fix(GRO-2089): correct Authentik customer credential source in UAT_PLAYBOOK §5.25 #42

Merged
Flea Flicker merged 18 commits from flea/gro-2089-fix-authentik-credential-source into dev 2026-06-02 14:48:03 +00:00

Updates UAT_PLAYBOOK.md §5.25 (Customer Portal — Better Auth SSO Bridge) pre-conditions to point UAT testers at the correct Authentik credential source.

Root cause: the previous §5.25 pre-condition said the Authentik customer password lives in seed-uat-passwords:customer-password. That Secret holds the Better Auth email+password credential — a separate identity store. The actual Authentik uat-customer password lives in authentik-uat-users-credentials:uat_customer_password, provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

Impact: UAT testers (incl. GRO-2026) were pulling the Better Auth value and typing it into the Authentik OIDC login, which rejected it as invalid. This unblocks GRO-2026 verification and any future run of TC-WEB-5.25.* / TC-WEB-5.27.*.

Verified 2026-06-02 against uat.groombook.dev: signing in with the correct Secret value yields Authentik 302 → /api/auth/get-session 200 (userId be0d112b-…) → /api/portal/session-from-auth 201 (clientId c0000001-…, clientName UAT Customer).

No code or infra change. Documentation only. The two Secrets remain intentionally separate (Better Auth and Authentik are different identity stores); only the playbook's pointer was wrong.

Updated UAT_PLAYBOOK §5.25 (Pre-conditions bullet).

Refs GRO-2089.

Flea Flicker added 18 commits 2026-06-02 14:41:40 +00:00
chore: promote dev to uat
chore(GRO-1289): promote dev to uat — add UAT_PLAYBOOK.md
chore: promote dev to uat (CI Docker registry fix) (#10)

Promotes GRO-1348 CI registry fix to UAT.
promote: dev → uat (Renovate config, GRO-1081)

Merge PR #11: dev → uat promotion
Includes: chore: add Renovate config (GRO-1081)
Merge pull request 'promote: dev → uat (GRO-1173 buffer rules + GRO-1470 pet save persistence)' (#14) from dev into uat
CI / Test (push) Successful in 14s
CI / Lint & Typecheck (push) Successful in 19s
CI / Build & Push Docker Image (push) Successful in 9s
62cbfe4e43
promote: dev → uat (GRO-1173 buffer rules + GRO-1470 pet save persistence) (#14)

