Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f123e04e4c | |||
| 15131b72f0 | |||
| f4e34f2826 |
@@ -3,7 +3,6 @@ import { drizzleAdapter } from "better-auth/adapters/drizzle";
|
|||||||
import { genericOAuth } from "better-auth/plugins";
|
import { genericOAuth } from "better-auth/plugins";
|
||||||
import { getDb, authProviderConfig, eq } from "@groombook/db";
|
import { getDb, authProviderConfig, eq } from "@groombook/db";
|
||||||
import { decryptSecret } from "@groombook/db";
|
import { decryptSecret } from "@groombook/db";
|
||||||
import { sendEmail } from "../services/email.js";
|
|
||||||
|
|
||||||
const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
|
const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
|
||||||
const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://localhost:3000";
|
const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://localhost:3000";
|
||||||
@@ -177,52 +176,6 @@ export async function initAuth(): Promise<void> {
|
|||||||
const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
|
const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
|
||||||
const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
|
const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
|
||||||
|
|
||||||
// Fetch OIDC discovery document to derive canonical provider URLs.
|
|
||||||
// Replace the host of token/userinfo endpoints with internalBaseUrl when set,
|
|
||||||
// while keeping authorizationUrl public for browser redirects.
|
|
||||||
const discoveryUrlStr = `${providerConfig.issuerUrl}/.well-known/openid-configuration`;
|
|
||||||
let oidcConfig: Record<string, string> = {};
|
|
||||||
try {
|
|
||||||
const discoveryRes = await fetch(discoveryUrlStr);
|
|
||||||
if (discoveryRes.ok) {
|
|
||||||
const discovery = await discoveryRes.json() as {
|
|
||||||
authorization_endpoint?: string;
|
|
||||||
token_endpoint?: string;
|
|
||||||
userinfo_endpoint?: string;
|
|
||||||
};
|
|
||||||
const replaceHost = (url: string, newHost: string) => {
|
|
||||||
try {
|
|
||||||
const parsed = new URL(url);
|
|
||||||
const newParsed = new URL(newHost);
|
|
||||||
return `${newParsed.origin}${parsed.pathname}${parsed.search}`;
|
|
||||||
} catch {
|
|
||||||
return url;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
const authzUrl = discovery.authorization_endpoint;
|
|
||||||
const tokenUrl = discovery.token_endpoint;
|
|
||||||
const userInfoUrl = discovery.userinfo_endpoint;
|
|
||||||
if (authzUrl && tokenUrl && userInfoUrl) {
|
|
||||||
oidcConfig = {
|
|
||||||
authorizationUrl: authzUrl,
|
|
||||||
tokenUrl: providerConfig.internalBaseUrl
|
|
||||||
? replaceHost(tokenUrl, providerConfig.internalBaseUrl)
|
|
||||||
: tokenUrl,
|
|
||||||
userInfoUrl: providerConfig.internalBaseUrl
|
|
||||||
? replaceHost(userInfoUrl, providerConfig.internalBaseUrl)
|
|
||||||
: userInfoUrl,
|
|
||||||
};
|
|
||||||
console.log("[auth] OIDC discovery successful, provider:", providerConfig.providerId);
|
|
||||||
} else {
|
|
||||||
console.warn("[auth] OIDC discovery missing required endpoints, using discoveryUrl only");
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
console.warn(`[auth] OIDC discovery failed (${discoveryRes.status}), using discoveryUrl only`);
|
|
||||||
}
|
|
||||||
} catch (err) {
|
|
||||||
console.warn(`[auth] OIDC discovery fetch failed: ${err}, using discoveryUrl only`);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Build Better-Auth instance using resolved config
|
// Build Better-Auth instance using resolved config
|
||||||
authInstance = betterAuth({
|
authInstance = betterAuth({
|
||||||
database: drizzleAdapter(db, {
|
database: drizzleAdapter(db, {
|
||||||
@@ -239,19 +192,6 @@ export async function initAuth(): Promise<void> {
|
|||||||
account: {
|
account: {
|
||||||
storeStateStrategy: "cookie" as const,
|
storeStateStrategy: "cookie" as const,
|
||||||
},
|
},
|
||||||
emailAndPassword: {
|
|
||||||
enabled: true,
|
|
||||||
emailVerification: {
|
|
||||||
sendVerificationEmail: async ({ user, url }: { user: { email: string }; url: string }) => {
