nextjs-hackathon-stack 0.1.30 → 0.1.32

package/template/src/app/__tests__/auth-callback.test.ts

@@ -69,4 +69,18 @@ describe("auth callback route", () => {
     expect(response.status).toBe(307);
     expect(response.headers.get("location")).toContain("/dashboard");
   });
+
+  it("ignores protocol-relative next param to prevent open redirect", async () => {
+    // Arrange
+    mockExchangeCodeForSession.mockResolvedValue({ error: null });
+    const { GET } = await import("../api/auth/callback/route");
+    const req = new Request("http://localhost/api/auth/callback?code=valid-code&next=//evil.com");
+
+    // Act
+    const response = await GET(req);
+
+    // Assert
+    expect(response.status).toBe(307);
+    expect(response.headers.get("location")).toBe("http://localhost/");
+  });
 });

package/template/src/app/__tests__/protected-page.test.tsx

@@ -1,27 +1,18 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 
 const mockGetUser = vi.fn();
-const mockSelect = vi.fn();
+const mockFrom = vi.fn();
 const mockRedirect = vi.fn();
 
 vi.mock("@/shared/lib/supabase/server", () => ({
   createClient: vi.fn(() =>
     Promise.resolve({
       auth: { getUser: mockGetUser },
+      from: mockFrom,
     })
   ),
 }));
 
-vi.mock("@/shared/db", () => ({
-  db: {
-    select: vi.fn(() => ({
-      from: vi.fn(() => ({
-        where: mockSelect,
-      })),
-    })),
-  },
-}));
-
 vi.mock("@/features/todos/components/todo-list", () => ({
   TodoList: () => <div data-testid="todo-list" />,
 }));
@@ -34,6 +25,13 @@ vi.mock("next/navigation", () => ({
   redirect: (url: string): unknown => mockRedirect(url),
 }));
 
+function makeTodosChain(data: unknown[]) {
+  return {
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn(() => Promise.resolve({ data, error: null })),
+  };
+}
+
 describe("HomePage (protected)", () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -53,7 +51,7 @@ describe("HomePage (protected)", () => {
   it("renderiza la página con las tareas del usuario", async () => {
     // Arrange
     mockGetUser.mockResolvedValue({ data: { user: { id: "u1", email: "user@example.com" } } });
-    mockSelect.mockResolvedValue([]);
+    mockFrom.mockReturnValue(makeTodosChain([]));
     const { default: HomePage } = await import("../(protected)/page");
 
     // Act
@@ -66,7 +64,7 @@ describe("HomePage (protected)", () => {
   it("renderiza correctamente con lista de tareas vacía", async () => {
     // Arrange
     mockGetUser.mockResolvedValue({ data: { user: { id: "u1", email: "user@example.com" } } });
-    mockSelect.mockResolvedValue([]);
+    mockFrom.mockReturnValue(makeTodosChain([]));
     const { default: HomePage } = await import("../(protected)/page");
 
     // Act

package/template/src/app/api/auth/callback/route.ts

@@ -5,7 +5,8 @@ import { createClient } from "@/shared/lib/supabase/server";
 export async function GET(request: Request) {
   const { searchParams, origin } = new URL(request.url);
   const code = searchParams.get("code");
-  const next = searchParams.get("next") ?? "/";
+  const rawNext = searchParams.get("next") ?? "/";
+  const next = rawNext.startsWith("/") && !rawNext.startsWith("//") ? rawNext : "/";
 
   if (!code) {
     return NextResponse.redirect(`${origin}/login?error=no_code`);

package/template/src/e2e/login.spec.ts

@@ -9,13 +9,13 @@ test.describe("Login flow", () => {
   test("shows login form", async ({ page }) => {
     await page.goto("/login");
     await expect(page.getByTestId("login-form")).toBeVisible();
-    await expect(page.getByLabel(/email/i)).toBeVisible();
-    await expect(page.getByLabel(/password/i)).toBeVisible();
+    await expect(page.getByLabel(/correo electrónico/i)).toBeVisible();
+    await expect(page.getByLabel(/contraseña/i)).toBeVisible();
   });
 
   test("shows validation errors on empty submit", async ({ page }) => {
     await page.goto("/login");
-    await page.getByRole("button", { name: /sign in/i }).click();
-    await expect(page.getByText(/invalid email/i)).toBeVisible();
+    await page.getByRole("button", { name: /iniciar sesión/i }).click();
+    await expect(page.getByText(/correo electrónico inválido/i)).toBeVisible();
   });
 });

package/template/src/features/todos/__tests__/todos.action.test.ts

@@ -1,11 +1,8 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 
-const mockInsert = vi.fn();
-const mockUpdate = vi.fn();
-const mockDelete = vi.fn();
-const mockSelectWhere = vi.fn();
 const mockRevalidatePath = vi.fn();
 const mockGetUser = vi.fn();
+const mockFrom = vi.fn();
 
 vi.mock("next/cache", () => ({
   revalidatePath: (path: string): unknown => mockRevalidatePath(path),
@@ -15,22 +12,27 @@ vi.mock("@/shared/lib/supabase/server", () => ({
   createClient: vi.fn(() =>
     Promise.resolve({
       auth: { getUser: mockGetUser },
+      from: mockFrom,
     })
   ),
 }));
 
-vi.mock("@/shared/db", () => ({
-  db: {
-    insert: vi.fn(() => ({ values: mockInsert })),
-    update: vi.fn(() => ({ set: vi.fn(() => ({ where: mockUpdate })) })),
-    delete: vi.fn(() => ({ where: mockDelete })),
-    select: vi.fn(() => ({ from: vi.fn(() => ({ where: mockSelectWhere })) })),
-  },
-}));
-
-vi.mock("@/shared/db/schema", () => ({
-  todos: {},
-}));
+interface QueryResult { data: unknown; error: unknown }
+
+function makeChain(result: QueryResult) {
+  const chain: Record<string, unknown> = {};
+  chain.insert = vi.fn(() => chain);
+  chain.select = vi.fn(() => chain);
+  chain.update = vi.fn(() => chain);
+  chain.delete = vi.fn(() => chain);
+  chain.eq = vi.fn(() => chain);
+  chain.single = vi.fn(() => Promise.resolve(result));
+  chain.then = (
+    onFulfilled: (v: QueryResult) => unknown,
+    onRejected?: (e: unknown) => unknown
+  ) => Promise.resolve(result).then(onFulfilled, onRejected);
+  return chain;
+}
 
 describe("addTodoAction", () => {
   beforeEach(() => {
@@ -48,58 +50,57 @@ describe("addTodoAction", () => {
 
     // Assert
     expect(result.status).toBe("error");
-    expect(mockInsert).not.toHaveBeenCalled();
+    expect(mockFrom).not.toHaveBeenCalled();
   });
 
-  it("retorna error si no hay usuario autenticado", async () => {
+  it("retorna error si el campo title no está presente", async () => {
     // Arrange
-    mockGetUser.mockResolvedValue({ data: { user: null } });
     const { addTodoAction } = await import("../actions/todos.action");
     const fd = new FormData();
-    fd.set("title", "Mi tarea");
 
     // Act
     const result = await addTodoAction(fd);
 
     // Assert
     expect(result.status).toBe("error");
-    expect(mockInsert).not.toHaveBeenCalled();
+    expect(mockFrom).not.toHaveBeenCalled();
   });
 
-  it("inserta la tarea, llama a revalidatePath y retorna success cuando el usuario existe", async () => {
+  it("retorna error si no hay usuario autenticado", async () => {
     // Arrange
-    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
-    mockInsert.mockResolvedValue(undefined);
+    mockGetUser.mockResolvedValue({ data: { user: null } });
     const { addTodoAction } = await import("../actions/todos.action");
     const fd = new FormData();
-    fd.set("title", "Nueva tarea");
+    fd.set("title", "Mi tarea");
 
