feat(backend): Phase 1 MVP — auth, pantry, recipes, shopping lists, sync API #1

Merged
jdeville05 merged 1 commits from feature/backend-implementation into main 2026-05-11 15:45:15 +00:00

Summary

Backend for Phase 1 of Pantree (Node.js + TypeScript + Express + Postgres + Knex).

Features Implemented

  • Email/password + Google OAuth signup/signin
  • Password reset with HMAC-indexed token lookup
  • Account deletion with 15-day restore window + daily 2 AM UTC hard-delete cron
  • Pantry CRUD with case-insensitive duplicate detection (409)
  • Recipe browse/detail with pantry availability, search, 1×/2×/3× scaling
  • Shopping lists with manual add + add-from-recipes (merge by name + unit)
  • Delta sync endpoint with tombstone tracking
  • Jest + Supertest tests

Blockers Fixed in This PR

  • Auth middleware no longer filters out soft-deleted users — restore-account flow reachable
  • JWT_SECRET now required via requireEnv outside test mode — no silent production default
  • Password reset tokens use indexed HMAC lookup instead of full-table bcrypt scan

Known Issues (Phase 2 Follow-up)

| Severity | Issue |
|----------|-------|
| Major | CORS allows all origins — restrict in production config |
| Major | Recipe filter loads full ingredient table — fine for Phase 1 scale |
| Major | Sync endpoint has N+1 on shopping list items — batch in Phase 2 |
| Minor | updateShoppingListItemSchema Zod .refine() accepts an edge case |

Test Plan

  • ✅ npm test green
  • ⏳ Manual: full auth lifecycle (signup → delete → restore → cron permanent delete)
  • ⏳ Manual: pantry CRUD with case-insensitive dupes
  • ⏳ Manual: recipe filter + scaling
  • ⏳ Manual: add-recipes-to-list merge by name+unit
jdeville05 added 1 commit 2026-05-11 15:44:20 +00:00
jdeville05 merged commit 41fd933642 into main 2026-05-11 15:45:15 +00:00
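
The "indexed HMAC lookup instead of full-table bcrypt scan" item from the description, shown as an added example that is not code from this PR. `ResetTokenStore`, the in-memory `Map` standing in for a uniquely indexed `token_hmac` column, the 30-minute lifetime and the 32-byte key minimum are all assumptions made for illustration.

```typescript
import { createHmac, randomBytes } from "node:crypto";

// Hypothetical row shape; Pantree's real schema is not shown on this page.
interface ResetRow { userId: number; expiresAt: number; usedAt: number | null }

// The Map stands in for a table with a UNIQUE index on the token_hmac column.
class ResetTokenStore {
  private rows = new Map<string, ResetRow>();
  private key: Buffer;
  private ttlMs: number;

  constructor(key: Buffer, ttlMs: number = 30 * 60 * 1000) {
    // Fail closed on a weak key, in the same spirit as requiring JWT_SECRET.
    if (key.length < 32) throw new Error("HMAC key must be at least 32 bytes");
    this.key = key;
    this.ttlMs = ttlMs;
  }

  // HMAC is deterministic, so the digest can be an indexed equality key.
  // A salted bcrypt hash cannot: every row would need its own compare.
  private digest(token: string): string {
    return createHmac("sha256", this.key).update(token, "utf8").digest("hex");
  }

  issue(userId: number, now: number = Date.now()): string {
    // A new request supersedes any outstanding token for the same user.
    this.rows.forEach((row, k) => { if (row.userId === userId) this.rows.delete(k); });
    // 256 random bits: unguessable, so a fast keyed hash is sufficient here.
    const token = randomBytes(32).toString("base64url");
    this.rows.set(this.digest(token), { userId, expiresAt: now + this.ttlMs, usedAt: null });
    return token; // e-mailed to the user; only the digest is stored
  }

  redeem(token: string, now: number = Date.now()): number | null {
    const row = this.rows.get(this.digest(token)); // single indexed lookup
    if (!row || row.usedAt !== null || now >= row.expiresAt) return null;
    row.usedAt = now; // single use
    return row.userId;
  }

  storedDigests(): string[] { return Array.from(this.rows.keys()); }
}
```

Because only the keyed digest is stored, a dump of the table does not yield redeemable tokens unless the HMAC key is also exposed.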
Reference: jdeville05/pantree#1