Enable strictNullChecks and remediate null-safety issues in backend #137

Closed
rendall wants to merge 5 commits into master from check-phase-4.2-checklist-for-type-safety

@rendall (Owner) commented Mar 3, 2026

Motivation

  • Progress Phase 4.2 by enabling strictNullChecks for functions compilation to catch nullability issues early.
  • Record the Phase 4.3 gate decision to evaluate broader strict escalation after completing null-safe remediations.

Description

  • Enable strictNullChecks in tsconfig.netlify.functions.json while keeping noImplicitAny enabled.
  • Mark Phase 4.2 checklist items complete in docs/plans/phase-4_2-checklist.md and add a Phase 4.3 gate note to docs/plans/phase-04-type-safety-and-env-handling.md describing the next evaluation step.
  • Fix nullability in request handling by using toDefinedHeaders(event.headers) result in src/functions/auth.ts when extracting credentials.
  • Harden password flow in src/lib/MongodbService.ts by checking for missing user.hash before calling comparePassword.
  • Make JWT secret usage explicitly typed in src/lib/crypt.ts by casting process.env.JWT_SECRET to jwt.Secret in getAuthToken.
  • Tighten success typing for no-content responses in src/lib/messages.ts by declaring success204NoContent: Success<undefined>.

Testing

  • Ran yarn run typecheck and it completed green after the null-safety fixes.
  • Ran yarn test:backend and it passed.
  • Ran yarn test:frontend and it passed.

Codex Task

Copilot AI left a comment

Pull request overview

This PR advances Phase 4.2 of the backend type-safety plan by enabling strictNullChecks in the Netlify Functions TypeScript config and remediating the nullability issues that surfaced from the compiler after that flag was turned on.

Changes:

  • Enable strictNullChecks in tsconfig.netlify.functions.json (keeping noImplicitAny, leaving full strict off).
  • Harden null-safety in runtime code: use toDefinedHeaders-narrowed headers in auth.ts, guard user.hash before calling comparePassword in MongodbService.ts, cast JWT_SECRET to jwt.Secret in crypt.ts, and tighten the success204NoContent type to Success<undefined> in messages.ts.
  • Mark Phase 4.2 checklist complete and append the Phase 4.3 gate note in the planning docs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file (file: description):

  • tsconfig.netlify.functions.json: Enables strictNullChecks for the functions compilation path
  • src/functions/auth.ts: Passes the already-narrowed eventHeaders (from toDefinedHeaders) to getUserIdPassword instead of the raw event.headers
  • src/lib/MongodbService.ts: Adds an early-exit guard rejecting with 401 when user.hash is missing before calling comparePassword
  • src/lib/crypt.ts: Casts process.env.JWT_SECRET to jwt.Secret to satisfy the compiler in getAuthToken
  • src/lib/messages.ts: Narrows success204NoContent to Success<undefined> to accurately reflect a 204 No Content body
  • docs/plans/phase-4_2-checklist.md: Marks all Phase 4.2 checklist items as complete
  • docs/plans/phase-04-type-safety-and-env-handling.md: Adds the Phase 4.3 gate note recording the decision to proceed to broader strict evaluation

src/lib/crypt.ts Outdated
Comment on lines +35 to +36
const jwtSecret = process.env.JWT_SECRET as jwt.Secret
return jwt.sign({ user, exp }, jwtSecret)
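
Review bot: The `as jwt.Secret` cast on the `const jwtSecret` line changes only the compile-time type, so an unset or empty JWT_SECRET is still handed to `jwt.sign` and the failure surfaces on the first token request rather than when the module loads. Suggest reading the variable once at module scope, throwing if it is undefined or empty, and passing that narrowed constant to `jwt.sign` instead of casting.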
Copilot AI Mar 3, 2026

The fix for the strictNullChecks error uses process.env.JWT_SECRET as jwt.Secret to silence the compiler, but this is a type-cast workaround that doesn't add actual null safety. Unlike backend-utilities.ts (lines 39–41) and MongodbService.ts (lines 92–94), which both guard the env var at module load time with if (process.env.JWT_SECRET === undefined) throw "...", crypt.ts has no such guard. If JWT_SECRET is undefined at runtime, the cast will silently pass undefined to jwt.sign, which will then throw a JsonWebTokenError at the call site rather than failing fast at startup. The correct fix is to add a module-level guard — read the secret once, narrow the type to string (or jwt.Secret), and use that constant inside getAuthToken, consistent with the rest of the codebase.

Owner Author

Addressed by 7373e37
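
Added example, not part of the pull request or the project's code: it shows the difference described in the review thread above between casting the secret and guarding it at load time, and where each one fails when JWT_SECRET is missing. `signHS256` is a stand-in for `jwt.sign`, all function names are hypothetical, and the environment is passed in as a parameter instead of being read from `process.env`.

```typescript
import { createHmac } from "node:crypto";

type Env = Record<string, string | undefined>;
type Signer = (user: string, exp: number) => string;

// Stand-in for jwt.sign (assumption): HS256 over a JSON payload.
// Like a real signer, it refuses to sign without a key.
function signHS256(payload: object, secret: string): string {
  if (!secret) throw new Error("signing key must have a value");
  const b64 = (s: string) => Buffer.from(s).toString("base64url");
  const header = b64(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = `${header}.${b64(JSON.stringify(payload))}`;
  const sig = createHmac("sha256", secret).update(body).digest("base64url");
  return `${body}.${sig}`;
}

// Cast pattern from the reviewed lines: only the static type changes,
// so an unset variable is still undefined when the signer runs.
function makeSignerWithCast(env: Env): Signer {
  const secret = env["JWT_SECRET"] as string;
  return (user, exp) => signHS256({ user, exp }, secret);
}

// Guard pattern: check once at load, narrow to string, fail before serving.
function makeSignerWithGuard(env: Env): Signer {
  const secret = env["JWT_SECRET"];
  if (secret === undefined || secret.length === 0) {
    throw new Error("JWT_SECRET is not set");
  }
  return (user, exp) => signHS256({ user, exp }, secret);
}

// Where does a bad configuration surface: "startup", "first-request" or "never"?
function failurePoint(make: (env: Env) => Signer, env: Env): string {
  try {
    const sign = make(env);
    try { sign("alice", 1772600000); } catch { return "first-request"; }
  } catch { return "startup"; }
  return "never";
}

// Constructed sample environments.
const unsetEnv: Env = {};
const goodEnv: Env = { JWT_SECRET: "constructed-test-secret" };
console.log("cast, unset:", failurePoint(makeSignerWithCast, unsetEnv));
console.log("guard, unset:", failurePoint(makeSignerWithGuard, unsetEnv));
console.log("guard, set:", failurePoint(makeSignerWithGuard, goodEnv));
```

The guard also rejects an empty string, which a bare `=== undefined` check would let through.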

Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.


@rendall rendall closed this Mar 4, 2026
@rendall rendall deleted the check-phase-4.2-checklist-for-type-safety branch March 4, 2026 05:48