     // Act
     const result = await addTodoAction(fd);
 
     // Assert
-    expect(result.status).toBe("success");
-    expect(mockInsert).toHaveBeenCalledWith({ userId: "u1", title: "Nueva tarea" });
-    expect(mockRevalidatePath).toHaveBeenCalledWith("/");
+    expect(result.status).toBe("error");
+    expect(mockFrom).not.toHaveBeenCalled();
   });
 
-  it("retorna error si el campo title no está presente", async () => {
+  it("inserta la tarea, llama a revalidatePath y retorna success cuando el usuario existe", async () => {
     // Arrange
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom.mockReturnValue(makeChain({ data: null, error: null }));
     const { addTodoAction } = await import("../actions/todos.action");
     const fd = new FormData();
+    fd.set("title", "Nueva tarea");
 
     // Act
     const result = await addTodoAction(fd);
 
     // Assert
-    expect(result.status).toBe("error");
-    expect(mockInsert).not.toHaveBeenCalled();
+    expect(result.status).toBe("success");
+    expect(mockRevalidatePath).toHaveBeenCalledWith("/");
   });
 
-  it("retorna error si la inserción lanza una excepción", async () => {
+  it("retorna error si la inserción falla", async () => {
     // Arrange
     mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
-    mockInsert.mockRejectedValue(new Error("DB error"));
+    mockFrom.mockReturnValue(makeChain({ data: null, error: new Error("DB error") }));
     const { addTodoAction } = await import("../actions/todos.action");
     const fd = new FormData();
     fd.set("title", "Tarea fallida");
@@ -117,9 +118,25 @@ describe("toggleTodoAction", () => {
     vi.clearAllMocks();
   });
 
+  it("retorna error si no hay usuario autenticado", async () => {
+    // Arrange
+    mockGetUser.mockResolvedValue({ data: { user: null } });
+    const { toggleTodoAction } = await import("../actions/todos.action");
+
+    // Act
+    const result = await toggleTodoAction("1");
+
+    // Assert
+    expect(result.status).toBe("error");
+    expect(mockFrom).not.toHaveBeenCalled();
+  });
+
   it("retorna error si la tarea no existe", async () => {
     // Arrange
-    mockSelectWhere.mockResolvedValue([]);
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom.mockReturnValue(
+      makeChain({ data: null, error: { code: "PGRST116" } })
+    );
     const { toggleTodoAction } = await import("../actions/todos.action");
 
     // Act
@@ -127,13 +144,14 @@ describe("toggleTodoAction", () => {
 
     // Assert
     expect(result.status).toBe("error");
-    expect(mockUpdate).not.toHaveBeenCalled();
   });
 
   it("invierte completed, llama a revalidatePath y retorna success", async () => {
     // Arrange
-    mockSelectWhere.mockResolvedValue([{ id: "1", completed: false }]);
-    mockUpdate.mockResolvedValue(undefined);
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom
+      .mockReturnValueOnce(makeChain({ data: { completed: false }, error: null }))
+      .mockReturnValueOnce(makeChain({ data: null, error: null }));
     const { toggleTodoAction } = await import("../actions/todos.action");
 
     // Act
@@ -141,13 +159,15 @@ describe("toggleTodoAction", () => {
 
     // Assert
     expect(result.status).toBe("success");
-    expect(mockUpdate).toHaveBeenCalled();
     expect(mockRevalidatePath).toHaveBeenCalledWith("/");
   });
 
-  it("retorna error si la actualización lanza una excepción", async () => {
+  it("retorna error si la actualización falla", async () => {
     // Arrange
-    mockSelectWhere.mockRejectedValue(new Error("DB error"));
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom
+      .mockReturnValueOnce(makeChain({ data: { completed: true }, error: null }))
+      .mockReturnValueOnce(makeChain({ data: null, error: new Error("DB error") }));
     const { toggleTodoAction } = await import("../actions/todos.action");
 
