From 4e487db6f132b960c84db36becda79757f56b22d Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@paperclip.ing>
Date: Wed, 27 May 2026 01:01:28 +0000
Subject: [PATCH 1/2] =?UTF-8?q?fix(GRO-1822):=20add=20role=20check=20befor?=
 =?UTF-8?q?e=20/admin=20redirect=20=E2=80=94=20customers=20access=20portal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

App.tsx lines 389-393 redirected ALL authenticated users to /admin,
breaking customer portal access after SSO login.

Now checks `session.user.role === "staff"` before redirecting.
Customers (role !== "staff") can access the portal at /.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 src/App.tsx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/App.tsx b/src/App.tsx
index ea51314..30d2091 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -386,9 +386,10 @@ export function App() {
     return <Navigate to="/setup" replace />;
   }
 
-  // Redirect authenticated users to /admin (but preserve impersonation flow via ?sessionId=)
+  // Redirect staff to /admin; allow customers to access portal (preserve impersonation via ?sessionId=)
   const searchParams = new URLSearchParams(location.search);
-  if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId")) {
+  const isStaff = session?.user && (session.user as any).role === "staff";
+  if (!authDisabled && session && !location.pathname.startsWith("/admin") && !searchParams.has("sessionId") && isStaff) {
     return <Navigate to="/admin" replace />;
   }
 
-- 
2.52.0


From ad9a178c89187257abdeb660812f844524450bbb Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@paperclip.ing>
Date: Wed, 27 May 2026 02:20:41 +0000
Subject: [PATCH 2/2] fix: add skipWaiting/clientsClaim to VitePWA workbox
 config

Root cause: SW remained in waiting phase after redeploy, serving stale
precached assets. Without skipWaiting/clientsClaim the old SW persisted
and controlled the page even after a new SW was installed.

Fixes blank-page regression where React never mounted on login.
---
 vite.config.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vite.config.ts b/vite.config.ts
index d73c18d..d2c7811 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -39,6 +39,8 @@ export default defineConfig({
         ],
       },
       workbox: {
+        skipWaiting: true,
+        clientsClaim: true,
         globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
         navigateFallbackDenylist: [
           /^\/api\/auth\//,
-- 
2.52.0