feat(mobile): bootstrap mobile app (PWA + Capacitor + backend auth/CORS) #116

Closed
Ghost wants to merge 2 commits from feature/mobile-app-bootstrap into develop

2 Commits

Author SHA1 Message Date
claude_code
92d03f1ff6 test(server): cover returnToken body opt-in and CORS/Swagger env parsers
Close the two "[test coverage]" review gaps on PR #116 (mobile bootstrap):

- auth.controller.spec.ts: unit-test AuthController.login() returnToken
  branches via direct instantiation. returnToken:true returns exactly
  { authToken } alongside the httpOnly cookie; omitted/explicit-false return
  strictly undefined (the token must never leak into the response body for
  web clients) while the cookie is still set.
- environment.service.spec.ts: table-driven tests for getCorsAllowedOrigins()
  (split/trim/filter of CORS_ALLOWED_ORIGINS) and isSwaggerEnabled()
  (case-insensitive SWAGGER_ENABLED === 'true'), the two parsers feeding the
  CORS allowlist and Swagger exposure trust boundaries.

Tests only; no production code changed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 17:05:35 +03:00
claude_code
9319bc7356 feat(mobile): bootstrap mobile app (PWA + Capacitor + backend auth/CORS)
Implements the §12 bootstrap from docs/mobile-app-plan.md.

Backend (§6):
- auth: optional returnToken flag on login returns the JWT in the body
  (data.authToken) for native Keychain/Keystore + Bearer; web cookie flow
  unchanged.
- main.ts: explicit CORS allowlist (APP_URL + CORS_ALLOWED_ORIGINS env +
  Capacitor WebView origins), credentials enabled, replaces open enableCors().
- optional OpenAPI/Swagger at /api/docs behind SWAGGER_ENABLED.
- env: CORS_ALLOWED_ORIGINS, SWAGGER_ENABLED, CAP_SERVER_URL.

PWA:
- manifest metadata, hand-rolled service worker (network-first nav, SWR
  assets, never intercepts /api,/socket.io,/collab), prod-only registration,
  apple-touch-icon.

Capacitor:
- capacitor.config.ts (webDir apps/client/dist; iOS via CAP_SERVER_URL to
  avoid bundling the AGPL client in the .ipa, see plan §9), cap:* scripts,
  deps, .gitignore for native dirs.
- docs/mobile-bootstrap.md documenting what is done and the remaining manual
  steps (cap add ios/android, APNs/FCM, stores).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 14:08:29 +03:00
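
The two env parsers and the credentialed CORS allowlist described in the commit messages above, as an added TypeScript example that is not code from this PR. The function names, the `example.test` origins and the listed Capacitor WebView origins are assumptions, as is dropping `*` and `null` from the allowlist.

```typescript
// Added example; hypothetical helpers, not the project's EnvironmentService.
// Assumed Capacitor WebView default origins (iOS scheme, Android http/https).
const CAPACITOR_ORIGINS: string[] = [
  'capacitor://localhost',
  'http://localhost',
  'https://localhost',
];

// split/trim/filter of the comma-separated CORS_ALLOWED_ORIGINS value.
function parseCorsAllowedOrigins(raw: string | undefined): string[] {
  return (raw || '')
    .split(',')
    .map((o) => o.trim())
    .filter((o) => o.length > 0);
}

// Case-insensitive SWAGGER_ENABLED === 'true'; any other value keeps docs off.
function isSwaggerEnabled(raw: string | undefined): boolean {
  return (raw || '').toLowerCase() === 'true';
}

// APP_URL + env entries + Capacitor origins, deduplicated. '*' and 'null' are
// dropped (assumption): with credentials enabled they must never match.
function buildCorsAllowlist(appUrl: string, rawEnv: string | undefined): string[] {
  const candidates = [appUrl.trim()]
    .concat(parseCorsAllowedOrigins(rawEnv))
    .concat(CAPACITOR_ORIGINS);
  return candidates.filter(
    (o, i) => o !== '' && o !== '*' && o !== 'null' && candidates.indexOf(o) === i,
  );
}

// Exact-match decision for a request's Origin header. A missing header means
// the request is not a cross-origin browser request, so CORS does not apply.
function isOriginAllowed(origin: string | undefined, allowlist: string[]): boolean {
  if (origin === undefined) return true;
  return allowlist.indexOf(origin) !== -1;
}
```

Exact string matching is what keeps a lookalike such as `https://a.example.test.evil.test` from passing, which a prefix or substring check would let through.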