem",
+                borderRadius: 6,
+                textDecoration: "none",
+                fontSize: 13,
+                fontWeight: active ? 600 : 500,
+                color: active ? "#2d6a4f" : "#4b5563",
+                background: active ? "#ecfdf5" : "transparent",
+              }}
+            >
+              {label}
+            </Link>
+          );
+        })}
      </nav>
      <main style={{ padding: "1.25rem 1.5rem" }}>
        <Routes>
@@ -4,4 +4,4 @@ export const authClient = createAuthClient({
  baseURL: import.meta.env.VITE_API_URL ?? "",
 });

-export const { signIn, signOut, useSession, changePassword } = authClient;
+export const { signIn, signOut, useSession } = authClient;
@@ -1,7 +1,6 @@
 import React, { useState, useEffect } from "react";
 import { User, Lock, PawPrint, FileCheck, Plus, Archive } from "lucide-react";
 import { PetForm } from "./PetForm.js";
-import { authClient } from "../../lib/auth-client.js";

 interface Props {
  sessionId: string | null;
@@ -149,11 +148,9 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
  const [newPassword, setNewPassword] = useState("");
  const [confirmPassword, setConfirmPassword] = useState("");
  const [error, setError] = useState<string | null>(null);
-  const [success, setSuccess] = useState(false);
-  const [loading, setLoading] = useState(false);

  const passwordsMatch = newPassword === confirmPassword;
-  const canSubmit = newPassword.length > 0 && passwordsMatch && !loading;
+  const canSubmit = currentPassword.length > 0 && newPassword.length > 0 && passwordsMatch;

  if (readOnly) {
    return (
@@ -163,34 +160,17 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
    );
  }

-  async function handleSubmit() {
+  function handleSubmit() {
    if (!canSubmit) return;
    if (newPassword !== confirmPassword) {
      setError("Passwords do not match.");
      return;
    }
+    // TODO: Wire up to actual password-change API endpoint once backend support exists
    setError(null);
-    setLoading(true);
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const result = await (authClient as any).changePassword({
-        currentPassword,
-        newPassword,
-      });
-      if (result.error) {
-        setError(result.error.message ?? "Failed to change password.");
-      } else {
-        setSuccess(true);
-        setCurrentPassword("");
-        setNewPassword("");
-        setConfirmPassword("");
-        setTimeout(() => setSuccess(false), 4000);
-      }
-    } catch {
-      setError("An unexpected error occurred.");
-    } finally {
-      setLoading(false);
-    }
+    setCurrentPassword("");
+    setNewPassword("");
+    setConfirmPassword("");
  }

  return (
@@ -225,13 +205,12 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
          />
        </div>
        {error && <p className="text-sm text-red-500">{error}</p>}
-        {success && <p className="text-sm text-green-600">Password updated successfully.</p>}
        <button
          onClick={handleSubmit}
          disabled={!canSubmit}
          className="px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover) disabled:opacity-50 disabled:cursor-not-allowed"
        >
-          {loading ? "Updating..." : "Update Password"}
+          Update Password
        </button>
      </div>
    </div>
@@ -41,11 +41,11 @@ export default defineConfig({
      workbox: {
        globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
        navigateFallbackDenylist: [
-          /^\/api\/auth\//,
+          /^\/api\/auth\/oauth2\/callback\//,
        ],
        runtimeCaching: [
          {
-            urlPattern: /^http.*\/api\/(?!auth\/).*/i,
+            urlPattern: /^http.*\/api\/.*/i,
            handler: "NetworkFirst",
            options: {
              cacheName: "api-cache",
@@ -1,6 +0,0 @@
-- Better-Auth rate limiting table (GRO-574)
-CREATE TABLE "rate_limit" (
-  key TEXT NOT NULL PRIMARY KEY,
-  count INTEGER NOT NULL,
-  last_request BIGINT NOT NULL
-);
@@ -1,4 +0,0 @@
-ALTER TABLE "invoices" ADD COLUMN "stripe_payment_intent_id" text;
-ALTER TABLE "invoices" ADD COLUMN "stripe_refund_id" text;
-ALTER TABLE "invoices" ADD COLUMN "payment_failure_reason" text;
-ALTER TABLE "invoices" ADD CONSTRAINT "idx_invoices_stripe_payment_intent_id" UNIQUE("stripe_payment_intent_id");
@@ -176,13 +176,6 @@
      "when": 1775396067192,
      "tag": "0024_invoice_indexes",
      "breakpoints": true
-    },
-    {
-      "idx": 25,
-      "version": "7",
-      "when": 1775482467192,
-      "tag": "0025_rate_limit",
-      "breakpoints": true
    }
  ]
 }
@@ -251,9 +251,6 @@ export const invoices = pgTable(
    status: invoiceStatusEnum("status").notNull().default("draft"),
    paymentMethod: paymentMethodEnum("payment_method"),
    paidAt: timestamp("paid_at"),
-    stripePaymentIntentId: text("stripe_payment_intent_id"),
-    stripeRefundId: text("stripe_refund_id"),
-    paymentFailureReason: text("payment_failure_reason"),
    notes: text("notes"),
    createdAt: timestamp("created_at").notNull().defaultNow(),
    updatedAt: timestamp("updated_at").notNull().defaultNow(),
@@ -262,7 +259,6 @@ export const invoices = pgTable(
    index("idx_invoices_client_id").on(t.clientId),
    index("idx_invoices_status").on(t.status),
    index("idx_invoices_created_at").on(t.createdAt),
-    unique("idx_invoices_stripe_payment_intent_id").on(t.stripePaymentIntentId),
  ]
 );

@@ -40,9 +40,6 @@ importers:
      nodemailer:
        specifier: ^6.9.16
        version: 6.10.1
-      stripe:
-        specifier: ^22.0.0
-        version: 22.0.1(@types/node@22.19.15)
      zod:
        specifier: ^4.3.6
        version: 4.3.6
@@ -90,7 +87,7 @@ importers:
        specifier: ^4.2.2
        version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      better-auth:
-        specifier: ^1.5.6
+        specifier: ^1.0.0
        version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
      lucide-react:
        specifier: ^0.577.0
@@ -4127,15 +4124,6 @@ packages:
  strip-literal@3.1.0:
    resolution: {integrity: sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==}

-  stripe@22.0.1:
-    resolution: {integrity: sha512-Yw764pZ6s8Xu4CtUZdD5uWOkw6gc9xzO9OKylCuj1gMhMDLbyGbDtaPNNSFE4mB6njYSHESYIVbF1iIzUfAl2g==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      '@types/node': '>=18'
-    peerDependenciesMeta:
-      '@types/node':
-        optional: true
-
  strnum@2.2.1:
    resolution: {integrity: sha512-BwRvNd5/QoAtyW1na1y1LsJGQNvRlkde6Q/ipqqEaivoMdV+B1OMOTVdwR+N/cwVUcIt9PYyHmV8HyexCZSupg==}

@@ -8786,10 +8774,6 @@ snapshots:
    dependencies:
      js-tokens: 9.0.1

-  stripe@22.0.1(@types/node@22.19.15):
-    optionalDependencies:
-      '@types/node': 22.19.15
-
  strnum@2.2.1: {}

  supports-color@7.2.0: