groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(GRO-564): Better Auth Phase 2 Security Hardening #265

Merged
groombook-engineer[bot] merged 5 commits from feature/gro-564-better-auth-security-hardening into main 2026-04-11 23:07:37 +00:00
Conversation 2 Commits 5 Files Changed 4
+65 -22

5 Commits

Author SHA1 Message Date
Paperclip bbe95df9ca merge: resolve conflict with main for GRO-564 security hardening 
Keep rate limiting config from feature branch during merge with main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 22:59:50 +00:00
Paperclip 1380d5a9d3 feat(GRO-564): Better Auth Phase 2 security hardening 
- Add logout button to admin layout header (signOut from better-auth)
- AUTH_DISABLED production guard already present in auth.ts middleware
- Remove automatic email-based staff-user linking (security fix)
- Add PATCH /api/staff/:id/link-user endpoint for manual linking by admins
- Add rate limiting to Better Auth (10 req/min, database storage)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 22:53:00 +00:00
Paperclip 8002a3db96 fix(GRO-563): stabilize OAuth login - upgrade better-auth, fix service worker, add 503 handling 
- apps/web: upgrade better-auth from ^1.0.0 to ^1.5.6 (matches API)
- apps/web/vite.config.ts: exclude /api/auth/* from service worker caching
- apps/api/index.ts: return 503 when auth not configured
- apps/api/middleware/auth.ts: return 503 when auth not initialized

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 20:35:10 +00:00
Paperclip 88e6845027 chore: update infra submodule to include social auth env vars (GRO-545) 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 18:13:24 +00:00
Paperclip 085c8b9cfa fix(GRO-545): switch OAuth state to cookie storage and add login error display 
The OAuth callback was failing with "please_restart_the_process" because
Better-Auth's default DB-backed state (verification table) was unreliable —
the UAT hourly reset wipes all tables including verification records. Switch
to cookie-based state storage so the encrypted state survives in the browser
cookie across the redirect flow.

Also removes explicit redirectURI from socialProviders (Better-Auth derives
it from baseURL) and adds visible error feedback on the login page when
OAuth callbacks fail.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 18:01:59 +00:00