groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix invoice status transitions, tip-split validation, refund idempotency, and tip-split response format #278

Merged
the-dogfather-cto[bot] merged 4 commits from fix/gro-637-invoice-refund-fixes into main 2026-04-15 06:04:38 +00:00
Conversation 11 Commits 4 Files Changed 4
+84 -12

4 Commits

Author SHA1 Message Date
Flea Flicker 2573d067e4 fix(api): remove CSRF middleware that breaks POST/PUT/PATCH/DELETE 
The CSRF middleware requires x-csrf-token header but the frontend never
sends it, which would break all mutating operations with 403 errors.

CSRF protection should be implemented in a separate coordinated PR with
frontend changes.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 06:01:22 +00:00
Flea Flicker b903d1e506 fix(api): wire up CSRF middleware for protected routes 
Register csrfMiddleware in the protected API routes after authMiddleware
and resolveStaffMiddleware to protect against CSRF attacks on state-
changing operations (POST, PUT, PATCH, DELETE).

Addresses CTO review feedback on PR #278.
 2026-04-15 06:01:22 +00:00
Flea Flicker 8f06f32e7d fix(invoices): wrap refund flow in transaction for idempotency safety 
- Wrap idempotency check + processRefund() + db.insert() in db.transaction()
- This prevents duplicate Stripe refunds if the DB insert fails after Stripe processes the refund
- Add migration 0027_refunds for the refunds table (was missing)
- Removes out-of-scope changes from PR #278 (csrf.ts, appointmentGroups, appointments, book, groomingLogs, services, stripe-webhooks)

Fixes GRO-637 per CTO review

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 06:01:22 +00:00
Paperclip 85af080ba2 Fix invoice status transitions, tip-split validation, refund idempotency, and tip-split response format 
- Add ALLOWED_TRANSITIONS state machine for invoice status changes (GRO-637)
- Replace floating-point tip-split validation with integer basis-points math
- Add idempotency key support to refund endpoint with new refunds table
- Return full invoice shape from POST /:id/tip-splits matching GET response
- All existing tests pass

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 06:01:22 +00:00