k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-20 22:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer

Browse Source 
Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.

Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.

Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.
This commit is contained in:
Maurice
2026-05-30 02:39:26 +02:00
parent 6d2dd37414
commit fc7d8b5d12
347 changed files with 31278 additions and 10381 deletions
Download Patch File Download Diff File Expand all files Collapse all files
shared/src/oauth/oauth.schema.spec.ts
+25
View File
@@ -0,0 +1,25 @@
import { describe, it, expect } from 'vitest';
import { oauthTokenRequestSchema, oauthConsentRequestSchema, oauthClientCreateRequestSchema } from './oauth.schema';
describe('oauthTokenRequestSchema', () => {
it('is permissive across grant types and passes extras through', () => {
expect(oauthTokenRequestSchema.safeParse({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }).success).toBe(true);
expect(oauthTokenRequestSchema.safeParse({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', scope: 'a b' }).success).toBe(true);
expect(oauthTokenRequestSchema.safeParse({}).success).toBe(true);
});
});
describe('oauthConsentRequestSchema', () => {
it('requires the PKCE consent fields + approved flag', () => {
expect(oauthConsentRequestSchema.safeParse({ client_id: 'c', redirect_uri: 'u', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }).success).toBe(true);
expect(oauthConsentRequestSchema.safeParse({ client_id: 'c', redirect_uri: 'u', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256' }).success).toBe(false);
});
});
describe('oauthClientCreateRequestSchema', () => {
it('requires name + allowed_scopes', () => {
expect(oauthClientCreateRequestSchema.safeParse({ name: 'CLI', allowed_scopes: ['trips:read'] }).success).toBe(true);
expect(oauthClientCreateRequestSchema.safeParse({ name: 'CLI' }).success).toBe(false);
expect(oauthClientCreateRequestSchema.safeParse({ allowed_scopes: [] }).success).toBe(false);
});
});
shared/src/oauth/oauth.schema.ts
+44
View File
@@ -0,0 +1,44 @@
import { z } from 'zod';
/**
* OAuth 2.1 server contract for /oauth/* (public) + /api/oauth/* (SPA).
*
* The token endpoint accepts JSON or form-encoded bodies across three grant
* types, so its body stays permissive (the service enforces grant-specific
* rules + the RFC error codes). These schemas pin the consent submit and the
* client-create body the SPA sends.
*/
export const oauthTokenRequestSchema = z
.object({
grant_type: z.string().optional(),
client_id: z.string().optional(),
client_secret: z.string().optional(),
code: z.string().optional(),
redirect_uri: z.string().optional(),
code_verifier: z.string().optional(),
refresh_token: z.string().optional(),
scope: z.string().optional(),
resource: z.string().optional(),
})
.passthrough();
export type OauthTokenRequest = z.infer<typeof oauthTokenRequestSchema>;
export const oauthConsentRequestSchema = z.object({
client_id: z.string(),
redirect_uri: z.string(),
scope: z.string(),
state: z.string().optional(),
code_challenge: z.string(),
code_challenge_method: z.string(),
approved: z.boolean(),
resource: z.string().optional(),
});
export type OauthConsentRequest = z.infer<typeof oauthConsentRequestSchema>;
export const oauthClientCreateRequestSchema = z.object({
name: z.string().min(1),
redirect_uris: z.array(z.string()).optional(),
allowed_scopes: z.array(z.string()),
allows_client_credentials: z.boolean().optional(),
});
export type OauthClientCreateRequest = z.infer<typeof oauthClientCreateRequestSchema>;