k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-22 23:01:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Finish the NestJS migration — drop the legacy Express app

Browse Source 
NestJS now serves the whole surface: every /api domain plus the platform
routes (uploads, /mcp, the OAuth/MCP SDK + /.well-known metadata and the
production SPA fallback). Removed server/src/app.ts, all of
server/src/routes/* and the strangler dispatcher; index.ts and the
integration suite share a single buildApp() bootstrap so prod and tests
can't drift.

- Platform/transport routes extracted to nest/platform/platform.routes.ts
  and mounted before app.init() — Nest's router answers an unmatched
  request with a 404, so a route registered after init is never reached.
  The SPA fallback is a NotFoundException filter and the catch-all uses a
  RegExp (Express 5's path-to-regexp rejects a bare '*').
- New modules: memories (/api/integrations/memories — the Journey
  gallery's Immich/Synology proxy), addons (GET /api/addons) and the
  cross-trip GET /api/reservations/upcoming.
- TrekExceptionFilter reproduces the old multer / err.statusCode handling
  so upload rejections keep their 400/413 { error } body and non-ASCII
  filenames survive (defParamCharset).
- addTripToJourney and the MCP get_journey_share_link tool gained the
  trip-access check they were missing.
- Re-pointed the 34 integration tests + the websocket test onto the Nest
  app; removed the now-meaningless Express-vs-Nest parity tests and a few
  orphaned client components.
This commit is contained in:
Maurice
2026-05-31 13:29:22 +02:00
parent fc7d8b5d12
commit bfe52579df
138 changed files with 2289 additions and 12666 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/tests/unit/services/journeyService.test.ts
+25 -1
View File
@@ -17,7 +17,15 @@ const { testDb, dbMock } = vi.hoisted(() => {
closeDb: () => {},
reinitialize: () => {},
getPlaceWithTags: () => null,
canAccessTrip: () => null,
// Mirror the real canAccessTrip semantics against the test DB (owner or member
// → truthy access row, else undefined) so addTripToJourney's trip-access guard
// behaves as in production. (Was an unused `() => null` stub before the guard existed.)
canAccessTrip: (tripId: number | string, userId: number) =>
db
.prepare(
'SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)',
)
.get(userId, tripId, userId),
isOwner: () => false,
};
return { testDb: db, dbMock: mock };
@@ -417,6 +425,22 @@ describe('addTripToJourney / removeTripFromJourney', () => {
expect(link).toBeDefined();
});
it('JOURNEY-SVC-024b: refuses to link a trip the caller cannot access (IDOR guard)', () => {
const { user } = createUser(testDb);
const { user: stranger } = createUser(testDb);
const journey = createJourney(testDb, user.id);
// A trip owned by someone else, that `user` is not a member of.
const foreignTrip = createTrip(testDb, stranger.id, { title: "Stranger's Trip" });
const result = addTripToJourney(journey.id, foreignTrip.id, user.id);
expect(result).toBe(false);
const link = testDb.prepare(
'SELECT * FROM journey_trips WHERE journey_id = ? AND trip_id = ?'
).get(journey.id, foreignTrip.id);
expect(link).toBeUndefined();
});
it('JOURNEY-SVC-025: syncs places as skeleton entries when linking a trip', () => {
const { user } = createUser(testDb);
const journey = createJourney(testDb, user.id);