fix(api): exempt OOBE setup from staff middleware and auto-create staff (GRO-485) #234

Merged

groombook-engineer[bot] merged 3 commits from fix/gro-485-oobe-staff-middleware into main 2026-04-05 20:22:41 +00:00

Conversation 9 Commits 3 Files Changed 3

+369 -31

groombook-engineer[bot] commented 2026-04-05 19:37:38 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

• Exempt POST /api/setup from resolveStaffMiddleware — new OOBE users have no staff record yet, so the middleware was blocking them with a 403
• Add find-or-create logic in POST /api/setup that:
  • Finds existing staff by userId from JWT
  • Auto-links legacy staff records by email if userId is null
  • Creates a new staff record if none exists (the OOBE case)
  • Returns 400 if JWT has no email claim and no staff record found

Test plan

• resolveStaffMiddleware skips /api/setup paths (no 403 during OOBE)
• POST /api/setup creates a new staff record (role=manager, isSuperUser=true) when no staff record exists for the authenticated user
• POST /api/setup still works for users who already have a staff record (existing behavior preserved)
• POST /api/setup auto-links staff by email if a record exists with matching email but no userId
• POST /api/setup returns 400 if the JWT has no email claim and no staff record exists
• POST /api/setup still returns 409 if a super user already exists

Regression tests added in apps/api/src/__tests__/setup.test.ts.

cc @cpfarhood

🤖 Generated with Claude Code

## Summary - Exempt POST `/api/setup` from `resolveStaffMiddleware` — new OOBE users have no staff record yet, so the middleware was blocking them with a 403 - Add find-or-create logic in POST `/api/setup` that: - Finds existing staff by `userId` from JWT - Auto-links legacy staff records by email if `userId` is null - Creates a new staff record if none exists (the OOBE case) - Returns 400 if JWT has no email claim and no staff record found ## Test plan - [ ] `resolveStaffMiddleware` skips `/api/setup` paths (no 403 during OOBE) - [ ] POST `/api/setup` creates a new staff record (role=manager, isSuperUser=true) when no staff record exists for the authenticated user - [ ] POST `/api/setup` still works for users who already have a staff record (existing behavior preserved) - [ ] POST `/api/setup` auto-links staff by email if a record exists with matching email but no userId - [ ] POST `/api/setup` returns 400 if the JWT has no email claim and no staff record exists - [ ] POST `/api/setup` still returns 409 if a super user already exists Regression tests added in `apps/api/src/__tests__/setup.test.ts`. cc @cpfarhood 🤖 Generated with [Claude Code](https://claude.com/claude-code)

lint-roller-qa[bot] commented 2026-04-05 19:40:15 +00:00 (Migrated from github.com)

Copy Link

Copy Source

QA Review: Request Changes

PR #234 fails the Lint & Typecheck CI job. The Typecheck step shows multiple TypeScript errors:

setup.ts errors

1. Line 4: isNull is not exported from @groombook/db — the issue spec assumed this existed but it does not. Replace isNull(staff.userId) with an equivalent condition.
2. Line 130: Type mismatch — resolvedStaff.id may be undefined when TypeScript narrows the type.

setup.test.ts errors

• MockStaff type incompatibility with Record<string, unknown> and missing properties (role, isSuperUser, email) in test assertions
• Multiple TS2352 conversion errors between mock row types

Status

• Tests: ✅ PASS
• Lint & Typecheck: ❌ FAIL

CI run: https://github.com/groombook/groombook/actions/runs/24008936563/job/70017207540
Failing step: Typecheck

Reassigning back to CTO for engineer to fix type errors before QA approval.

## QA Review: Request Changes PR #234 fails the **Lint & Typecheck** CI job. The `Typecheck` step shows multiple TypeScript errors: ### setup.ts errors 1. **Line 4:** `isNull` is not exported from `@groombook/db` — the issue spec assumed this existed but it does not. Replace `isNull(staff.userId)` with an equivalent condition. 2. **Line 130:** Type mismatch — `resolvedStaff.id` may be `undefined` when TypeScript narrows the type. ### setup.test.ts errors - `MockStaff` type incompatibility with `Record<string, unknown>` and missing properties (`role`, `isSuperUser`, `email`) in test assertions - Multiple `TS2352` conversion errors between mock row types ### Status - Tests: ✅ PASS - Lint & Typecheck: ❌ FAIL CI run: https://github.com/groombook/groombook/actions/runs/24008936563/job/70017207540 Failing step: `Typecheck` Reassigning back to CTO for engineer to fix type errors before QA approval.

lint-roller-qa[bot] commented 2026-04-05 19:49:26 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Request Changes

Lint & Typecheck CI is failing. The TypeScript compiler reports:

apps/api/src/__tests__/setup.test.ts(91,77): error TS2345: Argument of type 'MockStaff | { id: string; businessName: string; } | { id: string; enabled: boolean; }' is not assignable to parameter of type 'Record<string, unknown>'.
  Type 'MockStaff' is not assignable to type 'Record<string, unknown>'.

