Feature/yazio provider 1442#1458
Conversation
Implements YAZIO integration as a new external food provider using the reverse-engineered YAZIO private API (OAuth2 password grant). Changes: - Server: new yazioService integration (search, details, barcode lookup) - Server: wire YAZIO into externalProviderService and foodCoreService - Server: API routes updated for YAZIO provider type - Server: migrations for provider_type lookup + CHECK constraint - Server: unit tests (4/4 passing) with mocked API responses - Frontend: provider settings UI, food search, barcode scanner support - Mobile: food search screen + hook updated for YAZIO - .env.example: YAZIO_CLIENT_ID/YAZIO_CLIENT_SECRET config Notes: - YAZIO API is unofficial/private — may break if YAZIO changes it - Credentials loaded via env vars (not hardcoded) - Provider marked as experimental in UI Refs: CodeWithCJ#1442
Scale YAZIO density nutrient payloads to per-100g/ml values so imported foods no longer save as 1 kcal with near-zero macros. Preserve provider verified metadata and cover the mapping with regression tests.
PR Validation ResultsChange Detection
✅ All checks passed. Thank you! |
There was a problem hiding this comment.
Code Review
This pull request implements an experimental integration with the YAZIO food provider across the web frontend, mobile app, and backend server. It adds support for YAZIO product searches, barcode lookups, and credential management. Feedback on the backend implementation focuses on improving robustness and error handling in yazioService.ts. Specifically, the reviewer identified a potential division-by-zero bug when scaling nutrients, a concurrency issue with parallel token requests, and potential TypeError crashes if the API returns non-array data or if a null product is mapped.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
Addressed Gemini review feedback in cd16e1a:
Validation after the fix:
All passed locally. |
Propagate the selected online provider into mobile barcode lookups so YAZIO scans query the selected YAZIO provider before OpenFoodFacts fallback.
YAZIO search results do not include EANs for real barcode queries, so hydrate candidate details and match their eans before falling back to OpenFoodFacts. Preserve the scanned barcode in the normalized result.
- Fix YAZIO Client ID/Secret not persisted on edit (merge existing credentials with user edits) - Add prominent warning about unofficial API, ban risk, and instability - Remove redundant migration files (yazio already in refactor migration) - Add yazio to external_provider_types lookup table - Add regression tests for YAZIO credential merge No mobile changes — mobile will be separate PR.
- Server: validateYazioProviderCredentials now accepts EITHER login creds (username+password) OR client creds (clientId+clientSecret) - Server: requireCredentials in yazioService only requires clientId+clientSecret, username+password optional - Server: getYazioAccessToken only sends username/password in token request if both are provided - Frontend: yazio providerRequirements only requires yazio_client_id and yazio_client_secret - Frontend: Added '(Optional)' labels to YAZIO Email/Password fields in ProviderSpecificFields and EditProviderForm - Frontend: Added helper text explaining email/password are optional - Tests: Added server tests for YAZIO with only client credentials and for rejecting YAZIO without any credentials - Tests: Added yazioService test for token request without username/password - Tests: Updated validateProvider test expectations No mobile changes - mobile will be separate PR.
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 33773161 | Triggered | Generic Password | d7abc7b | SparkyFitnessFrontend/src/pages/Settings/ProviderSpecificFields.tsx | View secret |
| 33773161 | Triggered | Generic Password | 2372148 | SparkyFitnessFrontend/src/pages/Settings/ProviderSpecificFields.tsx | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
898ff97 to
4acafc9
Compare
- Server: validateYazioProviderCredentials now accepts EITHER login creds (username+password) OR client creds (clientId+clientSecret) - Server: requireCredentials in yazioService only requires clientId+clientSecret, username+password optional - Server: getYazioAccessToken only sends username/password in token request if both are provided - Frontend: yazio providerRequirements only requires yazio_client_id and yazio_client_secret - Frontend: Added '(Optional)' labels to YAZIO Email/Password fields in ProviderSpecificFields and EditProviderForm - Frontend: Added helper text explaining email/password are optional - Tests: Added server tests for YAZIO with only client credentials and for rejecting YAZIO without any credentials - Tests: Added yazioService test for token request without username/password - Tests: Updated validateProvider test expectations No mobile changes - mobile will be separate PR.
Removed YAZIO integration credentials section from example env file.
Description
What problem does this Solve?
This adds YAZIO as an experimental external food provider and makes it selectable in the shared mobile food-search flow.
How did you implement the solution?
Added YAZIO provider typing, settings support, server-side OAuth/search/barcode/detail mapping, v2 food routes and schemas, mobile API parsing/search support, and targeted tests. Mobile uses the shared React Native/Expo implementation, so the provider chip is available on both iOS and Android when the backend returns an active
provider_type: "yazio"provider.Linked Issue: Closes #1442
How to Test
corepack pnpm installif needed.cd SparkyFitnessMobile corepack pnpm run typecheck corepack pnpm run lint corepack pnpm run test:run -- --watchman=false --runInBand __tests__/hooks/useExternalFoodSearch.test.ts __tests__/hooks/useExternalProviders.test.ts __tests__/screens/FoodSearchScreen.test.tsxPR Type
Checklist
All PRs:
New features only:
Frontend changes (
SparkyFitnessFrontend/):pnpm run validateand it passes.en) translation file.Backend changes (
SparkyFitnessServer/):rls_policies.sqlfor any new user-specific tables. (N/A: this PR only extends the existing external-provider type/check constraints; no new user-specific tables.)UI changes (components, screens, pages):
Mobile changes (
SparkyFitnessMobile/):Screenshots
Click to expand
Before
The previous Online provider picker did not include YAZIO as a selectable provider.
After
YAZIO provider form
Default barcode provider includes YAZIO
Online search result from YAZIO
Edit food details from YAZIO result
YAZIO unit variants imported
Add-to-meal unit picker includes YAZIO units
Mobile: YAZIO provider settings (commit 49799ed)
Mobile: YAZIO search results (commit 49799ed)
Notes for Reviewers
YAZIO_CLIENT_IDandYAZIO_CLIENT_SECRET) plus provider username/password credentials.corepack pnpm run validateinSparkyFitnessFrontendinitially failed becausetsc -brequires a build mode invocation; the equivalent checklist steps were run individually and passed:tsc -b, ESLint, and Prettier check.