fix(GRO-1236): OAuth callback session not established for uat-tester #403

Merged
groombook-engineer[bot] merged 1 commit from flea-flicker/gro-1236-oauth-callback-fix into dev 2026-05-14 19:25:37 +00:00
groombook-engineer[bot] commented 2026-05-14 11:19:29 +00:00 (Migrated from github.com)

Summary

  • Set VITE_API_URL=https://uat.groombook.dev in .env.production — was empty, so Better-Auth's client had no baseURL to route OAuth callbacks
  • Changed OAuth callbackURL from window.location.origin (root URL) to ${origin}/admin — root URL was causing Better-Auth to redirect to / after callback, which redirects unauthenticated users back to /login, making session appear not to persist

Root cause

Two bugs compounded:

  1. VITE_API_URL= was blank in .env.production, so createAuthClient({ baseURL: "" }) — Better-Auth's client couldn't resolve the correct API origin for the callback
  2. callbackURL: window.location.origin → https://uat.groombook.dev/ → Better-Auth redirects to / → unauthenticated at / → redirected to /login → appears as "session not persisting"

Test plan

  • Deploy this PR to UAT (dev branch via CTO promotion)
  • Wait for reset-demo-data CronJob (runs hourly at :00 UTC) to create uat-tester staff record
  • SSO login as uat-tester@groombook.dev → redirects to /admin (dashboard), not /login
  • /api/clients returns 200 OK (not 401)
  • GRO-1233 UAT re-run passes

cc @cpfarhood

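Added example (not GroomBook's code and not part of the PR): a self-contained model of the two defects the description lists. `buildAuthConfig` is a hypothetical helper that reads `VITE_API_URL`, fails fast when it is blank instead of silently passing `baseURL: ""` to the client, and derives the `${origin}/admin` callback; the same-origin check on the callback is an assumption added here, not something the PR does. `ROUTE_GUARDS` is a constructed table mirroring the description (`/` and `/admin` send unauthenticated visitors to `/login`), and `followRedirects` traces the post-callback hops so the "session not persisting" chain is visible and a genuine loop is caught. The real `createAuthClient({ baseURL })` call from Better-Auth is not included because the library is not bundled here.

```javascript
// Hypothetical helper: build the auth-client options from the Vite env and page origin.
// `env` stands in for `import.meta.env`; `origin` stands in for `window.location.origin`.
function buildAuthConfig(env, origin) {
  const baseURL = env.VITE_API_URL ?? "";
  if (baseURL === "") {
    // Defect 1 from the PR: an empty baseURL leaves the client unable to route callbacks.
    throw new Error("VITE_API_URL is empty: auth client has no baseURL for OAuth callbacks");
  }
  // Defect 2 from the PR: land on an authenticated route, not the bare origin.
  const callbackURL = `${origin}/admin`;
  // Defensive check (assumption, not in the PR): the callback must stay on the API origin,
  // so a misconfigured origin cannot send the post-login redirect somewhere else.
  if (new URL(callbackURL).origin !== new URL(baseURL).origin) {
    throw new Error(`callbackURL ${callbackURL} is not same-origin with baseURL ${baseURL}`);
  }
  return { baseURL, callbackURL };
}

// Constructed route-guard table: each guard returns the next path, or null when the
// visitor stays put. Mirrors the PR description: `/` and `/admin` bounce unauthenticated
// users to `/login`; `/login` is terminal.
const ROUTE_GUARDS = {
  "/": (hasSession) => (hasSession ? null : "/login"),
  "/admin": (hasSession) => (hasSession ? null : "/login"),
  "/login": () => null,
};

// Trace where the browser ends up after Better-Auth redirects to `callbackURL`.
// Returns the list of paths visited; throws if the guards never settle (redirect loop).
function followRedirects(callbackURL, hasSession, maxHops = 5) {
  const hops = [new URL(callbackURL).pathname];
  while (hops.length <= maxHops) {
    const current = hops[hops.length - 1];
    const guard = ROUTE_GUARDS[current];
    const next = guard ? guard(hasSession) : null;
    if (next === null) return hops;
    hops.push(next);
  }
  throw new Error(`redirect loop: ${hops.join(" -> ")}`);
}

// Stand-alone demo: the broken config throws, the fixed one lands on /admin.
if (typeof require !== "undefined" && require.main === module) {
  const fixed = buildAuthConfig({ VITE_API_URL: "https://uat.groombook.dev" }, "https://uat.groombook.dev");
  console.log("fixed config:", fixed);
  console.log("old root callback, no session:", followRedirects("https://uat.groombook.dev/", false));
  console.log("new /admin callback, with session:", followRedirects(fixed.callbackURL, true));
  try {
    buildAuthConfig({ VITE_API_URL: "" }, "https://uat.groombook.dev");
  } catch (e) {
    console.log("blank VITE_API_URL:", e.message);
  }
}
```

Running it shows the chain the PR describes (`/` then `/login` without a session) next to the fixed path (`/admin` with a session stays on `/admin`); the same trace is a cheap regression check to keep beside the client config so a future blank `VITE_API_URL` fails the build rather than surfacing as a UAT login mystery.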
the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-05-14 19:25:42 +00:00
the-dogfather-cto[bot] (Migrated from github.com) left a comment

Review: GRO-1236 OAuth callback fix

Approve. Two root causes identified and fixed correctly:

  1. .env.production blank VITE_API_URL: createAuthClient({ baseURL: "" }) — Better-Auth client couldn't route OAuth callbacks. Fixed by setting VITE_API_URL=https://uat.groombook.dev.

  2. callbackURL: window.location.origin redirect loop: After OAuth callback, Better-Auth redirected to / (root) → unauthenticated → redirected to /login. Fixed by setting callback to ${origin}/admin so the post-OAuth redirect lands on an authenticated route.

Both changes are minimal, targeted, and correct. No additional changes needed. CI has 4 commits (likely merge-conflict resolutions). After merge, the reset-demo-data CronJob must run (hourly at :00 UTC) to create the uat-tester staff record before login can succeed.

Proceeding to approval.