     // Act
@@ -163,9 +183,23 @@ describe("deleteTodoAction", () => {
     vi.clearAllMocks();
   });
 
+  it("retorna error si no hay usuario autenticado", async () => {
+    // Arrange
+    mockGetUser.mockResolvedValue({ data: { user: null } });
+    const { deleteTodoAction } = await import("../actions/todos.action");
+
+    // Act
+    const result = await deleteTodoAction("1");
+
+    // Assert
+    expect(result.status).toBe("error");
+    expect(mockFrom).not.toHaveBeenCalled();
+  });
+
   it("elimina la tarea, llama a revalidatePath y retorna success", async () => {
     // Arrange
-    mockDelete.mockResolvedValue(undefined);
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom.mockReturnValue(makeChain({ data: null, error: null }));
     const { deleteTodoAction } = await import("../actions/todos.action");
 
     // Act
@@ -173,13 +207,13 @@ describe("deleteTodoAction", () => {
 
     // Assert
     expect(result.status).toBe("success");
-    expect(mockDelete).toHaveBeenCalled();
     expect(mockRevalidatePath).toHaveBeenCalledWith("/");
   });
 
-  it("retorna error si la eliminación lanza una excepción", async () => {
+  it("retorna error si la eliminación falla", async () => {
     // Arrange
-    mockDelete.mockRejectedValue(new Error("DB error"));
+    mockGetUser.mockResolvedValue({ data: { user: { id: "u1" } } });
+    mockFrom.mockReturnValue(makeChain({ data: null, error: new Error("DB error") }));
     const { deleteTodoAction } = await import("../actions/todos.action");
 
     // Act

package/template/src/features/todos/__tests__/todos.queries.test.ts

@@ -0,0 +1,101 @@
+import { describe, it, expect, vi } from "vitest";
+
+import { getTodoById, getTodosByUserId } from "../queries/todos.queries";
+
+import type { createClient } from "@/shared/lib/supabase/server";
+
+type Client = Awaited<ReturnType<typeof createClient>>;
+interface QueryResult { data: unknown; error: unknown }
+
+function makeSupabase(result: QueryResult) {
+  const chain: Record<string, unknown> = {};
+  chain.select = vi.fn(() => chain);
+  chain.eq = vi.fn(() => chain);
+  chain.single = vi.fn(() => Promise.resolve(result));
+  chain.then = (
+    onFulfilled: (v: QueryResult) => unknown,
+    onRejected?: (e: unknown) => unknown
+  ) => Promise.resolve(result).then(onFulfilled, onRejected);
+  return { from: vi.fn(() => chain) } as unknown as Client;
+}
+
+describe("getTodosByUserId", () => {
+  it("retorna los todos del usuario cuando la consulta tiene éxito", async () => {
+    // Arrange
+    const todos = [{ id: "1", title: "Tarea", completed: false, user_id: "u1" }];
+    const supabase = makeSupabase({ data: todos, error: null });
+
+    // Act
+    const result = await getTodosByUserId(supabase, "u1");
+
+    // Assert
+    expect(result.data).toEqual(todos);
+    expect(result.error).toBeNull();
+  });
+
+  it("retorna lista vacía cuando el usuario no tiene todos", async () => {
+    // Arrange
+    const supabase = makeSupabase({ data: [], error: null });
+
+    // Act
+    const result = await getTodosByUserId(supabase, "u1");
+
+    // Assert
+    expect(result.data).toEqual([]);
+    expect(result.error).toBeNull();
+  });
+
+  it("retorna error cuando falla la consulta", async () => {
+    // Arrange
+    const dbError = new Error("DB error");
+    const supabase = makeSupabase({ data: null, error: dbError });
+
+    // Act
+    const result = await getTodosByUserId(supabase, "u1");
+
+    // Assert
+    expect(result.data).toBeNull();
+    expect(result.error).toBe(dbError);
+  });
+});
+
+describe("getTodoById", () => {
+  it("retorna el todo cuando existe y pertenece al usuario", async () => {
+    // Arrange
+    const todo = { id: "1", completed: false };
+    const supabase = makeSupabase({ data: todo, error: null });
+
+    // Act
+    const result = await getTodoById(supabase, "1", "u1");
+
+    // Assert
+    expect(result.data).toEqual(todo);
+    expect(result.error).toBeNull();
+  });
+
+  it("retorna error cuando el todo no existe", async () => {
+    // Arrange
+    const dbError = { code: "PGRST116" };
+    const supabase = makeSupabase({ data: null, error: dbError });
+
+    // Act
+    const result = await getTodoById(supabase, "non-existent", "u1");
+
+    // Assert
+    expect(result.data).toBeNull();
+    expect(result.error).toEqual(dbError);
+  });
+
+  it("retorna error cuando falla la consulta", async () => {
+    // Arrange
+    const dbError = new Error("DB error");
+    const supabase = makeSupabase({ data: null, error: dbError });
+
+    // Act
+    const result = await getTodoById(supabase, "1", "u1");
+
+    // Assert
+    expect(result.data).toBeNull();
+    expect(result.error).toBe(dbError);
+  });
+});