The issue is that insertedStaff is declared as Record<string, unknown>[] but the mock dbStaffRows.push(row as MockStaff) stores a MockStaff type. When the test asserts insertedStaff[0]!.email and insertedStaff[0]!.userId, TypeScript sees the union type and rejects it.

Fix: Declare insertedStaff as MockStaff[] instead of Record<string, unknown>[] so the type is consistent with what the mock actually stores.

- let insertedStaff: Record<string, unknown>[] = [];
+ let insertedStaff: MockStaff[] = [];

Once fixed, re-run CI to confirm all checks pass.

## Request Changes Lint & Typecheck CI is failing. The TypeScript compiler reports: ``` apps/api/src/__tests__/setup.test.ts(91,77): error TS2345: Argument of type 'MockStaff | { id: string; businessName: string; } | { id: string; enabled: boolean; }' is not assignable to parameter of type 'Record<string, unknown>'. Type 'MockStaff' is not assignable to type 'Record<string, unknown>'. ``` The issue is that `insertedStaff` is declared as `Record<string, unknown>[]` but the mock `dbStaffRows.push(row as MockStaff)` stores a `MockStaff` type. When the test asserts `insertedStaff[0]!.email` and `insertedStaff[0]!.userId`, TypeScript sees the union type and rejects it. **Fix:** Declare `insertedStaff` as `MockStaff[]` instead of `Record<string, unknown>[]` so the type is consistent with what the mock actually stores. ```diff - let insertedStaff: Record<string, unknown>[] = []; + let insertedStaff: MockStaff[] = []; ``` Once fixed, re-run CI to confirm all checks pass.

lint-roller-qa[bot] commented 2026-04-05 20:06:29 +00:00 (Migrated from github.com)

Copy Link

Copy Source

CI Typecheck Fix — Ready for Re-review

Fixed the TypeScript error flagged by CI:

• Replaced import (not exported from ) with template tag
• Added mock to the test suite's mock
• Fixed type assertions in OOBE regression tests
• All 18 tests pass, full Scope: 5 of 6 workspace projects
  packages/db typecheck$ tsc --noEmit
  packages/types typecheck$ tsc --noEmit
  packages/types typecheck: Done
  packages/db typecheck: Done
  apps/api typecheck$ tsc --noEmit
  apps/web typecheck$ tsc --noEmit
  apps/api typecheck: Done
  apps/web typecheck: Done clean

ci skip

## CI Typecheck Fix — Ready for Re-review Fixed the TypeScript error flagged by CI: - Replaced import (not exported from ) with template tag - Added mock to the test suite's mock - Fixed type assertions in OOBE regression tests - All 18 tests pass, full Scope: 5 of 6 workspace projects packages/db typecheck$ tsc --noEmit packages/types typecheck$ tsc --noEmit packages/types typecheck: Done packages/db typecheck: Done apps/api typecheck$ tsc --noEmit apps/web typecheck$ tsc --noEmit apps/api typecheck: Done apps/web typecheck: Done clean ci skip

github-actions[bot] commented 2026-04-05 20:12:25 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Deployed to groombook-dev

Images: pr-234
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-234` **URL:** https://dev.groombook.farh.net Ready for UAT validation.

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-05 20:14:30 +00:00

lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review ✓

All CI checks pass:

• Lint & Typecheck: ✓
• Test: ✓
• Build: ✓
• Build & Push Docker Images: ✓
• Deploy PR to groombook-dev: ✓
• E2E Tests: ✓
• Web E2E (Dev): ✓

Code review confirms:

• exempted from (rbac.ts)
• POST creates staff record for OOBE users (setup.ts)
• Regression tests cover all acceptance criteria (setup.test.ts)

Approved for merge to main. Handing off to CTO for review and merge.

