From 0f8ad4a36af6f36ad3aafffc3430d6bd7fd7d693 Mon Sep 17 00:00:00 2001 From: schreifuchs Date: Fri, 3 Apr 2026 17:32:09 +0200 Subject: [PATCH] chore: better pre-commit checks --- .husky/pre-commit | 1 + TODO.md | 65 ----------------------------------------------- 2 files changed, 1 insertion(+), 65 deletions(-) delete mode 100644 TODO.md diff --git a/.husky/pre-commit b/.husky/pre-commit index 2463787..00adf63 100644 --- a/.husky/pre-commit +++ b/.husky/pre-commit @@ -1,2 +1,3 @@ pnpm run format pnpm run lint +pnpm run test diff --git a/TODO.md b/TODO.md deleted file mode 100644 index a6ce201..0000000 --- a/TODO.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Project Review & Refactoring TODOs - -This document contains the prioritized list of refactoring tasks, architectural improvements, and testing strategies for the Aktiteil project. - -## 🚨 Must do (Security & Critical Best Practices) - -- [ ] **Fix Critical XSS Vulnerability (`{@html}` without sanitization)** - - **Where:** `src/routes/akti/[aktiId]/+page.svelte` - - **Why:** Rendering user input via `{@html data.akti.body}` without sanitization allows malicious scripts to be injected. - - **Fix:** Use the already installed `sanitize-html` library on the server to sanitize `changeRequest.body` before updating/inserting into the database. - -- [ ] **Move Server-Only Code to `$lib/server`** - - **Where:** `src/lib/auth.ts` - - **Why:** It imports from `./server/db`. Keeping server-side dependencies in the general `$lib` folder risks accidental imports by client components, breaking the Vite build and potentially leaking server logic. - - **Fix:** Move and rename it to `src/lib/server/session.ts` (or `authUtils.ts`) and update imports in `.server.ts` files. - -- [ ] **Fix Action Validation Error Handling** - - **Where:** `src/routes/akti/[aktiId]/+page.server.ts` and `src/routes/akti/[aktiId]/comment/+page.server.ts` - - **Why:** Currently returning `error(400)` on validation failure, which wipes form data and shows a generic error page. - - **Fix:** Use SvelteKit's `fail(400, { message: 'Invalid data' })` to keep the user on the page and preserve their input. - -- [ ] **Fix Hacky Fallback in Auth Query** - - **Where:** `src/lib/auth.ts` -> `getSession()` - - **Why:** Querying the DB with a fallback UUID (`eaf930...`) when email is missing is an anti-pattern. - - **Fix:** Implement an early return (`if (!session?.user?.email) return null;`) before hitting the database. 
- -## 🛠️ Should do (Performance & Architecture) - -- [ ] **Parallelize Database Queries** - - **Where:** `src/routes/akti/[aktiId]/+page.server.ts` (load function) - - **Why:** Queries are running sequentially. - - **Fix:** Use `Promise.all([ db.query.aktis.findFirst(...), db.query.ratings.findMany(...) ])` to run concurrently. - -- [ ] **Implement Pagination / Limit for the Dashboard** - - **Where:** `src/routes/+page.server.ts` - - **Why:** Querying all records joined with ratings will scale poorly. - - **Fix:** Add a `.limit()` clause and consider basic pagination or infinite scrolling. - -- [ ] **Extend Auth.js Types Globally** - - **Where:** `src/app.d.ts` - - **Why:** TypeScript doesn't inherently know `session.user.id` exists, leading to hacky workarounds. - - **Fix:** Override `@auth/sveltekit` Session types in `app.d.ts` to include `id` and `email` strictly. - -- [ ] **Consider Adopting a Form Library** - - **Where:** `src/lib/extractFormData.ts` - - **Why:** Custom form extractors lack instant client-side validation and seamless server-side error mapping. - - **Fix:** Consider switching to `sveltekit-superforms` which integrates well with Valibot. - -## ✨ Nice to have (UX & Polish) - -- [ ] **Clarify File Naming (`auth.ts` vs `auth.ts`)** - - Rename `src/lib/auth.ts` to `session.ts` or similar to distinguish from `src/auth.ts` (Auth.js setup). - -- [ ] **Abstract Heavy Database Queries** - - Move complex aggregations (like computing averages in `src/routes/+page.server.ts`) into a dedicated `src/lib/server/db/queries.ts` file to keep routes clean. - -- [ ] **Clean up Redundant Imports** - - In `src/routes/+layout.server.ts`, change `import { getSession as getSession }` to `import { getSession }`. - -## 🧪 Testing Plan - -- [ ] **Add Playwright (End-to-End Testing)** - - Install Playwright to test SvelteKit server actions, DB integration, and Flowbite forms holistically. 
-- [ ] **Add Vitest + Svelte Testing Library (Unit/Component Testing)** - - Set up Vitest to test UI components (`AktiCard`, `AktiEditor`) and utility functions (`extractFormData`) in isolation.
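Review bot: In the `.husky/pre-commit` hunk, `pnpm run test` is added but nothing in this patch shows that a `test` script exists in `package.json`; the deleted TODO lists Playwright and Vitest only as plan items, so if the script is missing the hook exits non-zero and blocks every commit until someone reaches for `--no-verify`. Confirm the script exists, and note two follow-ups the hook still leaves open: `pnpm run format` rewrites files in the working tree without re-staging them, so the commit can still contain unformatted code (run the formatter via lint-staged, or `git add` the touched files afterwards), and a pre-commit hook is a local convenience only, so the same `format`/`lint`/`test` steps should run in CI for the security-relevant checks to actually gate merges.

Review bot: In the `TODO.md` deletion hunk, the file being removed is the only tracked record of open security items, in particular the unsanitized `{@html data.akti.body}` render in `src/routes/akti/[aktiId]/+page.svelte`, the server-only `src/lib/auth.ts` importing `./server/db` from the client-importable `$lib` folder, and the fallback UUID query in `getSession()`; nothing in this patch fixes them and the commit message ("better pre-commit checks") does not claim to. Unless these are already resolved or tracked elsewhere, move the open items to issues before dropping the file so the XSS fix in particular is not lost.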