[CLOSED - split] auth_provider_config table + AES-256-GCM #207

Closed
groombook-engineer[bot] wants to merge 3 commits from fix/gro-387-auth-provider-config-schema into main

3 Commits

Author SHA1 Message Date
groombook-engineer[bot] 2876890053 fix(api): remove dead code in rbac test
Remove unused `app` variable from 'returns 403 when staff record is
not resolved' test - the test uses `testApp` instead.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-02 11:11:08 +00:00
groombook-engineer[bot] 0ca63f2c65 feat(db): add auth_provider_config table and AES-256-GCM encryption helpers
Implements GRO-387 (Schema: auth_provider_config table + encryption helpers):
- Add auth_provider_config Drizzle table with providerId, displayName,
  issuerUrl, internalBaseUrl, clientId, clientSecret (encrypted),
  scopes, enabled, timestamps
- Add encryptSecret/decryptSecret helpers using AES-256-GCM with
  BETTER_AUTH_SECRET as key-encryption-key (scrypt-derived)
- Store ciphertext as base64(iv:ciphertext:authTag) format
- Add unit tests for encryption helpers (9 tests, all passing)
- Generate Drizzle migration 0021_classy_hedge_knight

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-02 11:07:22 +00:00
groombook-engineer[bot] 804bb474d2 fix(api): enforce requireSuperUser on settings PATCH and fix dev-mode auth bypass
- Add requireSuperUser() middleware to PATCH /api/admin/settings route
  to ensure only super users can modify business settings

- Fix dev-mode (AUTH_DISABLED=true) force-set of isSuperUser:true
  for all staff records in resolveStaffMiddleware. Now preserves
  actual database value with isSuperUser ?? false fallback.
  This prevents non-super-users (e.g., receptionists) from
  bypassing RBAC checks in dev mode.

- Fix test data: RECEPTIONIST and GROOMER now correctly have
  isSuperUser: false (was incorrectly inheriting true from MANAGER)

- Add 7 new tests for requireSuperUser middleware covering:
  - Super user access allowed
  - Non-super-user receptionist blocked with 403
  - Non-super-user groomer blocked with 403
  - Unresolved staff record returns 403
  - Receptionist cannot grant super user via PATCH
  - JSON error response format

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-02 10:50:55 +00:00
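The dev-mode bypass and the `requireSuperUser` guard described in the commit above, as an added example that is not the project's code. The request handling is reduced to plain functions returning a status and JSON body, because the project's actual middleware signatures are not shown on the page; `resolveStaffBefore` reconstructs the described faulty behaviour (forcing `isSuperUser: true` whenever `AUTH_DISABLED` is set), `resolveStaff` the fixed one, and the staff records are constructed fixtures following the commit's MANAGER / RECEPTIONIST / GROOMER roles.

```javascript
// Constructed test fixtures: only the manager is a super user.
const MANAGER = { id: 'm1', role: 'MANAGER', isSuperUser: true };
const RECEPTIONIST = { id: 'r1', role: 'RECEPTIONIST', isSuperUser: false };
const GROOMER = { id: 'g1', role: 'GROOMER', isSuperUser: false };

// Before the fix (hypothetical reconstruction): with auth disabled every
// resolved staff record was promoted to super user, so RBAC checks in dev mode
// could not observe a non-super-user.
function resolveStaffBefore(record, authDisabled) {
  if (!record) return null;
  if (authDisabled) return { ...record, isSuperUser: true };
  return { ...record, isSuperUser: record.isSuperUser ?? false };
}

// After the fix: dev mode preserves the stored value and defaults to false
// when the column is missing, the same as the authenticated path.
function resolveStaff(record, authDisabled) {
  if (!record) return null;
  return { ...record, isSuperUser: record.isSuperUser ?? false };
}

// Guard for routes that change business settings. Returns a 403 response
// object when access is denied, or null to let the handler continue.
function requireSuperUser(staff) {
  if (!staff) {
    return { status: 403, body: { error: 'forbidden', reason: 'staff record not resolved' } };
  }
  if (staff.isSuperUser !== true) {
    return { status: 403, body: { error: 'forbidden', reason: 'super user required' } };
  }
  return null;
}

// PATCH /api/admin/settings reduced to its authorization decision.
function handleSettingsPatch(staff, patch) {
  const denied = requireSuperUser(staff);
  if (denied) return denied;
  return { status: 200, body: { updated: Object.keys(patch) } };
}
```

The test cases mirror the ones listed in the commit message: the receptionist is denied in dev mode under the fixed resolver, a PATCH attempting to set `isSuperUser` never reaches the handler without super-user rights, and an unresolved record also yields 403 with a JSON body.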