Migrate REST APIs to tRPC for end-to-end type safety (#339)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Starefossen <968267+Starefossen@users.noreply.github.com>
Co-authored-by: Hans Kristian Flaatten <hans.kristian.flaatten@nav.no>

Author: Copilot

__tests__/api/badge/badge-e2e.test.ts

@@ -476,32 +476,26 @@ describe('Badge System E2E', () => {
       // Bake JWT string into SVG
       const bakedSVG = bakeBadge(svg, assertion)
 
-      // 2. Validate through API (which includes cryptographic verification)
-      const { POST } = await import('@/app/api/badge/validate/route')
-      const request = {
-        json: async () => ({ svg: bakedSVG }),
-      } as any
+      // 2. Validate through the validation module (migrated from REST to tRPC)
+      const { validateBadge } = await import('@/lib/badge/validation')
+      const result = await validateBadge(bakedSVG)
 
-      const response = await POST(request)
-      expect(response.status).toBe(200)
-
-      const result = await response.json()
       expect(result.checks).toBeDefined()
 
       // Verify canonicalization check (RDF Dataset Canonicalization)
       const canonCheck = result.checks.find(
-        (c: any) => c.name === 'canonicalization',
+        (c) => c.name === 'canonicalization',
       )
       expect(canonCheck).toBeDefined()
-      expect(canonCheck.status).toBe('success')
-      expect(canonCheck.details?.canonicalizationResult).toBeDefined()
-      expect(typeof canonCheck.details?.canonicalizationResult).toBe('string')
+      expect(canonCheck!.status).toBe('success')
+      expect(canonCheck!.details?.canonicalizationResult).toBeDefined()
+      expect(typeof canonCheck!.details?.canonicalizationResult).toBe('string')
 
       // Find the proof check
-      const proofCheck = result.checks.find((c: any) => c.name === 'proof')
+      const proofCheck = result.checks.find((c) => c.name === 'proof')
       expect(proofCheck).toBeDefined()
-      expect(proofCheck.status).toBe('success')
-      expect(proofCheck.details?.signatureValid).toBe(true)
+      expect(proofCheck!.status).toBe('success')
+      expect(proofCheck!.details?.signatureValid).toBe(true)
 
       console.log(
         '✓ Validator API cryptographically verified badge signature with RDF canonicalization',

__tests__/api/trpc/middleware.test.ts

@@ -0,0 +1,71 @@
+vi.mock('@/lib/auth', () => ({
+  getAuthSession: vi.fn().mockResolvedValue(null),
+}))
+
+vi.mock('@/lib/events/registry', () => ({}))
+
+import { describe, it, expect, vi } from 'vitest'
+import { TRPCError } from '@trpc/server'
+import {
+  createAnonymousCaller,
+  createAuthenticatedCaller,
+  createAdminCaller,
+  speakers,
+} from '../../helpers/trpc'
+
+describe('tRPC middleware', () => {
+  describe('protectedProcedure', () => {
+    it('should reject unauthenticated requests', async () => {
+      const caller = createAnonymousCaller()
+
+      await expect(caller.proposal.list()).rejects.toThrow(TRPCError)
+      await expect(caller.proposal.list()).rejects.toMatchObject({
+        code: 'UNAUTHORIZED',
+      })
+    })
+
+    it('should allow authenticated requests', async () => {
+      // This will fail because of missing mock data, but it should NOT throw UNAUTHORIZED
+      const caller = createAuthenticatedCaller()
+      try {
+        await caller.proposal.list()
+      } catch (error) {
+        expect(error).toBeInstanceOf(TRPCError)
+        expect((error as TRPCError).code).not.toBe('UNAUTHORIZED')
+      }
+    })
+  })
+
+  describe('adminProcedure', () => {
+    it('should reject unauthenticated requests', async () => {
+      const caller = createAnonymousCaller()
+
+      await expect(caller.speakers.list({})).rejects.toThrow(TRPCError)
+      await expect(caller.speakers.list({})).rejects.toMatchObject({
+        code: 'UNAUTHORIZED',
+      })
+    })
+
+    it('should reject non-admin users', async () => {
+      const regularUser = speakers.find((s) => !s.isOrganizer)!
+      const caller = createAuthenticatedCaller(regularUser._id)
+
+      await expect(caller.speakers.list({})).rejects.toThrow(TRPCError)
+      await expect(caller.speakers.list({})).rejects.toMatchObject({
+        code: 'FORBIDDEN',
+      })
+    })
+
+    it('should allow admin users', async () => {
+      const caller = createAdminCaller()
+      // Should not throw UNAUTHORIZED or FORBIDDEN — may throw due to missing mock data
+      try {
+        await caller.speakers.list({})
+      } catch (error) {
+        expect(error).toBeInstanceOf(TRPCError)
+        expect((error as TRPCError).code).not.toBe('UNAUTHORIZED')
+        expect((error as TRPCError).code).not.toBe('FORBIDDEN')
+      }
+    })
+  })
+})