|
|
||||||
await sendEmail({
|
|
||||||
to: user.email,
|
|
||||||
subject: "Verify your GroomBook email",
|
|
||||||
text: `Click the link to verify your email: ${url}`,
|
|
||||||
html: `<p>Click the link to verify your email:</p><a href="${url}">${url}</a>`,
|
|
||||||
});
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
plugins: [
|
plugins: [
|
||||||
genericOAuth({
|
genericOAuth({
|
||||||
config: [
|
config: [
|
||||||
@@ -259,8 +199,15 @@ export async function initAuth(): Promise<void> {
|
|||||||
providerId: providerConfig.providerId,
|
providerId: providerConfig.providerId,
|
||||||
clientId: providerConfig.clientId,
|
clientId: providerConfig.clientId,
|
||||||
clientSecret: providerConfig.clientSecret,
|
clientSecret: providerConfig.clientSecret,
|
||||||
discoveryUrl: discoveryUrlStr,
|
...(providerConfig.internalBaseUrl
|
||||||
...(Object.keys(oidcConfig).length > 0 ? oidcConfig : {}),
|
? {
|
||||||
|
authorizationUrl: `${new URL(providerConfig.issuerUrl).origin}/application/o/authorize/`,
|
||||||
|
tokenUrl: `${providerConfig.internalBaseUrl}/application/o/token/`,
|
||||||
|
userInfoUrl: `${providerConfig.internalBaseUrl}/application/o/userinfo/`,
|
||||||
|
}
|
||||||
|
: {
|
||||||
|
discoveryUrl: `${providerConfig.issuerUrl}/.well-known/openid-configuration`,
|
||||||
|
}),
|
||||||
scopes: providerConfig.scopes.split(" ").filter(Boolean),
|
scopes: providerConfig.scopes.split(" ").filter(Boolean),
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
import { Hono } from "hono";
|
import { Hono } from "hono";
|
||||||
import { zValidator } from "@hono/zod-validator";
|
import { zValidator } from "@hono/zod-validator";
|
||||||
import { z } from "zod/v3";
|
import { z } from "zod/v3";
|
||||||
import { eq, getDb, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
|
import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
|
||||||
import type { AppEnv } from "../middleware/rbac.js";
|
import type { AppEnv } from "../middleware/rbac.js";
|
||||||
|
|
||||||
export const setupRouter = new Hono<AppEnv>();
|
export const setupRouter = new Hono<AppEnv>();
|
||||||
@@ -108,6 +108,21 @@ setupRouter.post("/", zValidator("json", setupSchema), async (c) => {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!resolvedStaff && jwt.email) {
|
||||||
|
// Try auto-link by email: staff record exists with matching email but no userId
|
||||||
|
const [byEmail] = await tx
|
||||||
|
.select()
|
||||||
|
.from(staff)
|
||||||
|
.where(and(eq(staff.email, jwt.email), sql`${staff.userId} IS NULL`));
|
||||||
|
if (byEmail) {
|
||||||
|
await tx
|
||||||
|
.update(staff)
|
||||||
|
.set({ userId: jwt.sub })
|
||||||
|
.where(eq(staff.id, byEmail.id));
|
||||||
|
resolvedStaff = { ...byEmail, userId: jwt.sub };
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!resolvedStaff) {
|
if (!resolvedStaff) {
|
||||||
// Brand new user during OOBE — create staff record
|
// Brand new user during OOBE — create staff record
|
||||||
if (!jwt.email) {
|
if (!jwt.email) {
|
||||||
|
|||||||
@@ -12,7 +12,6 @@ import {
|
|||||||
services,
|
services,
|
||||||
staff,
|
staff,
|
||||||
reminderLogs,
|
reminderLogs,
|
||||||
session,
|
|
||||||
} from "@groombook/db";
|
} from "@groombook/db";
|
||||||
import {
|
import {
|
||||||
buildReminderEmail,
|
buildReminderEmail,
|
||||||
@@ -156,19 +155,6 @@ export function startReminderScheduler(): void {
|
|||||||
runReminderCheck().catch((err) => {
|
runReminderCheck().catch((err) => {
|
||||||
console.error("[reminders] Error during reminder check:", err);
|
console.error("[reminders] Error during reminder check:", err);
|
||||||
});
|
});
|
||||||
runSessionCleanup().catch((err) => {
|
|
||||||
console.error("[reminders] Error during session cleanup:", err);
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
console.log("[reminders] Reminder scheduler started");
|
console.log("[reminders] Reminder scheduler started");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Deletes expired sessions from the database.