package/template/src/features/todos/actions/todos.action.ts

@@ -1,10 +1,8 @@
 "use server";
 
-import { eq } from "drizzle-orm";
 import { revalidatePath } from "next/cache";
 
-import { db } from "@/shared/db";
-import { todos } from "@/shared/db/schema";
+import { getTodoById } from "@/features/todos/queries/todos.queries";
 import type { ActionResult } from "@/shared/lib/action-result";
 import { createClient } from "@/shared/lib/supabase/server";
 
@@ -20,34 +18,50 @@ export async function addTodoAction(formData: FormData): Promise<ActionResult> {
   } = await supabase.auth.getUser();
   if (!user) return { status: "error", message: "No autenticado" };
 
-  try {
-    await db.insert(todos).values({ userId: user.id, title: title.trim() });
-    revalidatePath("/");
-    return { status: "success", message: "Tarea agregada" };
-  } catch {
-    return { status: "error", message: "Error al agregar la tarea" };
-  }
+  const { error } = await supabase
+    .from("todos")
+    .insert({ user_id: user.id, title: title.trim() });
+  if (error) return { status: "error", message: "Error al agregar la tarea" };
+
+  revalidatePath("/");
+  return { status: "success", message: "Tarea agregada" };
 }
 
 export async function toggleTodoAction(id: string): Promise<ActionResult> {
-  try {
-    const [todo] = await db.select().from(todos).where(eq(todos.id, id));
-    if (!todo) return { status: "error", message: "Tarea no encontrada" };
-
-    await db.update(todos).set({ completed: !todo.completed }).where(eq(todos.id, id));
-    revalidatePath("/");
-    return { status: "success", message: "Tarea actualizada" };
-  } catch {
-    return { status: "error", message: "Error al actualizar la tarea" };
-  }
+  const supabase = await createClient();
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+  if (!user) return { status: "error", message: "No autenticado" };
+
+  const { data: todo, error: fetchError } = await getTodoById(supabase, id, user.id);
+  if (fetchError ?? !todo) return { status: "error", message: "Tarea no encontrada" };
+
+  const { error } = await supabase
+    .from("todos")
+    .update({ completed: !todo.completed })
+    .eq("id", id)
+    .eq("user_id", user.id);
+  if (error) return { status: "error", message: "Error al actualizar la tarea" };
+
+  revalidatePath("/");
+  return { status: "success", message: "Tarea actualizada" };
 }
 
