groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-05-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
d1ab91adfae3266db4fc1354b6113016da273af8
app/apps/api/src/routes/staff.ts
T
groombook-paperclip[bot] 43e50255ec fix: appointment conflict detection, soft-delete, and auth guardrail (#18-22) 
Fixes five bugs flagged in CEO code review (GitHub issues #18–22):

- #18: Wrap conflict check + insert/update in a DB transaction to
  prevent double-booking race conditions under concurrent load.

- #19: PATCH conflict detection now falls back to the existing
  appointment's staffId when staffId is omitted from the request body,
  so rescheduling always checks for conflicts.

- #20: DELETE endpoint now soft-deletes (status = 'cancelled') instead
  of hard-deleting, preserving audit trail and financial records.

- #21: Staff DELETE checks for existing non-cancelled appointments
  before deleting and returns 409 if any are found, preventing orphaned
  references.

- #22: AUTH_DISABLED=true now logs a startup warning in development and
  calls process.exit(1) in production, preventing accidental auth
  bypass in deployed environments.

Co-authored-by: Groom Book CTO <cto@groombook.app>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-03-17 19:32:24 +00:00

89 lines
2.5 KiB
TypeScript
Raw Blame History

import { Hono } from "hono";
import { zValidator } from "@hono/zod-validator";
import { z } from "zod";
import { and, eq, getDb, ne, staff, appointments } from "@groombook/db";
export const staffRouter = new Hono();
const createStaffSchema = z.object({
name: z.string().min(1).max(200),
email: z.string().email(),
role: z.enum(["groomer", "receptionist", "manager"]).default("groomer"),
oidcSub: z.string().optional(),
active: z.boolean().default(true),
});
const updateStaffSchema = createStaffSchema.partial().omit({ email: true });
staffRouter.get("/", async (c) => {
const db = getDb();
const includeInactive = c.req.query("includeInactive") === "true";
const rows = includeInactive
? await db.select().from(staff).orderBy(staff.name)
: await db.select().from(staff).where(eq(staff.active, true)).orderBy(staff.name);
return c.json(rows);
});
staffRouter.get("/:id", async (c) => {
const db = getDb();
const [row] = await db
.select()
.from(staff)
.where(eq(staff.id, c.req.param("id")));
if (!row) return c.json({ error: "Not found" }, 404);
return c.json(row);
});
staffRouter.post("/", zValidator("json", createStaffSchema), async (c) => {
const db = getDb();
const body = c.req.valid("json");
const [row] = await db.insert(staff).values(body).returning();
return c.json(row, 201);
});
staffRouter.patch("/:id", zValidator("json", updateStaffSchema), async (c) => {
const db = getDb();
const body = c.req.valid("json");
const [row] = await db
.update(staff)
.set({ ...body, updatedAt: new Date() })
.where(eq(staff.id, c.req.param("id")))
.returning();
if (!row) return c.json({ error: "Not found" }, 404);
return c.json(row);
});
staffRouter.delete("/:id", async (c) => {
const db = getDb();
const id = c.req.param("id");
// Prevent deleting staff who have existing non-cancelled appointments (fixes #21).
const activeAppointments = await db
.select({ id: appointments.id })
.from(appointments)
.where(
and(
eq(appointments.staffId, id),
ne(appointments.status, "cancelled"),
ne(appointments.status, "no_show"),
)
)
.limit(1);
if (activeAppointments.length > 0) {
return c.json(
{
error:
"Cannot delete staff member with existing appointments. Reassign or cancel their appointments first.",
},
409
);
}
const [row] = await db
.delete(staff)
.where(eq(staff.id, id))
.returning();
if (!row) return c.json({ error: "Not found" }, 404);
return c.json({ ok: true });
});
Reference in New Issue View Git Blame Copy Permalink