|
|
||||||
// Runs every minute alongside reminder checks.
|
|
||||||
export async function runSessionCleanup(): Promise<void> {
|
|
||||||
const db = getDb();
|
|
||||||
const now = new Date();
|
|
||||||
await db
|
|
||||||
.delete(session)
|
|
||||||
.where(lt(session.expiresAt, now));
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -3,13 +3,13 @@ kind: Kustomization
|
|||||||
namespace: groombook-uat
|
namespace: groombook-uat
|
||||||
images:
|
images:
|
||||||
- name: ghcr.io/groombook/api
|
- name: ghcr.io/groombook/api
|
||||||
newTag: "2026.04.03-90be1be"
|
newTag: "2026.04.12-15131b7"
|
||||||
- name: ghcr.io/groombook/web
|
- name: ghcr.io/groombook/web
|
||||||
newTag: "2026.04.03-90be1be"
|
newTag: "2026.04.12-15131b7"
|
||||||
- name: ghcr.io/groombook/migrate
|
- name: ghcr.io/groombook/migrate
|
||||||
newTag: "2026.04.03-90be1be"
|
newTag: "2026.04.12-15131b7"
|
||||||
- name: ghcr.io/groombook/seed
|
- name: ghcr.io/groombook/seed
|
||||||
newTag: "2026.04.03-90be1be"
|
newTag: "2026.04.12-15131b7"
|
||||||
resources:
|
resources:
|
||||||
- ../../base
|
- ../../base
|
||||||
- postgres-sealed-secret.yaml
|
- postgres-sealed-secret.yaml
|
||||||
|
|||||||
@@ -4,4 +4,4 @@ export const authClient = createAuthClient({
|
|||||||
baseURL: import.meta.env.VITE_API_URL ?? "",
|
baseURL: import.meta.env.VITE_API_URL ?? "",
|
||||||
});
|
});
|
||||||
|
|
||||||
export const { signIn, signOut, useSession, changePassword } = authClient;
|
export const { signIn, signOut, useSession } = authClient;
|
||||||
@@ -1,7 +1,6 @@
|
|||||||
import React, { useState, useEffect } from "react";
|
import React, { useState, useEffect } from "react";
|
||||||
import { User, Lock, PawPrint, FileCheck, Plus, Archive } from "lucide-react";
|
import { User, Lock, PawPrint, FileCheck, Plus, Archive } from "lucide-react";
|
||||||
import { PetForm } from "./PetForm.js";
|
import { PetForm } from "./PetForm.js";
|
||||||
import { authClient } from "../../lib/auth-client.js";
|
|
||||||
|
|
||||||
interface Props {
|
interface Props {
|
||||||
sessionId: string | null;
|
sessionId: string | null;
|
||||||
@@ -149,11 +148,9 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
|
|||||||
const [newPassword, setNewPassword] = useState("");
|
const [newPassword, setNewPassword] = useState("");
|
||||||
const [confirmPassword, setConfirmPassword] = useState("");
|
const [confirmPassword, setConfirmPassword] = useState("");
|
||||||
const [error, setError] = useState<string | null>(null);
|
const [error, setError] = useState<string | null>(null);
|
||||||
const [success, setSuccess] = useState(false);
|
|
||||||
const [loading, setLoading] = useState(false);
|
|
||||||
|
|
||||||
const passwordsMatch = newPassword === confirmPassword;
|
const passwordsMatch = newPassword === confirmPassword;
|
||||||
const canSubmit = newPassword.length > 0 && passwordsMatch && !loading;
|
const canSubmit = currentPassword.length > 0 && newPassword.length > 0 && passwordsMatch;
|
||||||
|
|
||||||
if (readOnly) {
|
