feat(validation): migrate to Zod in @nbw/validation; drop class-validator

- Add env, Discord strategy, and song form schemas to @nbw/validation
- Wire ConfigModule to validateEnv; parse user/song/query payloads with Zod
- Replace DTO class helpers with mappers in song.util; re-export validation from @nbw/database for consumers
- Frontend: import song form schemas from @nbw/validation; remove local SongForm.zod
- Remove class-validator/class-transformer and global ValidationPipe from backend
- Update specs; note bun test may need workspace resolution fixes for @nbw/config

Author: tomast1337

apps/backend/package.json

@@ -27,6 +27,7 @@
     "@encode42/nbs.js": "^5.0.2",
     "@nbw/config": "workspace:*",
     "@nbw/database": "workspace:*",
+    "@nbw/validation": "workspace:*",
     "@nbw/song": "workspace:*",
     "@nbw/sounds": "workspace:*",
     "@nbw/thumbnail": "workspace:*",
@@ -44,10 +45,10 @@
     "axios": "^1.13.2",
     "bcryptjs": "^3.0.3",
     "class-transformer": "^0.5.1",
-    "class-validator": "^0.14.3",
     "esm": "^3.2.25",
     "express": "^5.2.1",
     "mongoose": "^9.0.1",
+    "nestjs-zod": "^5.0.1",
     "multer": "2.1.1",
     "nanoid": "^5.1.6",
     "passport": "^0.7.0",

apps/backend/scripts/build.ts

@@ -51,9 +51,6 @@ const build = async () => {
   await Bun.$`rm -rf dist`;
 
   const optionalRequirePackages = [
-    'class-transformer',
-    'class-transformer/storage',
-    'class-validator',
     '@nestjs/microservices',
     '@nestjs/websockets',
     '@fastify/static',
@@ -76,8 +73,11 @@ const build = async () => {
       }),
       '@nbw/config',
       '@nbw/database',
+      '@nbw/validation',
       '@nbw/song',
       '@nbw/sounds',
+      // @nestjs/swagger → @nestjs/mapped-types requires class-transformer metadata storage; bundler mis-resolves subpaths
+      'class-transformer',
     ],
     splitting: true,
   });

apps/backend/src/app.module.ts

@@ -1,13 +1,14 @@
 import { Logger, Module } from '@nestjs/common';
 import { ConfigModule, ConfigService } from '@nestjs/config';
-import { APP_GUARD } from '@nestjs/core';
+import { APP_GUARD, APP_PIPE } from '@nestjs/core';
 import { MongooseModule, MongooseModuleFactoryOptions } from '@nestjs/mongoose';
 import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
+import { ZodValidationPipe } from 'nestjs-zod';
 import { MailerModule } from '@nestjs-modules/mailer';
 import { HandlebarsAdapter } from '@nestjs-modules/mailer/dist/adapters/handlebars.adapter';
 
 import { AuthModule } from './auth/auth.module';
-import { validate } from './config/EnvironmentVariables';
+import { validateEnv } from '@nbw/validation';
 import { EmailLoginModule } from './email-login/email-login.module';
 import { FileModule } from './file/file.module';
 import { ParseTokenPipe } from './lib/parseToken';
@@ -21,7 +22,7 @@ import { UserModule } from './user/user.module';
     ConfigModule.forRoot({
       isGlobal: true,
       envFilePath: ['.env.test', '.env.development', '.env.production'],
-      validate,
+      validate: validateEnv,
     }),
     //DatabaseModule,
     MongooseModule.forRootAsync({
@@ -82,6 +83,10 @@ import { UserModule } from './user/user.module';
   controllers: [],
   providers: [
     ParseTokenPipe,
+    {
+      provide: APP_PIPE,
+      useClass: ZodValidationPipe,
+    },
     {
       provide: APP_GUARD,
       useClass: ThrottlerGuard,

apps/backend/src/auth/auth.service.spec.ts

@@ -278,6 +278,7 @@ describe('AuthService', () => {
         profileImage: 'http://example.com/photo.jpg',
       };
 
+      mockUserService.generateUsername.mockResolvedValue('testuser');
       mockUserService.findByEmail.mockResolvedValue(null);
       mockUserService.create.mockResolvedValue({ id: 'new-user-id' });
 

apps/backend/src/auth/auth.service.ts

@@ -4,8 +4,8 @@ import axios from 'axios';
 import type { CookieOptions, Request, Response } from 'express';
 import ms from 'ms';
 