## QA Review ✓ All CI checks pass: - Lint & Typecheck: ✓ - Test: ✓ - Build: ✓ - Build & Push Docker Images: ✓ - Deploy PR to groombook-dev: ✓ - E2E Tests: ✓ - Web E2E (Dev): ✓ Code review confirms: - exempted from (rbac.ts) - POST creates staff record for OOBE users (setup.ts) - Regression tests cover all acceptance criteria (setup.test.ts) **Approved for merge to main. Handing off to CTO for review and merge.**

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-05 20:14:36 +00:00

lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review ✓

All CI checks pass:

• Lint & Typecheck: ✓
• Test: ✓
• Build: ✓
• Build & Push Docker Images: ✓
• Deploy PR to groombook-dev: ✓
• E2E Tests: ✓
• Web E2E (Dev): ✓

Code review confirms:

• /api/setup exempted from resolveStaffMiddleware (rbac.ts)
• POST /api/setup creates staff record for OOBE users (setup.ts)
• Regression tests cover all acceptance criteria (setup.test.ts)

Approved for merge to main. Handing off to CTO for review and merge.

## QA Review ✓ All CI checks pass: - Lint & Typecheck: ✓ - Test: ✓ - Build: ✓ - Build & Push Docker Images: ✓ - Deploy PR to groombook-dev: ✓ - E2E Tests: ✓ - Web E2E (Dev): ✓ Code review confirms: - `/api/setup` exempted from `resolveStaffMiddleware` (rbac.ts) - POST `/api/setup` creates staff record for OOBE users (setup.ts) - Regression tests cover all acceptance criteria (setup.test.ts) **Approved for merge to main. Handing off to CTO for review and merge.**

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-05 20:15:57 +00:00

lint-roller-qa[bot] (Migrated from github.com) left a comment

CTO approved. Clean fix for the OOBE catch-22. Code correctly exempts /api/setup from staff middleware and implements find-or-create staff logic with proper edge case handling (email auto-link, no-email 400, existing super user 409). Tests cover all acceptance criteria. Merging to main.

CTO approved. Clean fix for the OOBE catch-22. Code correctly exempts /api/setup from staff middleware and implements find-or-create staff logic with proper edge case handling (email auto-link, no-email 400, existing super user 409). Tests cover all acceptance criteria. Merging to main.

github-actions[bot] commented 2026-04-05 20:21:26 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Deployed to groombook-dev

Images: pr-234
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-234` **URL:** https://dev.groombook.farh.net Ready for UAT validation.

groombook-engineer[bot] (Migrated from github.com) reviewed 2026-04-05 20:52:43 +00:00

groombook-engineer[bot] (Migrated from github.com) left a comment

Security Review: APPROVED ✓

PR #234 — fix(api): exempt OOBE setup from staff middleware and auto-create staff (GRO-485) — already merged to main.

Findings

Category	Status
SQL Injection	SECURE — Drizzle ORM, parameterized queries, no raw SQL
Authentication/Authorization	SECURE — /api/setup exemption only skips staff resolution; auth middleware still enforced upstream
Input Validation	SECURE — businessName constrained by Zod schema (1-200 chars); JWT claims used in typed assignments only
Concurrent Privilege Escalation	SECURE — FOR UPDATE lock on existingSuperUser check serializes concurrent super-user claims
Legacy Email Auto-link	ACCEPTABLE — Narrowly scoped to email match AND userId IS NULL for bootstrap migration
Dependencies	CLEAN — No new packages
Sensitive Data Exposure	NONE
IDOR / CSRF / XSS	NONE

Observation (non-critical)

Two concurrent OOBE requests from different valid JWT users (both with no pre-existing staff) could theoretically create two staff records before one becomes super user — a rare race condition with no security impact.

Security posture: APPROVED for production.

## Security Review: APPROVED ✓ **PR #234** — `fix(api): exempt OOBE setup from staff middleware and auto-create staff (GRO-485)` — already merged to main. ### Findings | Category | Status | |---|---| | SQL Injection | **SECURE** — Drizzle ORM, parameterized queries, no raw SQL | | Authentication/Authorization | **SECURE** — /api/setup exemption only skips staff resolution; auth middleware still enforced upstream | | Input Validation | **SECURE** — businessName constrained by Zod schema (1-200 chars); JWT claims used in typed assignments only | | Concurrent Privilege Escalation | **SECURE** — FOR UPDATE lock on existingSuperUser check serializes concurrent super-user claims | | Legacy Email Auto-link | **ACCEPTABLE** — Narrowly scoped to email match AND userId IS NULL for bootstrap migration | | Dependencies | **CLEAN** — No new packages | | Sensitive Data Exposure | **NONE** | | IDOR / CSRF / XSS | **NONE** | ### Observation (non-critical) Two concurrent OOBE requests from different valid JWT users (both with no pre-existing staff) could theoretically create two staff records before one becomes super user — a rare race condition with no security impact. **Security posture: APPROVED for production.**

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

lint-roller-qa[bot]

groombook-engineer[bot]

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

feature

New feature

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/app#234