feat(GRO-564): Better Auth Phase 2 Security Hardening #265

Merged
groombook-engineer[bot] merged 5 commits from feature/gro-564-better-auth-security-hardening into main 2026-04-11 23:07:37 +00:00
groombook-engineer[bot] commented 2026-04-11 22:53:37 +00:00 (Migrated from github.com)

Summary

  • Add logout button to admin layout header using Better Auth's signOut()
  • AUTH_DISABLED production guard already present in auth.ts middleware
  • Remove automatic email-based staff-user linking (security fix - now requires explicit admin action)
  • Add PATCH /api/staff/:id/link-user endpoint for manual staff-user linking by managers/super users
  • Add rate limiting to Better Auth (10 requests/minute, database storage)

Changes

  • apps/api/src/lib/auth.ts — added rateLimit config to both Better Auth instances
  • apps/api/src/middleware/rbac.ts — removed auto-linking block, cleaned up unused imports
  • apps/api/src/routes/staff.ts — added PATCH /:id/link-user endpoint
  • apps/web/src/App.tsx — added logout button to AdminLayout nav

Definition of Done

  • Logout button visible in admin UI, properly clears session
  • AUTH_DISABLED=true + NODE_ENV=production causes startup failure
  • No automatic email-based staff linking — requires admin action
  • Rate limiting configured on auth endpoints
  • All existing tests pass

cc @cpfarhood
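The three security-relevant behaviours this PR describes (the AUTH_DISABLED production guard, the explicit manager/super-only staff-user linking that replaces e-mail auto-linking, and the 10-requests-per-minute rate limit) can be modelled in a few functions. The block below is an added example, not code from the groombook repository or from Better Auth; the names assertAuthConfig, linkStaffUser, FixedWindowLimiter and demo, the role names, and the sample staff/user records are assumptions made for this illustration, and Better Auth's own rateLimit option is not reproduced.

```typescript
// Added example (not groombook's or Better Auth's code): a self-contained model
// of the checks described in PR #265. All names and sample data are assumptions.

type Role = "staff" | "manager" | "super";

interface AppEnv {
  NODE_ENV?: string;
  AUTH_DISABLED?: string;
}

// Fail fast at startup: an "auth off" switch must never survive into production.
function assertAuthConfig(env: AppEnv): void {
  const authDisabled = env.AUTH_DISABLED === "true";
  if (authDisabled && env.NODE_ENV === "production") {
    throw new Error("AUTH_DISABLED=true is not permitted when NODE_ENV=production");
  }
}

interface StaffRecord { id: string; email: string; userId: string | null }
interface UserRecord { id: string; email: string }
interface LinkResult { status: number; body: { ok: boolean; message: string; staff?: StaffRecord } }

// Explicit linking only: the caller must be a manager or super user, and the
// target user is named in the request rather than inferred from an e-mail match.
// Mirrors the intent of PATCH /api/staff/:id/link-user.
function linkStaffUser(
  actorRole: Role,
  staffId: string,
  userId: string,
  staff: Map<string, StaffRecord>,
  users: Map<string, UserRecord>,
): LinkResult {
  if (actorRole !== "manager" && actorRole !== "super") {
    return { status: 403, body: { ok: false, message: "forbidden" } };
  }
  const record = staff.get(staffId);
  const user = users.get(userId);
  if (!record || !user) {
    return { status: 404, body: { ok: false, message: "staff or user not found" } };
  }
  if (record.userId !== null && record.userId !== userId) {
    return { status: 409, body: { ok: false, message: "staff already linked to another user" } };
  }
  const linked: StaffRecord = { ...record, userId };
  staff.set(staffId, linked);
  return { status: 200, body: { ok: true, message: "linked", staff: linked } };
}

// Fixed-window limiter modelling the "10 requests per minute" policy per key
// (for example a client IP). The clock is injected so the window is testable.
class FixedWindowLimiter {
  private readonly hits = new Map<string, { windowStart: number; count: number }>();
  private readonly max: number;
  private readonly windowMs: number;

  constructor(max = 10, windowMs = 60_000) {
    this.max = max;
    this.windowMs = windowMs;
  }

  // Returns true when the request is allowed, false when it should get HTTP 429.
  allow(key: string, nowMs: number): boolean {
    const entry = this.hits.get(key);
    if (!entry || nowMs - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { windowStart: nowMs, count: 1 });
      return true;
    }
    if (entry.count >= this.max) return false;
    entry.count += 1;
    return true;
  }
}

// Constructed sample data for a stand-alone run. Staff and user share an e-mail
// on purpose: a matching address alone must not create a link any more.
function demo(): { guardThrows: boolean; staffDenied: number; managerLinked: number; limitedAt: number } {
  let guardThrows = false;
  try { assertAuthConfig({ NODE_ENV: "production", AUTH_DISABLED: "true" }); } catch { guardThrows = true; }

  const staff = new Map<string, StaffRecord>([["s1", { id: "s1", email: "groomer@example.test", userId: null }]]);
  const users = new Map<string, UserRecord>([["u1", { id: "u1", email: "groomer@example.test" }]]);
  const staffDenied = linkStaffUser("staff", "s1", "u1", staff, users).status;     // 403
  const managerLinked = linkStaffUser("manager", "s1", "u1", staff, users).status; // 200

  const limiter = new FixedWindowLimiter(10, 60_000);
  let limitedAt = 0;
  for (let i = 1; i <= 12; i++) {
    if (!limiter.allow("203.0.113.7", 1_000 * i) && limitedAt === 0) limitedAt = i; // 11th request is the first rejected
  }
  return { guardThrows, staffDenied, managerLinked, limitedAt };
}
```

Running demo() shows the guard throwing under production, a plain staff caller receiving 403 while a manager succeeds, and the eleventh request within the minute being the first one refused. The 409 branch keeps an already-linked staff record from being silently re-pointed at a different user.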

lint-roller-qa[bot] (Migrated from github.com) reviewed 2026-04-11 22:57:39 +00:00
github-actions[bot] commented 2026-04-11 23:06:13 +00:00 (Migrated from github.com)

Deployed to groombook-dev

Images: pr-265
URL: https://dev.groombook.farh.net

Ready for UAT validation.