if (readOnly) {
|
||||||
return (
|
return (
|
||||||
@@ -163,34 +160,17 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function handleSubmit() {
|
function handleSubmit() {
|
||||||
if (!canSubmit) return;
|
if (!canSubmit) return;
|
||||||
if (newPassword !== confirmPassword) {
|
if (newPassword !== confirmPassword) {
|
||||||
setError("Passwords do not match.");
|
setError("Passwords do not match.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
// TODO: Wire up to actual password-change API endpoint once backend support exists
|
||||||
setError(null);
|
setError(null);
|
||||||
setLoading(true);
|
setCurrentPassword("");
|
||||||
try {
|
setNewPassword("");
|
||||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
setConfirmPassword("");
|
||||||
const result = await (authClient as any).changePassword({
|
|
||||||
currentPassword,
|
|
||||||
newPassword,
|
|
||||||
});
|
|
||||||
if (result.error) {
|
|
||||||
setError(result.error.message ?? "Failed to change password.");
|
|
||||||
} else {
|
|
||||||
setSuccess(true);
|
|
||||||
setCurrentPassword("");
|
|
||||||
setNewPassword("");
|
|
||||||
setConfirmPassword("");
|
|
||||||
setTimeout(() => setSuccess(false), 4000);
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
setError("An unexpected error occurred.");
|
|
||||||
} finally {
|
|
||||||
setLoading(false);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return (
|
return (
|
||||||
@@ -225,13 +205,12 @@ function PasswordChange({ readOnly }: { readOnly: boolean }) {
|
|||||||
/>
|
/>
|
||||||
</div>
|
</div>
|
||||||
{error && <p className="text-sm text-red-500">{error}</p>}
|
{error && <p className="text-sm text-red-500">{error}</p>}
|
||||||
{success && <p className="text-sm text-green-600">Password updated successfully.</p>}
|
|
||||||
<button
|
<button
|
||||||
onClick={handleSubmit}
|
onClick={handleSubmit}
|
||||||
disabled={!canSubmit}
|
disabled={!canSubmit}
|
||||||
className="px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover) disabled:opacity-50 disabled:cursor-not-allowed"
|
className="px-4 py-2 bg-(--color-accent) text-white rounded-lg text-sm font-medium hover:bg-(--color-accent-hover) disabled:opacity-50 disabled:cursor-not-allowed"
|
||||||
>
|
>
|
||||||
{loading ? "Updating..." : "Update Password"}
|
Update Password
|
||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
-- Better-Auth rate limiting table (GRO-574)
|
||||||
|
CREATE TABLE "rate_limit" (
|
||||||
|
key TEXT NOT NULL PRIMARY KEY,
|
||||||
|
count INTEGER NOT NULL,
|
||||||
|
last_request BIGINT NOT NULL
|
||||||
|
);
|
||||||
@@ -176,6 +176,13 @@
|
|||||||
"when": 1775396067192,
|
"when": 1775396067192,
|
||||||
"tag": "0024_invoice_indexes",
|
"tag": "0024_invoice_indexes",
|
||||||
"breakpoints": true
|
"breakpoints": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"idx": 25,
|
||||||
|
"version": "7",
|
||||||
|
"when": 1775482467192,
|
||||||
|
"tag": "0025_rate_limit",
|
||||||
|
"breakpoints": true
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user