chore: replace hand-rolled layout() with @fastify/view + EJS #20

Merged
brendan merged 2 commits from chore/ejs-view-templates into main 2026-05-15 05:55:22 +00:00
Owner

Summary

  • Convert all src/views/*.ts template-literal modules to .ejs templates under views/
  • Register @fastify/view plugin in src/server.ts with EJS engine and _layout.ejs as the layout file
  • Update route handlers to use reply.view() instead of reply.send(layout(...))
  • Delete the 6 old TypeScript view modules and layout.ts
  • <%= %> auto-escaping replaces manual escHtml() calls; <%- body %> confined to layout slot only (trusted template output)
  • Auth gates (preHandler: requireAuth) unchanged on all protected routes
  • 131/131 tests pass, TypeScript clean

Security

  • No new security surface: <%- body %> used only in _layout.ejs for trusted template output, never for user input
  • All auth gates preserved unchanged
  • No secrets introduced or exposed
  • Minor inherited code smell noted (not blocking): file-list.ejs embeds baseUrl and nanoid-format f.id in an onclick attribute string — safe, same as original code

Lockfile

Added @fastify/view@11.1.1, ejs@5.0.2, @types/ejs@3.1.5 and transitive deps. Lockfile regenerated from scratch (rm -rf node_modules package-lock.json && npm install --include=optional). npm ci verified clean. Docker build verification deferred to CI (docker daemon not available in sandbox).

Closes #19
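
A CI check for the raw-output rule stated in the description above, as an added example that is not part of this PR or the project's code: it scans EJS sources, allows `<%-` only for `body` in `_layout.ejs`, and flags EJS tags inside inline `on*` handler attributes such as the one noted for `file-list.ejs`. The template snippets and the names `copyLink`, `files`, `profile.ejs` and `user.bio` are constructed for illustration.

```javascript
// Added example. Policy taken from the PR description: raw output (<%- %>) is
// allowed only for `body` in _layout.ejs. Partials pulled in with
// <%- include(...) %> would need their own allowlist entry.
const RAW_ALLOWED = new Map([['_layout.ejs', new Set(['body'])]]);

const RAW_TAG = /<%-([\s\S]*?)[-_]?%>/g;                      // unescaped output tag
const HANDLER_ATTR = /\son[a-z]+\s*=\s*"[^"]*<%[=-][^"]*"/gi; // EJS tag inside on*="..."

function lintTemplate(file, src) {
  const name = file.split('/').pop();
  const lineOf = (i) => src.slice(0, i).split('\n').length;
  const findings = [];
  for (const m of src.matchAll(RAW_TAG)) {
    const expr = m[1].trim();
    const allowed = RAW_ALLOWED.get(name)?.has(expr) === true;
    if (!allowed) findings.push({ file: name, line: lineOf(m.index), rule: 'raw-output', expr });
  }
  // HTML escaping alone does not make a value safe inside a JavaScript string in
  // an event-handler attribute, so these are flagged for manual review
  // (heuristic: double-quoted attributes only).
  for (const m of src.matchAll(HANDLER_ATTR)) {
    findings.push({ file: name, line: lineOf(m.index), rule: 'tag-in-handler', expr: m[0].trim() });
  }
  return findings;
}

function lintAll(templates) {
  return Object.entries(templates).flatMap(([file, src]) => lintTemplate(file, src));
}

// Constructed samples, not the project's real templates.
const SAMPLES = {
  'views/_layout.ejs': '<html><body>\n<main><%- body %></main>\n</body></html>',
  'views/file-list.ejs':
    '<ul>\n<% files.forEach((f) => { %>\n<li><%= f.name %>\n' +
    '<button onclick="copyLink(\'<%= baseUrl %>/f/<%= f.id %>\')">Copy</button></li>\n' +
    '<% }) %>\n</ul>',
  'views/profile.ejs': '<h1><%= user.name %></h1>\n<div><%- user.bio %></div>',
};

for (const f of lintAll(SAMPLES)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.expr}`);
}
```

Run against the real `views/` directory, a non-empty result can fail the build so a later `<%-` on user-controlled data does not slip past review.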

brendan added 2 commits 2026-05-15 05:55:01 +00:00
Convert all src/views/*.ts template-literal modules to .ejs templates
under views/. Register @fastify/view plugin in server.ts with EJS
engine and _layout.ejs as the layout file. Update route handlers to
use reply.view() instead of reply.send(layout(...)). Delete the old
TypeScript view modules and layout.ts.

Closes #19
brendan merged commit 829037f89c into main 2026-05-15 05:55:22 +00:00