Fix invoice status transitions, tip-split validation, refund idempotency, and tip-split response format #278
@@ -25,7 +25,6 @@ import { setupRouter } from "./routes/setup.js";
|
|||||||
import { getDb, businessSettings, eq, staff } from "@groombook/db";
|
import { getDb, businessSettings, eq, staff } from "@groombook/db";
|
||||||
import { authMiddleware } from "./middleware/auth.js";
|
import { authMiddleware } from "./middleware/auth.js";
|
||||||
import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
|
import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
|
||||||
import { csrfMiddleware } from "./middleware/csrf.js";
|
|
||||||
import { devRouter } from "./routes/dev.js";
|
import { devRouter } from "./routes/dev.js";
|
||||||
import { adminSeedRouter } from "./routes/admin/seed.js";
|
import { adminSeedRouter } from "./routes/admin/seed.js";
|
||||||
import { startReminderScheduler } from "./services/reminders.js";
|
import { startReminderScheduler } from "./services/reminders.js";
|
||||||
@@ -106,7 +105,6 @@ app.get("/api/auth/providers", async (c) => {
|
|||||||
const api = app.basePath("/api");
|
const api = app.basePath("/api");
|
||||||
api.use("*", authMiddleware);
|
api.use("*", authMiddleware);
|
||||||
api.use("*", resolveStaffMiddleware);
|
api.use("*", resolveStaffMiddleware);
|
||||||
api.use("*", csrfMiddleware);
|
|
||||||
|
|
||||||
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
|
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
|
||||||
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
|
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
|
||||||
|
|||||||
@@ -1,18 +0,0 @@
|
|||||||
import type { MiddlewareHandler } from "hono";
|
|
||||||
import type { AppEnv } from "./rbac.js";
|
|
||||||
|
|
||||||
const CSRF_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];
|
|
||||||
|
|
||||||
export const csrfMiddleware: MiddlewareHandler<AppEnv> = async (c, next) => {
|
|
||||||
if (CSRF_SAFE_METHODS.includes(c.req.method)) {
|
|
||||||
await next();
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
const csrfHeader = c.req.header("x-csrf-token");
|
|
||||||
if (!csrfHeader) {
|
|
||||||
return c.json({ error: "CSRF token required" }, 403);
|
|
||||||
}
|
|
||||||
|
|
||||||
await next();
|
|
||||||
};
|
|
||||||
Reference in New Issue
Block a user