-import { CreateUser } from '@nbw/database';
 import type { UserDocument } from '@nbw/database';
+import { createUserSchema } from '@nbw/validation';
 import { UserService } from '@server/user/user.service';
 
 import { DiscordUser } from './types/discordProfile';
@@ -90,10 +90,9 @@ export class AuthService {
 
   private async createNewUser(user: Profile) {
     const { username, email, profileImage } = user;
-    const baseUsername = username;
-    const newUsername = await this.userService.generateUsername(baseUsername);
+    const newUsername = await this.userService.generateUsername(username);
 
-    const newUser = new CreateUser({
+    const newUser = createUserSchema.parse({
       username: newUsername,
       email: email,
       profileImage: profileImage,
@@ -220,8 +219,6 @@ export class AuthService {
       return null;
     }
 
-    const user = await this.userService.findByID(decoded.id);
-
-    return user;
+    return await this.userService.findByID(decoded.id);
   }
 }

apps/backend/src/auth/strategies/discord.strategy/DiscordStrategyConfig.ts

@@ -1,6 +1,5 @@
+import type { DiscordStrategyConfig } from '@nbw/validation';
 import { VerifyFunction } from 'passport-oauth2';
-
-import { DiscordStrategyConfig } from './DiscordStrategyConfig';
 import DiscordStrategy from './Strategy';
 import { DiscordPermissionScope, Profile } from './types';
 
@@ -42,16 +41,15 @@ describe('DiscordStrategy', () => {
       prompt: 'consent',
     };
 
-    await expect(strategy['validateConfig'](config)).resolves.toBeUndefined();
+    expect(() => strategy['validateConfig'](config)).not.toThrow();
   });
 
   it('should make API request', async () => {
-    const mockGet = jest.fn((url, accessToken, callback) => {
-      callback(null, JSON.stringify({ id: '123' }));
+    strategy['_oauth2'].get = jest.fn((url, accessToken, callback) => {
+      // oauth2 `dataCallback` typings omit `null`; runtime passes null on success.
+      callback(null as never, JSON.stringify({ id: '123' }));
     });
 
-    strategy['_oauth2'].get = mockGet;
-
     const result = await strategy['makeApiRequest']<{ id: string }>(
       'https://discord.com/api/users/@me',
       'test-access-token',

apps/backend/src/auth/strategies/discord.strategy/Strategy.spec.ts

@@ -1,15 +1,15 @@
 import { Logger } from '@nestjs/common';
-import { plainToClass } from 'class-transformer';
-import { validateOrReject } from 'class-validator';
+import {
+  discordStrategyConfigSchema,
+  type DiscordStrategyConfig,
+} from '@nbw/validation';
 import {
   InternalOAuthError,
   Strategy as OAuth2Strategy,
   StrategyOptions as OAuth2StrategyOptions,
   VerifyCallback,
   VerifyFunction,
 } from 'passport-oauth2';
-
-import { DiscordStrategyConfig } from './DiscordStrategyConfig';
 import {
   Profile,
   ProfileConnection,
@@ -47,20 +47,19 @@ export default class Strategy extends OAuth2Strategy {
     );
 
     this.validateConfig(options);
-    this.scope = options.scope;
+    this.scope = options.scope as ScopeType;
     this.scopeDelay = options.scopeDelay ?? 0;
     this.fetchScopeEnabled = options.fetchScope ?? true;
     this._oauth2.useAuthorizationHeaderforGET(true);
     this.prompt = options.prompt;
   }
 
-  private async validateConfig(config: DiscordStrategyConfig): Promise<void> {
+  private validateConfig(config: DiscordStrategyConfig): void {
     try {
-      const validatedConfig = plainToClass(DiscordStrategyConfig, config);
-      await validateOrReject(validatedConfig);
-    } catch (errors) {
-      this.logger.error(errors);
-      throw new Error(`Configuration validation failed: ${errors}`);
+      discordStrategyConfigSchema.parse(config);
+    } catch (error) {
+      this.logger.error(error);
+      throw new Error(`Configuration validation failed: ${String(error)}`);
     }
   }