From 505904d8bd8821afd231a81243b861d96f431a42 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Wed, 27 May 2026 00:53:16 +0000
Subject: [PATCH 1/3] fix(App.tsx): check user role before redirecting to /admin

- Staff users (role !== "customer") continue to redirect to /admin
- Customer users (role === "customer") see the portal at / instead
- Impersonation flow via ?sessionId= remains unaffected
- Dev mode (authDisabled=true) unchanged
Refs: GRO-1822
---
 src/App.tsx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/App.tsx b/src/App.tsx
index ea51314..37e06ef 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -386,9 +386,10 @@ export function App() {
 return ;
 }
- // Redirect authenticated users to /admin (but preserve impersonation flow via ?sessionId=)
+ // Redirect authenticated staff (non-customer) users to /admin (but preserve impersonation flow via ?sessionId=)
 const searchParams = new URLSearchParams(location.search);
- if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId")) {
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Better Auth session.user extends Record; role field is injected by Authentik OIDC
+ if (!authDisabled && session && (session as any)?.user?.role !== "customer" && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId")) {
 return ;
 }
--
2.52.0

From 4213c1f2e7ea0aed91395c4bc37247447b91fc53 Mon Sep 17 00:00:00 2001
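Review bot: The new role test on the added `if` line fails open: `(session as any)?.user?.role !== "customer"` is also true when `role` is undefined, so a session whose OIDC role claim is missing, renamed or not yet mapped is treated as staff and sent to `/admin`, the opposite of what the commit message describes for customers. Require a positive string and treat anything else as a customer: `const role: unknown = (session as any)?.user?.role;` / `const isStaff = typeof role === "string" && role !== "customer";` and use `isStaff` in place of the inline comparison. This check runs in the browser, so it is routing only — the `/admin` routes and the API behind them must still verify the role server-side, and neither this condition nor the `?sessionId=` bypass should be read as an authorization boundary; a one-line comment saying so above the `if` would stop a later reader from assuming it is. The `as any` could also go once the `role` field is declared on the Better Auth session type through its additional-fields inference. The enclosing `App()` begins before this hunk.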
From: Flea Flicker
Date: Wed, 27 May 2026 00:54:07 +0000
Subject: [PATCH 2/3] docs(UAT_PLAYBOOK.md): add TC-WEB-SSO-ROLE-* test cases for GRO-1822
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add section 5.4.3 covering role-based redirect after SSO login:
- Customer SSO → portal at / (not redirected to /admin)
- Staff SSO → redirect to /admin
- Impersonation bypass via ?sessionId= preserved
- Dev mode unaffected
Refs: GRO-1822
---
 UAT_PLAYBOOK.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index eee0c18..c9a8a42 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -98,6 +98,15 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-WEB-OOBE-4 | Admin panel accessible after setup | After completing OOBE, navigate to admin panel | Admin features accessible | 403 on admin panel, insufficient permissions |
 | TC-WEB-OOBE-5 | SSO login during OOBE does not interfere | During fresh OOBE, attempt SSO login before completing setup | SSO login redirected appropriately, setup can still complete | Auto-provision creates staff prematurely, setup flow broken |
+### 5.4.3 Role-Based Redirect After SSO Login (GRO-1822)
+
+| # | Scenario | Steps | Pass Criteria | Fail Criteria |
+|---|----------|-------|---------------|---------------|
+| TC-WEB-SSO-ROLE-1 | Customer SSO redirects to portal | Sign in via Authentik as a **customer** account, return to app root `/` | Customer portal is displayed at `/`; URL stays at `/` | Redirects to `/admin`, customer cannot access portal |
+| TC-WEB-SSO-ROLE-2 | Staff SSO redirects to admin | Sign in via Authentik as a **staff** (groomer/manager/receptionist) account, return to app root `/` | Browser redirects to `/admin` | URL stays at `/`, staff cannot reach admin panel |
+| TC-WEB-SSO-ROLE-3 | Impersonation bypasses role redirect | Append `?sessionId=` to any URL | Impersonation session activates; role redirect is skipped | Role redirect runs despite `?sessionId=`, impersonation blocked |
+| TC-WEB-SSO-ROLE-4 | Dev mode unaffected | Set `AUTH_DISABLED=true`, load app, select a dev user | Dev login selector works; role redirect logic does not interfere | Dev login broken or redirected incorrectly |
+
 ### 5.5 Dashboard
 | # | Scenario | Steps | Expected |
--
2.52.0

From 85294b108d28828cbb967f6433d2de9bad420923 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Wed, 27 May 2026 02:20:41 +0000
Subject: [PATCH 3/3] fix: add skipWaiting/clientsClaim to VitePWA workbox config

Root cause: SW remained in waiting phase after redeploy, serving stale precached assets. Without skipWaiting/clientsClaim the old SW persisted and controlled the page even after a new SW was installed.

Fixes blank-page regression where React never mounted on login.
---
 vite.config.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vite.config.ts b/vite.config.ts
index d73c18d..d2c7811 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -39,6 +39,8 @@ export default defineConfig({
 ],
 },
 workbox: {
+ skipWaiting: true,
+ clientsClaim: true,
 globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
 navigateFallbackDenylist: [
 /^\/api\/auth\//,
--
2.52.0
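Review bot: `skipWaiting: true` and `clientsClaim: true` make each newly installed service worker take over tabs that are already open, so a tab still running the previous build can request a lazy chunk that is no longer in the new precache manifest and get a 404 — the same blank-page symptom the commit fixes, just moved to whichever tab was open during the deploy. As far as I recall vite-plugin-pwa already sets both flags when `registerType: "autoUpdate"` is combined with the generateSW strategy (the `registerType` setting is not in this hunk), so either these two lines are redundant or they silently turn the default `"prompt"` flow into a forced takeover; the intent belongs in `registerType` rather than in the workbox block. If immediate takeover is the goal, the registration code should also reload on `navigator.serviceWorker.addEventListener("controllerchange", () => location.reload())` so open tabs pick up the new asset set, and a `// Forces immediate SW takeover on deploy; clients reload on controllerchange` comment above the two lines would record why they are here. The `defineConfig({ ... })` object starts before and continues past this hunk.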