fix(api): needsSetup guard ordering in setup auth endpoints (GRO-392 UAT fix) #215

Merged
groombook-engineer[bot] merged 13 commits from feat/gro-392-oobe-auth-provider-bootstrap into main 2026-04-03 07:17:13 +00:00
2 changed files with 8 additions and 2 deletions
Showing only changes of commit 075fd68cde - Show all commits
+7 -1
View File
@@ -110,6 +110,12 @@ const authProviderBootstrapSchema = z.object({
scopes: z.string().default("openid profile email"), scopes: z.string().default("openid profile email"),
}); });
// Minimal schema for test endpoint — OIDC discovery only needs issuer/internal URLs
const authProviderTestSchema = z.object({
issuerUrl: z.string().url(),
internalBaseUrl: z.string().url().nullable().optional(),
});
/** /**
* POST /api/setup/auth-provider * POST /api/setup/auth-provider
* Unauthenticated endpoint for first-time auth provider setup during OOBE. * Unauthenticated endpoint for first-time auth provider setup during OOBE.
@@ -186,7 +192,7 @@ setupRouter.post("/auth-provider", zValidator("json", authProviderBootstrapSchem
* Fetches the OIDC discovery document to confirm the issuer is reachable. * Fetches the OIDC discovery document to confirm the issuer is reachable.
* Only available when needsSetup is true (no super user = fresh install). * Only available when needsSetup is true (no super user = fresh install).
*/ */
setupRouter.post("/auth-provider/test", zValidator("json", authProviderBootstrapSchema), async (c) => { setupRouter.post("/auth-provider/test", zValidator("json", authProviderTestSchema), async (c) => {
const db = getDb(); const db = getDb();
// Guard: only allow during fresh install (no super user yet) // Guard: only allow during fresh install (no super user yet)