Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer

Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.

Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.

Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.
Maurice
2026-05-30 02:39:26 +02:00
parent 6d2dd37414
commit fc7d8b5d12
347 changed files with 31278 additions and 10381 deletions
@@ -467,6 +467,31 @@ describe('Forced MFA policy', () => {
const res = await request(app).get('/api/trips').set(authHeader(user.id));
expect(res.status).toBe(200);
});
it('AUTH-020 — require_mfa guards nested Nest addon controllers, not just top-level routes', async () => {
// The global MFA middleware runs ahead of the Express→Nest dispatch, so it
// must block the deeper trip-scoped controllers (budget/packing/todo) too —
// not only /api/trips. A regression that only guarded top-level paths would
// leave every addon endpoint reachable without MFA.
const { user } = createUser(testDb);
const trip = createTrip(testDb, user.id);
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('require_mfa', 'true')").run();
for (const path of [`/api/trips/${trip.id}/budget`, `/api/trips/${trip.id}/packing`, `/api/trips/${trip.id}/todo`]) {
const res = await request(app).get(path).set(authHeader(user.id));
expect(res.status, `${path} must be MFA-gated`).toBe(403);
expect(res.body.code).toBe('MFA_REQUIRED');
}
});
it('AUTH-020 — MFA-enabled user reaches nested Nest addon controllers under require_mfa', async () => {
const { user } = createUserWithMfa(testDb);
const trip = createTrip(testDb, user.id);
testDb.prepare("INSERT INTO app_settings (key, value) VALUES ('require_mfa', 'true')").run();
const res = await request(app).get(`/api/trips/${trip.id}/budget`).set(authHeader(user.id));
expect(res.status).toBe(200);
});
});
// ─────────────────────────────────────────────────────────────────────────────
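Review bot: the positive case in the second AUTH-020 test only exercises `/api/trips/${trip.id}/budget`, while the negative case loops over budget, packing and todo; a regression in how the MFA middleware passes an MFA-enabled user through to the packing or todo controllers would not be caught. Suggest iterating the same three-path list in the positive test, for example `for (const path of [...]) { const res = await request(app).get(path).set(authHeader(user.id)); expect(res.status, `${path} must pass for an MFA-enabled user`).toBe(200); }`, so parity is asserted for every nested controller the comment names. Minor: both `it` blocks carry the same AUTH-020 identifier; giving the positive case its own id (or a suffix) keeps failure reports unambiguous. Both tests also `INSERT` the `require_mfa` row unconditionally; if `app_settings.key` is unique and the suite does not clear the table between tests, the second insert would fail before the assertion runs, so it is worth confirming the reset in the surrounding `beforeEach` or using an upsert.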