From 4213c1f2e7ea0aed91395c4bc37247447b91fc53 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@paperclip.ing>
Date: Wed, 27 May 2026 00:54:07 +0000
Subject: [PATCH] docs(UAT_PLAYBOOK.md): add TC-WEB-SSO-ROLE-* test cases for
 GRO-1822
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add section 5.4.3 covering role-based redirect after SSO login:
- Customer SSO → portal at / (not redirected to /admin)
- Staff SSO → redirect to /admin
- Impersonation bypass via ?sessionId= preserved
- Dev mode unaffected

Refs: GRO-1822
---
 UAT_PLAYBOOK.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index eee0c18..c9a8a42 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -98,6 +98,15 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-WEB-OOBE-4 | Admin panel accessible after setup | After completing OOBE, navigate to admin panel | Admin features accessible | 403 on admin panel, insufficient permissions |
 | TC-WEB-OOBE-5 | SSO login during OOBE does not interfere | During fresh OOBE, attempt SSO login before completing setup | SSO login redirected appropriately, setup can still complete | Auto-provision creates staff prematurely, setup flow broken |
 
+### 5.4.3 Role-Based Redirect After SSO Login (GRO-1822)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-WEB-SSO-ROLE-1 | Customer SSO redirects to portal | Sign in via Authentik as a **customer** account, return to app root `/` | Customer portal is displayed at `/`; URL stays at `/` | Redirects to `/admin`, customer cannot access portal |
+| TC-WEB-SSO-ROLE-2 | Staff SSO redirects to admin | Sign in via Authentik as a **staff** (groomer/manager/receptionist) account, return to app root `/` | Browser redirects to `/admin` | URL stays at `/`, staff cannot reach admin panel |
+| TC-WEB-SSO-ROLE-3 | Impersonation bypasses role redirect | Append `?sessionId=<active-impersonation-id>` to any URL | Impersonation session activates; role redirect is skipped | Role redirect runs despite `?sessionId=`, impersonation blocked |
+| TC-WEB-SSO-ROLE-4 | Dev mode unaffected | Set `AUTH_DISABLED=true`, load app, select a dev user | Dev login selector works; role redirect logic does not interfere | Dev login broken or redirected incorrectly |
+
 ### 5.5 Dashboard
 
 | # | Scenario | Steps | Expected |