fix(App.tsx): check user role before redirecting to /admin #29

Closed
The Dogfather wants to merge 3 commits from ccfa5281-2076-40c2-87a9-bf2dbcf98d22/gro-1822-role-based-redirect into dev
Member

Summary

  • Staff users (role !== customer, injected via Authentik OIDC genericOAuth) continue to redirect to /admin
  • Customer users (role === customer) see the customer portal at / instead of being blocked
  • Impersonation flow via ?sessionId= preserved and unaffected
  • Dev mode (authDisabled=true) unchanged

Test plan

  • Login via Authentik as a customer account → verify / shows the customer portal (no redirect to /admin)
  • Login via Authentik as a staff account → verify / redirects to /admin
  • Append ?sessionId=<impersonation-id> to any URL → verify impersonation works
  • Disable auth (authDisabled=true) → verify dev login selector still works

Acceptance criteria

  • Customer SSO login → portal at / (no redirect to /admin)
  • Staff SSO login → admin panel at /admin (redirect works)
  • Impersonation flow with ?sessionId= still works
  • Dev mode unaffected (authDisabled=true)

cc @cpfarhood

The Dogfather added 1 commit 2026-05-27 00:53:54 +00:00
fix(App.tsx): check user role before redirecting to /admin
CI / Test (pull_request) Successful in 22s
CI / Lint & Typecheck (pull_request) Successful in 26s
CI / Build & Push Docker Image (pull_request) Successful in 45s
505904d8bd
- Staff users (role !== "customer") continue to redirect to /admin
- Customer users (role === "customer") see the portal at / instead
- Impersonation flow via ?sessionId= remains unaffected
- Dev mode (authDisabled=true) unchanged

Refs: GRO-1822
Flea Flicker added 1 commit 2026-05-27 00:54:08 +00:00
docs(UAT_PLAYBOOK.md): add TC-WEB-SSO-ROLE-* test cases for GRO-1822
CI / Test (pull_request) Successful in 15s
CI / Lint & Typecheck (pull_request) Successful in 17s
CI / Build & Push Docker Image (pull_request) Successful in 34s
4213c1f2e7
Add section 5.4.3 covering role-based redirect after SSO login:
- Customer SSO → portal at / (not redirected to /admin)
- Staff SSO → redirect to /admin
- Impersonation bypass via ?sessionId= preserved
- Dev mode unaffected

Refs: GRO-1822
Flea Flicker added 1 commit 2026-05-27 02:20:46 +00:00
fix: add skipWaiting/clientsClaim to VitePWA workbox config
CI / Test (pull_request) Successful in 13s
CI / Lint & Typecheck (pull_request) Successful in 25s
CI / Build & Push Docker Image (pull_request) Successful in 50s
85294b108d
Root cause: SW remained in waiting phase after redeploy, serving stale
precached assets. Without skipWaiting/clientsClaim the old SW persisted
and controlled the page even after a new SW was installed.

Fixes blank-page regression where React never mounted on login.
Author
Member

Closing as superseded.

The role-based redirect fix for GRO-1822 was merged to `dev` via PR #30. The current `dev` branch already contains the staff/customer redirect guard in `src/App.tsx`:

```tsx
const isStaff = session?.user && (session.user as any).role === "staff";
if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId") && isStaff) {
  return <Navigate to="/admin" replace />;
}
```

Deployment to UAT tracked under GRO-1824 (done). Closed as part of GRO-1847 hygiene sweep.

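As an added example (not code from this repository or from PR #30): the guard quoted in the closing comment, factored into a pure function so that each branch of the original `if` (dev mode, no session, already under `/admin`, `?sessionId=` impersonation, role check) can be unit tested without rendering the router. The `Session` shape, the role strings and all function names below are assumptions for illustration. It also makes visible that the PR description tests staff as `role !== customer` while the merged snippet tests `role === "staff"`; the two agree for the values `staff` and `customer` but differ for a user whose role claim is missing or carries some third value.

```typescript
// Added example, not the project's code. Session shape, role strings and
// function names are assumptions for illustration.

interface SessionUser {
  id: string;
  // Role claim injected by the OIDC provider; absent if the IdP sent none.
  role?: string;
}

interface Session {
  user?: SessionUser;
}

interface GuardInput {
  session: Session | null;
  authDisabled: boolean;
  pathname: string; // current route, e.g. "/" or "/admin/users"
  search: string;   // raw query string including the leading "?", or ""
}

// Minimal query-string check, standing in for searchParams.has(name).
function hasQueryParam(search: string, name: string): boolean {
  return search
    .replace(/^\?/, "")
    .split("&")
    .filter((pair) => pair.length > 0)
    .some((pair) => decodeURIComponent(pair.split("=")[0]) === name);
}

// Mirrors the merged guard: redirect only when every condition of the original
// `if` holds. Returning the target instead of <Navigate/> keeps it testable.
function redirectTargetFor(input: GuardInput): "/admin" | null {
  if (input.authDisabled) return null;                      // dev mode: never redirect
  if (!input.session?.user) return null;                     // not logged in
  if (input.pathname.startsWith("/admin")) return null;      // already in the admin panel
  if (hasQueryParam(input.search, "sessionId")) return null; // impersonation stays on the portal
  return input.session.user.role === "staff" ? "/admin" : null;
}

// The predicate as the PR description states it: anyone who is not a customer.
function isStaffByExclusion(session: Session | null): boolean {
  return Boolean(session?.user) && session?.user?.role !== "customer";
}

// True when the two formulations would route this session differently.
function guardsDisagree(session: Session | null): boolean {
  const explicitStaff =
    redirectTargetFor({ session, authDisabled: false, pathname: "/", search: "" }) === "/admin";
  return explicitStaff !== isStaffByExclusion(session);
}
```

Whichever predicate is chosen, this guard only decides which screen the browser renders. The server still has to authorize every `/admin` request on its own, and the `?sessionId=` branch only suppresses the client-side redirect; whether that impersonation session is valid has to be checked where the session is resolved, not here.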
The Dogfather closed this pull request 2026-05-29 08:35:25 +00:00
