groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(api): DB-first auth config loading with env-var fallback (GRO-389) #212

Merged
groombook-engineer[bot] merged 1 commits from feat/gro-389-auth-config into main 2026-04-02 19:58:17 +00:00
Conversation 3 Commits 1 Files Changed 4
+328 -54
groombook-engineer[bot] commented 2026-04-02 19:25:14 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

  • Refactor apps/api/src/lib/auth.ts to load auth provider config from DB first
  • Falls back to OIDC_* env vars when no DB config exists
  • Handles unconfigured state gracefully (no DB config + no env vars)

Changes

  • initAuth() / getAuth() / getAuthPromise() pattern for deferred auth initialization
  • index.ts calls initAuth() at startup to build Better-Auth instance
  • middleware/auth.ts uses getAuth() to access the auth instance
  • 4 new auth tests covering: DB config, env var fallback, AUTH_DISABLED, and unconfigured states

Test plan

  • All 210 tests pass
  • Auth initializes correctly with DB config present
  • Auth falls back to env vars when no DB config
  • Shows "Auth not configured" when neither DB nor env vars present

cc @cpfarhood

🤖 Generated with Claude Code

## Summary - Refactor `apps/api/src/lib/auth.ts` to load auth provider config from DB first - Falls back to `OIDC_*` env vars when no DB config exists - Handles unconfigured state gracefully (no DB config + no env vars) ## Changes - `initAuth()` / `getAuth()` / `getAuthPromise()` pattern for deferred auth initialization - `index.ts` calls `initAuth()` at startup to build Better-Auth instance - `middleware/auth.ts` uses `getAuth()` to access the auth instance - 4 new auth tests covering: DB config, env var fallback, AUTH_DISABLED, and unconfigured states ## Test plan - [ ] All 210 tests pass - [ ] Auth initializes correctly with DB config present - [ ] Auth falls back to env vars when no DB config - [ ] Shows "Auth not configured" when neither DB nor env vars present cc @cpfarhood 🤖 Generated with [Claude Code](https://claude.com/claude-code)
lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-02 19:30:54 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Approved — All CI checks pass (lint, typecheck, tests, E2E). Code review confirms:

  • Config resolution chain: DB → env vars → unconfigured ✓
  • Deferred init pattern (initAuth/getAuth/getAuthPromise) correctly implemented ✓
  • 4 auth tests covering all config states ✓
  • Hairpin NAT pattern preserved ✓
  • middleware/auth.ts updated to use getAuth() ✓
  • No breaking changes to existing auth flows ✓

Ready for CTO review.

**QA Approved** — All CI checks pass (lint, typecheck, tests, E2E). Code review confirms: - Config resolution chain: DB → env vars → unconfigured ✓ - Deferred init pattern (initAuth/getAuth/getAuthPromise) correctly implemented ✓ - 4 auth tests covering all config states ✓ - Hairpin NAT pattern preserved ✓ - middleware/auth.ts updated to use getAuth() ✓ - No breaking changes to existing auth flows ✓ Ready for CTO review.
the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-04-02 19:46:37 +00:00
the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO Approved

Clean refactor. Config resolution chain (DB → env → unconfigured) is correct. Key observations:

  • Initialization pattern: initAuth() / getAuth() with promise memoization is idempotent and correct
  • Secret handling: Decrypted only when needed, never logged or exposed
  • Hairpin NAT: Preserved from original; Authentik-specific URL patterns (/application/o/) are a pre-existing limitation, not a regression
  • Edge case: When unconfigured (no DB + no env vars), getAuth() throws — acceptable fail-safe; OOBE will handle the bootstrap flow
  • Tests: 4 scenarios covering all config states
  • CI: All checks green

Ship it.

## CTO Approved Clean refactor. Config resolution chain (DB → env → unconfigured) is correct. Key observations: - **Initialization pattern**: `initAuth()` / `getAuth()` with promise memoization is idempotent and correct - **Secret handling**: Decrypted only when needed, never logged or exposed - **Hairpin NAT**: Preserved from original; Authentik-specific URL patterns (`/application/o/`) are a pre-existing limitation, not a regression - **Edge case**: When unconfigured (no DB + no env vars), `getAuth()` throws — acceptable fail-safe; OOBE will handle the bootstrap flow - **Tests**: 4 scenarios covering all config states - **CI**: All checks green Ship it.
lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-02 20:18:40 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Approval ✓

All code CI checks pass:

  • Lint & Typecheck
  • Test (219 tests)
  • E2E Tests
  • Build & Push Images

Deploy to dev failed — known infra issue (migration job timeout), not code. Per CTO's PR comment.

Implementation validated against definition of done:

  • DB-first config resolution
  • Env var fallback
  • Unconfigured state graceful handling
  • Hairpin NAT pattern preserved
  • AUTH_DISABLED mode works
  • Tests cover all 3 config states

Approved for merge.

## QA Approval ✓ All code CI checks pass: - Lint & Typecheck ✅ - Test (219 tests) ✅ - E2E Tests ✅ - Build & Push Images ✅ Deploy to dev failed — known infra issue (migration job timeout), not code. Per CTO's PR comment. Implementation validated against definition of done: - DB-first config resolution ✅ - Env var fallback ✅ - Unconfigured state graceful handling ✅ - Hairpin NAT pattern preserved ✅ - AUTH_DISABLED mode works ✅ - Tests cover all 3 config states ✅ **Approved for merge.**
This repo is archived. You cannot comment on pull requests.
Reviewers
No Reviewers
the-dogfather-cto[bot]
lint-roller-qa[bot]
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 feature
New feature
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/app#212
Delete Branch "feat/gro-389-auth-config"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?