Compare commits

8 Commits

Author SHA1 Message Date
Flea Flicker 1de53f6e8b docs(GRO-1757): add SSO + OOBE test cases to groombook-web UAT_PLAYBOOK
CI / Test (pull_request) Successful in 14s
CI / Lint & Typecheck (pull_request) Successful in 17s
CI / Build & Push Docker Image (pull_request) Successful in 8s
Added §5.4.1 SSO Login Journey (TC-WEB-SSO-1 to 5) covering:
- SSO button visibility, Authentik redirect, valid credentials, post-login dashboard, user identity display

Added §5.4.2 OOBE Flow Post-Login (TC-WEB-OOBE-1 to 5) covering:
- Setup wizard on fresh DB, OIDC config, setup completion, admin panel access, SSO/OOBE interaction

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-25 23:36:52 +00:00
Flea Flicker db892409ef fix(GRO-1633): add buildx network=host and provenance:false to web CI (#17)
CI / Test (push) Successful in 17s
CI / Lint & Typecheck (push) Successful in 19s
CI / Build & Push Docker Image (push) Successful in 9s
2026-05-24 22:08:59 +00:00
The Dogfather c83214cf42 Merge pull request 'fix(GRO-1414): update pet size value from x-large to xlarge' (#12) from fix/gro-1414-pet-size-enum into dev
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 21s
CI / Build & Push Docker Image (push) Failing after 2m20s
fix(GRO-1414): update pet size value from x-large to xlarge (#12)
2026-05-23 18:31:05 +00:00
The Dogfather 80101fc37c Merge pull request 'fix(GRO-1592): fallback auth baseURL to window.location.origin' (#15) from fix/gro-1592-sso-session-cookie into dev
CI / Test (push) Successful in 14s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Image (push) Failing after 39s
2026-05-23 14:13:01 +00:00
Flea Flicker 8ee58471b2 docs(UAT_PLAYBOOK): add TC-AUTH-5.3.4 — SSO cookie after Authentik callback
CI / Test (pull_request) Successful in 14s
CI / Lint & Typecheck (pull_request) Successful in 16s
CI / Build & Push Docker Image (pull_request) Failing after 38s
Documents the acceptance criteria for GRO-1592: after completing
Authentik SSO login without VITE_API_URL set, the
__Secure-better-auth.session_token cookie must be present in the
browser and sent with subsequent /api/* calls.

Updated: UAT_PLAYBOOK.md §5.3

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 14:02:16 +00:00
Flea Flicker 35d31a984d fix(GRO-1592): fallback auth baseURL to window.location.origin
CI / Test (pull_request) Successful in 18s
CI / Lint & Typecheck (pull_request) Successful in 19s
CI / Build & Push Docker Image (pull_request) Failing after 38s
When VITE_API_URL is not set (e.g. in Docker/container deployments
where the env var was never injected), fall back to
window.location.origin so the auth client uses relative URLs and
cookies are sent to the correct origin.

Previously the fallback was empty string "", which caused the auth
client to default to http://localhost:3000 — the nginx sub_filter
workaround only handles strings baked into the JS bundle at build
time, not runtime-constructed URLs.

Fixes: SSO session cookie not set in browser after Authentik callback

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 13:57:47 +00:00
Flea Flicker f1bb7c4fa6 fix(GRO-1414): update pet size value from x-large to xlarge
CI / Test (pull_request) Successful in 14s
CI / Lint & Typecheck (pull_request) Successful in 18s
CI / Build & Push Docker Image (pull_request) Successful in 35s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 06:58:56 +00:00
Scrubs McBarkley f70dd96c65 Merge pull request 'feat: extract groombook/web from monorepo (GRO-903)' (#1) from dev into main
CI / Test (push) Successful in 14s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Image (push) Successful in 14s
feat: extract groombook/web from monorepo (GRO-903)

Bootstrap exception: dev → main

QA: Lint Roller (#2753)
CTO: The Dogfather (#2764)
CI: Lint & Typecheck ✓, Tests ✓, Docker Build ✓
UAT_PLAYBOOK.md: present
2026-05-20 15:26:27 +00:00
4 changed files with 26 additions and 2 deletions
+3
@@ -78,6 +78,8 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Log in to Gitea Container Registry
uses: docker/login-action@v3
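Review bot: `driver-opts: network=host` on the "Set up Docker Buildx" step has no comment saying why the builder needs the runner's host network. With this option the BuildKit builder container runs on the runner's host network, so the build can reach whatever the runner host can reach. Add a one-line comment naming the reason (GRO-1633) so the option can be removed once that reason no longer applies, and confirm the runner does not expose internal services that an untrusted pull request build should not be able to contact.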
@@ -92,6 +94,7 @@ jobs:
context: .
file: Dockerfile
push: true
provenance: false
tags: |
git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
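Review bot: `provenance: false` on the build-and-push step turns off the provenance attestation the build action would otherwise attach to the pushed image, and nothing in the workflow records why. Images under `git.farh.net/groombook/web` will then carry no build attestation for consumers to verify. Add a comment with the reason and the issue id next to the line, and track re-enabling it if the cause is a registry or tooling limitation.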
+21
@@ -69,6 +69,7 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
| TC-AUTH-5.3.1 | Auth client falls back to window.location.origin | Do not set `VITE_API_URL`, load app | Auth client uses `window.location.origin` as base URL |
| TC-AUTH-5.3.2 | Sign-in on localhost | Load app without `VITE_API_URL` on localhost:3000 | Auth client uses `http://localhost:3000` as base URL |
| TC-AUTH-5.3.3 | Sign-in on dev environment | Load app without `VITE_API_URL` on `https://dev.groombook.dev` | Auth client uses `https://dev.groombook.dev` as base URL |
| TC-AUTH-5.3.4 | SSO cookie set after Authentik callback (GRO-1592) | Complete Authentik SSO login on UAT without `VITE_API_URL` set | `__Secure-better-auth.session_token` cookie is present in browser; subsequent `/api/*` calls include the cookie and return 200 |
### 5.4 Session Persistence
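Review bot: TC-AUTH-5.3.4 only asserts that `__Secure-better-auth.session_token` is present and that `/api/*` returns 200; it does not check which origin the cookie is scoped to or which attributes it carries. Since the case exists to catch the cookie landing on the wrong origin, extend the expected column to state that the cookie is set for the app's own origin, that its `Secure` and `HttpOnly` attributes are as intended, and that the auth requests in the network tab go to the same origin as the page. A fail-criteria column, as used in the tables added under 5.4.1 and 5.4.2, would also help here.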
@@ -77,6 +78,26 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
| TC-AUTH-5.4.1 | Session persists across page reload | Sign in, reload page | Session remains active |
| TC-AUTH-5.4.2 | Session clears on sign-out | Sign in, sign out | User is logged out, redirected to login |
### 5.4.1 SSO Login Journey (Authentik OIDC end-to-end)
| # | Scenario | Steps | Pass Criteria | Fail Criteria |
|---|----------|-------|---------------|---------------|
| TC-WEB-SSO-1 | Sign-in page shows SSO button | Navigate to app root URL | Sign-in page displayed with "Sign in with SSO" button visible | No SSO button, 403 before page loads |
| TC-WEB-SSO-2 | Click SSO redirects to Authentik | Click "Sign in with SSO" button | Browser redirected to Authentik login at auth.farh.net | No redirect, error shown, button does nothing |
| TC-WEB-SSO-3 | Valid OIDC credentials authenticate | At Authentik, enter valid credentials and authenticate | Redirected back to app with active session | Redirect loop, 403, session not established |
| TC-WEB-SSO-4 | Post-login dashboard accessible | After SSO flow completes, dashboard loads | Dashboard displays correctly with user identity shown | Blank page, 403, session not active |
| TC-WEB-SSO-5 | User identity displayed correctly | After SSO login, check header/nav | User name/email/initials shown in nav, role reflected in UI | No user indicator, wrong user shown |
### 5.4.2 OOBE Flow Post-Login
| # | Scenario | Steps | Pass Criteria | Fail Criteria |
|---|----------|-------|---------------|---------------|
| TC-WEB-OOBE-1 | Fresh DB shows setup wizard | On fresh DB (no super user), navigate to app | Setup wizard / OOBE screen displayed | Regular login page shown instead of setup |
| TC-WEB-OOBE-2 | Configure OIDC via setup | During OOBE, configure OIDC auth provider via /api/setup/auth-provider | OIDC configured successfully, no 403 | 403 during setup, config rejected |
| TC-WEB-OOBE-3 | Setup completes and redirects | Complete OOBE setup with business name | Redirected to app dashboard as super user, setup bypassed on reload | Setup errors, wrong redirect, setup reappears |
| TC-WEB-OOBE-4 | Admin panel accessible after setup | After completing OOBE, navigate to admin panel | Admin features accessible | 403 on admin panel, insufficient permissions |
| TC-WEB-OOBE-5 | SSO login during OOBE does not interfere | During fresh OOBE, attempt SSO login before completing setup | SSO login redirected appropriately, setup can still complete | Auto-provision creates staff prematurely, setup flow broken |
### 5.5 Dashboard
| # | Scenario | Steps | Expected |
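Review bot: the OOBE table has no negative case for `/api/setup/auth-provider` after setup is complete. TC-WEB-OOBE-2 checks that the endpoint accepts an OIDC configuration on a fresh DB, but nothing verifies that the same call is rejected once a super user exists, which is the case that matters if the setup endpoint is reachable without a session. Add a test case for that, and tighten TC-WEB-OOBE-5, whose pass criterion "SSO login redirected appropriately" does not say where the user should end up. Also, `### 5.4.1` and `### 5.4.2` sit at the same heading level as `### 5.4`, and the section number 5.4.1 collides with the existing case id TC-AUTH-5.4.1; consider `####` headings or renumbering.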
+1 -1
@@ -1,7 +1,7 @@
import { createAuthClient } from "better-auth/react";
export const authClient = createAuthClient({
baseURL: import.meta.env.VITE_API_URL ?? "",
baseURL: import.meta.env.VITE_API_URL || (typeof window !== "undefined" ? window.location.origin : ""),
});
export const { signIn, signOut, useSession, changePassword } = authClient;
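Review bot: the new `baseURL` expression still ends in `: ""` when `window` is undefined, which is the same empty-string value the old line fell back to. If this module is ever evaluated outside a browser (tests, prerendering), the auth client gets an empty base URL again with no error. Either throw or log in that branch, or add a comment stating that it is unreachable in this app. Note also that switching from `??` to `||` means an empty-string `VITE_API_URL` now falls through to `window.location.origin`; that looks intended, but a short comment would make it explicit, and a unit test covering unset, empty and set values would pin the behaviour down.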
+1 -1
@@ -519,7 +519,7 @@ export function BookPage() {
<option value="small">Small (under 15 lbs)</option>
<option value="medium">Medium (1540 lbs)</option>
<option value="large">Large (4080 lbs)</option>
<option value="x-large">X-Large (over 80 lbs)</option>
<option value="xlarge">X-Large (over 80 lbs)</option>
</select>
</div>
<div>
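Review bot: the size values in this `<select>` are hard-coded string literals, so `"xlarge"` can drift from the value the API accepts again without any check failing. Consider taking the option values from a shared constant or type used for the pet size field, and add a test that submits each option so a mismatch is caught before release. If other parts of the app or stored records still use `"x-large"`, they need the same update or a migration.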