b6d6de265b
Implements the §12 bootstrap from docs/mobile-app-plan.md. Backend (§6): - auth: optional returnToken flag on login returns the JWT in the body (data.authToken) for native Keychain/Keystore + Bearer; web cookie flow unchanged. - main.ts: explicit CORS allowlist (APP_URL + CORS_ALLOWED_ORIGINS env + Capacitor WebView origins), credentials enabled, replaces open enableCors(). - optional OpenAPI/Swagger at /api/docs behind SWAGGER_ENABLED. - env: CORS_ALLOWED_ORIGINS, SWAGGER_ENABLED, CAP_SERVER_URL. PWA: - manifest metadata, hand-rolled service worker (network-first nav, SWR assets, never intercepts /api,/socket.io,/collab), prod-only registration, apple-touch-icon. Capacitor: - capacitor.config.ts (webDir apps/client/dist; iOS via CAP_SERVER_URL to avoid bundling the AGPL client in the .ipa, see plan §9), cap:* scripts, deps, .gitignore for native dirs. - docs/mobile-bootstrap.md documenting what is done and the remaining manual steps (cap add ios/android, APNs/FCM, stores). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2.8 KiB
2.8 KiB
Mobile app bootstrap
Purpose: this document records what has been bootstrapped in the repo to enable a mobile app for Gitmost, per the first-step checklist in docs/mobile-app-plan.md section 12.
What is in the repo now
- PWA: web app manifest, a hand-rolled service worker, and production-only service worker registration in the client. This lets the existing responsive web UI be installed and run as a Progressive Web App.
- Backend mobile auth: opt-in token return from the login flow. The login
request accepts a
returnTokenflag (must be sent as a JSON boolean) that makes the server include the auth token in the response body, and the server already accepts aBearertoken in theAuthorizationheader. Note the global response interceptor wraps every payload, so the native client reads the token atresponse.data.authToken(not at the top level). A native client can store this token (Keychain / Keystore) and send it asAuthorization: Beareron each request. - Explicit CORS allowlist: the server reads a
CORS_ALLOWED_ORIGINSenv variable for the allowed origins, and always allows the native WebView origins (capacitor://localhost,ionic://localhost,http://localhost,https://localhost) so the mobile shell can call the API. - Optional OpenAPI / Swagger: an opt-in OpenAPI/Swagger surface gated behind
the
SWAGGER_ENABLEDenv flag, useful for developing the native client. - Capacitor config: capacitor.config.ts at the
repo root. It targets the
apps/clientweb build output (apps/client/dist) for the Android bundled mode, and on iOS loads the client from a hosted server viaCAP_SERVER_URL(server.url) so the AGPL web client is not bundled into the.ipa(see mobile-app-plan section 9).
Remaining MANUAL / local steps (require Xcode / external accounts, out of scope here)
- Run
pnpm installto fetch the Capacitor packages and@nestjs/swagger. - Run
pnpm run client:buildto produce the web build inapps/client/dist. - Run
npx cap add iosand/ornpx cap add androidto generate the native platform projects (these live outside version control; see.gitignore). - Set
CAP_SERVER_URLfor the iOS build so the shell loads the hosted client (AGPL-clean), then runpnpm run mobile:build/cap sync. - Set up push notifications: APNs for iOS and FCM for Android.
- Obtain an Apple Developer account and the App Store / Play Console listings.
- Confirm the AGPL iOS distribution decision (mobile-app-plan section 9) before shipping anything to the App Store.
See also
For the full background, rationale, and the licensing analysis, see docs/mobile-app-plan.md (section 12 for the bootstrap checklist, section 9 for the AGPL / App Store licensing path).