feat: Sprint 1 — backend fondations TetaRdPG

Auth SuperOAuth (JWT validation + httpOnly cookie), entités users/characters/level_thresholds, lazy calculation endurance, seed 100 niveaux, config prod-ready (trust proxy, helmet, CORS, rate limit). Validé : health 200, auth flow, character CRUD, endurance lazy, 401 sans cookie.
2026-03-15 05:51:02 +01:00
commit da3237bf3f
29 changed files with 7249 additions and 0 deletions
--- a/src/main.ts
+++ b/src/main.ts
@@ -0,0 +1,49 @@
+import { NestFactory } from '@nestjs/core';
+import { NestExpressApplication } from '@nestjs/platform-express';
+import { ValidationPipe } from '@nestjs/common';
+import * as cookieParser from 'cookie-parser';
+import helmet from 'helmet';
+import { AppModule } from './app.module';
+
+async function bootstrap() {
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
+
+  // VPS derrière Apache / reverse proxy — obligatoire pour rate limiter + IP logs corrects
+  app.set('trust proxy', 1);
+
+  // Security headers
+  app.use(helmet());
+
+  // Cookie parser avec signature
+  const cookieSecret = process.env.COOKIE_SECRET;
+  if (!cookieSecret) throw new Error('COOKIE_SECRET manquant');
+  app.use(cookieParser(cookieSecret));
+
+  // CORS — multi-origin depuis l'env
+  const allowedOrigins = (process.env.FRONTEND_URL ?? 'http://localhost:5173')
+    .split(',')
+    .map((o) => o.trim());
+
+  app.enableCors({
+    origin: allowedOrigins,
+    credentials: true,
+  });
+
+  // Validation globale
+  app.useGlobalPipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  );
+
+  // Prefix global
+  app.setGlobalPrefix('api');
+
+  const port = process.env.PORT ?? 4000;
+  await app.listen(port);
+  console.log(`TetaRdPG backend démarré sur le port ${port}`);
+}
+
+bootstrap();