Jason Woltje
df4b7399ad
The admin page role check was failing because better-auth v1.5.5 doesn't automatically include additionalFields (like 'role') in the session response. This caused the admin guard to treat all users as non-admin and redirect them. The fix implements a defensive fallback in the AdminGuard that fetches the role from the database if it's missing from the session, ensuring that admin users can access the admin panel while protecting against regression. Fixes #196
1.4 KiB
1.4 KiB
BUG-196: Admin Page Redirect Issue
Problem
Admin page redirects to /chat for users with admin role because role check fails.
Root Cause
The role field is defined as an additionalField in better-auth's user configuration, but
better-auth v1.5.5 does not automatically include additionalFields in the session response from
the getSession() API. This causes the admin role check to fail:
- Frontend:
AdminRoleGuardchecksuser?.role !== 'admin' - Backend:
AdminGuardchecksuser.role !== 'admin' - When
roleisundefined, both checks treat the user as non-admin and deny access
Solution
Implemented a defensive check in the backend AdminGuard that:
- First tries to use the
rolefield from the session (if better-auth includes it) - Falls back to fetching the role directly from the database if it's missing
- Defaults to 'member' if the user has no role set
This ensures that admin users can always access the admin panel, and also protects against the case where better-auth doesn't include the additionalField in future versions.
Files Changed
/apps/gateway/src/admin/admin.guard.ts- Added fallback role lookup/packages/auth/src/auth.ts- No changes needed (better-auth config is correct)
Verification
- All three quality gates pass:
typecheck,lint,format:check - Backend admin guard now explicitly handles missing role field
- Frontend admin guard remains unchanged (will work once role is available)