Merged-By: The Dogfather (CTO)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
chore: promote dev→uat for GRO-1592 SSO session cookie fix
CI / Lint & Typecheck (pull_request) Successful in 17s
CI / Test (pull_request) Successful in 18s
CI / Build & Push Docker Image (pull_request) Failing after 41s
93da2f1dd8
- Fixed frontend auth client baseURL fallback to use window.location.origin
- Added UAT test coverage (TC-AUTH-5.3.4)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request 'chore(GRO-1592): promote dev→uat SSO session cookie fix' (#16) from promote-uat-gro1592 into uat
CI / Test (push) Successful in 12s
CI / Lint & Typecheck (push) Successful in 18s
CI / Build & Push Docker Image (push) Failing after 39s
0306c7fbd9
Add .mcp.json
CI / Test (push) Successful in 20s
CI / Lint & Typecheck (push) Successful in 27s
CI / Build & Push Docker Image (push) Successful in 4m1s
0c41640f59
Merge pull request 'promote: dev → uat (GRO-1757 SSO auto-provision fix)' (#19) from dev into uat
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 33s
CI / Build & Push Docker Image (push) Successful in 14s
CI / Test (pull_request) Successful in 19s
CI / Lint & Typecheck (pull_request) Successful in 24s
CI / Build & Push Docker Image (pull_request) Successful in 15s
8349ea00de
promote: dev → uat (GRO-1757 SSO auto-provision fix)
Merge pull request 'promote: uat → main (GRO-1757 SSO auto-provision fix)' (#21) from uat into main
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 21s
CI / Build & Push Docker Image (push) Successful in 13s
2aad7cb6a0
Merge pull request 'Promote dev → uat (GRO-1793: dynamic time slots)' (#25) from dev into uat
CI / Test (push) Successful in 14s
CI / Lint & Typecheck (push) Successful in 16s
CI / Build & Push Docker Image (push) Failing after 6s
4e3a038bf3
Promote dev → uat: GRO-1793 dynamic portal time slots (#25)
Merge pull request 'chore: promote dev → uat (GRO-1794 booking analytics)' (#27) from dev into uat
CI / Test (push) Successful in 19s
CI / Lint & Typecheck (push) Successful in 22s
CI / Build & Push Docker Image (push) Successful in 12s
87939e5413
Merge dev → uat: GRO-1794 booking funnel analytics events
Merge pull request 'chore: promote dev → uat (GRO-1795 StatusBadge)' (#28) from dev into uat
CI / Lint & Typecheck (push) Successful in 17s
CI / Test (push) Successful in 13s
CI / Build & Push Docker Image (push) Successful in 34s
3b4d0f15f6
Merge PR #28: promote dev → uat (GRO-1795 StatusBadge)
Merge pull request 'chore: promote dev → uat (GRO-1829 SW fix)' (#32) from dev into uat
CI / Test (push) Successful in 13s
CI / Lint & Typecheck (push) Successful in 23s
CI / Build & Push Docker Image (push) Successful in 15s
0e5e9d1f16
Merge: promote dev → uat (GRO-1829 SW fix)
Merge pull request 'Promote dev -> uat: GRO-2011 login-blank fix (+ GRO-1867)' (#37) from dev into uat
CI / Test (push) Successful in 19s
CI / Lint & Typecheck (push) Successful in 23s
CI / Build & Push Docker Image (push) Successful in 10s
bd2a0d9516
Merge pull request 'Promote to UAT: GRO-2012 RescheduleFlow portalSessionId fallback' (#39) from dev into uat
CI / Test (push) Successful in 21s
CI / Lint & Typecheck (push) Successful in 30s
CI / Build & Push Docker Image (push) Successful in 10s
CI / Test (pull_request) Successful in 21s
CI / Lint & Typecheck (pull_request) Successful in 28s
CI / Build & Push Docker Image (pull_request) Successful in 13s
ec29f71974
Merge pull request 'Promote uat → main: GRO-2012 RescheduleFlow portalSessionId fallback' (#40) from uat into main
CI / Test (push) Successful in 23s
CI / Lint & Typecheck (push) Successful in 29s
CI / Build & Push Docker Image (push) Successful in 16s
fdff0977ad
Promote uat → main: GRO-2012 RescheduleFlow portalSessionId fallback

Gate checks:
- UAT: GRO-2023 done (CTO verified, ec29f719)
- Security: GRO-2032 Barkley PASS
- UAT_PLAYBOOK.md: TC-WEB-5.26 present

Fix: CustomerPortal.tsx:329 sessionId={session?.id ?? portalSessionId}
Fix commit: f29f1828c8

Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(GRO-2089): correct Authentik customer credential source in §5.25 pre-conditions
CI / Test (pull_request) Successful in 22s
CI / Lint & Typecheck (pull_request) Successful in 28s
CI / Build & Push Docker Image (pull_request) Successful in 15s
affb697708
The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition
incorrectly stated that the Authentik customer password comes from
seed-uat-passwords:customer-password. That Secret holds the *Better Auth*
email+password credential — a different identity store. The actual Authentik
uat-customer password lives in authentik-uat-users-credentials:uat_customer_password,
provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

UAT testers were using the Better Auth value at the Authentik OIDC step and
getting 401'd, blocking GRO-2026. Verified 2026-06-02: pulling the correct
Secret value, signing in via SSO, and POST /api/portal/session-from-auth all
succeed (returns 201 with valid portal session).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker merged commit 903ce2d675 into dev 2026-06-02 14:48:03 +00:00