 export async function deleteTodoAction(id: string): Promise<ActionResult> {
-  try {
-    await db.delete(todos).where(eq(todos.id, id));
-    revalidatePath("/");
-    return { status: "success", message: "Tarea eliminada" };
-  } catch {
-    return { status: "error", message: "Error al eliminar la tarea" };
-  }
+  const supabase = await createClient();
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+  if (!user) return { status: "error", message: "No autenticado" };
+
+  const { error } = await supabase
+    .from("todos")
+    .delete()
+    .eq("id", id)
+    .eq("user_id", user.id);
+  if (error) return { status: "error", message: "Error al eliminar la tarea" };
+
+  revalidatePath("/");
+  return { status: "success", message: "Tarea eliminada" };
 }

package/template/src/features/todos/queries/todos.queries.ts

@@ -0,0 +1,16 @@
+import type { createClient } from "@/shared/lib/supabase/server";
+
+type Client = Awaited<ReturnType<typeof createClient>>;
+
+export async function getTodosByUserId(supabase: Client, userId: string) {
+  return supabase.from("todos").select("*").eq("user_id", userId);
+}
+
+export async function getTodoById(supabase: Client, id: string, userId: string) {
+  return supabase
+    .from("todos")
+    .select("completed")
+    .eq("id", id)
+    .eq("user_id", userId)
+    .single();
+}

package/template/src/shared/lib/supabase/middleware.ts

@@ -4,7 +4,6 @@ import { NextResponse, type NextRequest } from "next/server";
 export async function updateSession(request: NextRequest) {
   let supabaseResponse = NextResponse.next({ request });
 
-  // eslint-disable-next-line @typescript-eslint/no-deprecated
   const supabase = createServerClient(
     process.env.NEXT_PUBLIC_SUPABASE_URL ?? "",
     process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? "",

package/template/src/shared/lib/supabase/server.ts

@@ -4,7 +4,6 @@ import { cookies } from "next/headers";
 export async function createClient() {
   const cookieStore = await cookies();
 
-  // eslint-disable-next-line @typescript-eslint/no-deprecated
   return createServerClient(
     process.env.NEXT_PUBLIC_SUPABASE_URL ?? "",
     process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ?? "",

package/template/tailwind.css

@@ -1,20 +1,20 @@
 @import "tailwindcss";
 
 @theme {
-  --color-background: hsl(0 0% 100%);
-  --color-foreground: hsl(222.2 84% 4.9%);
-  --color-primary: hsl(222.2 47.4% 11.2%);
-  --color-primary-foreground: hsl(210 40% 98%);
-  --color-secondary: hsl(210 40% 96.1%);
-  --color-secondary-foreground: hsl(222.2 47.4% 11.2%);
-  --color-muted: hsl(210 40% 96.1%);
-  --color-muted-foreground: hsl(215.4 16.3% 46.9%);
-  --color-accent: hsl(210 40% 96.1%);
-  --color-accent-foreground: hsl(222.2 47.4% 11.2%);
+  --color-background: #ffffff;
+  --color-foreground: #111111;
+  --color-primary: #022633;
+  --color-primary-foreground: #ffffff;
+  --color-secondary: #f6a623;
+  --color-secondary-foreground: #ffffff;
+  --color-muted: #f5f5f5;
+  --color-muted-foreground: #666666;
+  --color-accent: #044a68;
+  --color-accent-foreground: #ffffff;
   --color-destructive: hsl(0 84.2% 60.2%);
-  --color-destructive-foreground: hsl(210 40% 98%);
-  --color-border: hsl(214.3 31.8% 91.4%);
-  --color-input: hsl(214.3 31.8% 91.4%);
-  --color-ring: hsl(222.2 84% 4.9%);
+  --color-destructive-foreground: #ffffff;
+  --color-border: #e5e5e5;
+  --color-input: #e5e5e5;
+  --color-ring: #022633;
   --radius: 0.5rem;
 }