Skip to content

Feature/yazio provider 1442#1458

Merged
CodeWithCJ merged 24 commits into
CodeWithCJ:mainfrom
thorethy1:feature/yazio-provider-1442
Jun 6, 2026
Merged

Feature/yazio provider 1442#1458
CodeWithCJ merged 24 commits into
CodeWithCJ:mainfrom
thorethy1:feature/yazio-provider-1442

Conversation

@thorethy1

@thorethy1 thorethy1 commented Jun 6, 2026

Copy link
Copy Markdown

Description

What problem does this Solve?
This adds YAZIO as an experimental external food provider and makes it selectable in the shared mobile food-search flow.

How did you implement the solution?
Added YAZIO provider typing, settings support, server-side OAuth/search/barcode/detail mapping, v2 food routes and schemas, mobile API parsing/search support, and targeted tests. Mobile uses the shared React Native/Expo implementation, so the provider chip is available on both iOS and Android when the backend returns an active provider_type: "yazio" provider.

Linked Issue: Closes #1442

How to Test

  1. From the repo root, install deps with corepack pnpm install if needed.
  2. Validate frontend changes:
    cd SparkyFitnessFrontend
    corepack pnpm exec tsc -b
    corepack pnpm exec eslint . --max-warnings 0
    corepack pnpm exec prettier . --check
  3. Validate backend changes:
    cd SparkyFitnessServer
    corepack pnpm run typecheck
    corepack pnpm run lint
    corepack pnpm run test -- tests/yazioService.test.ts
  4. Validate mobile changes:
    cd SparkyFitnessMobile
    corepack pnpm run typecheck
    corepack pnpm run lint
    corepack pnpm run test:run -- --watchman=false --runInBand __tests__/hooks/useExternalFoodSearch.test.ts __tests__/hooks/useExternalProviders.test.ts __tests__/screens/FoodSearchScreen.test.tsx
  5. Configure an active YAZIO external food provider and verify the Online food-search source chips show YAZIO alongside the other active providers.

PR Type

  • Issue (bug fix)
  • New Feature
  • Refactor
  • Documentation

Checklist

All PRs:

  • [MANDATORY - ALL] Integrity & License: I certify this is my own work, free of malicious code, and I agree to the License terms.

New features only:

  • [MANDATORY for new feature] Alignment: I have raised a GitHub issue and it was reviewed/approved by maintainers or it was approved on Discord.

Frontend changes (SparkyFitnessFrontend/):

  • [MANDATORY for Frontend changes] Quality: I have run pnpm run validate and it passes.
  • [MANDATORY for Frontend changes] Translations: I have only updated the English (en) translation file.

Backend changes (SparkyFitnessServer/):

  • [MANDATORY for Backend changes] Code Quality: I have run typecheck, lint, and tests. New files use TypeScript, new endpoints have Zod schemas, and new endpoints include tests.
  • [MANDATORY for Backend changes] Database Security: I have updated rls_policies.sql for any new user-specific tables. (N/A: this PR only extends the existing external-provider type/check constraints; no new user-specific tables.)

UI changes (components, screens, pages):

  • [MANDATORY for UI changes] Screenshots: I have attached Before/After screenshots below.

Mobile changes (SparkyFitnessMobile/):

  • [MANDATORY for Mobile changes] Tested on device or emulator: I have verified the changes work on iOS or Android. (Automated mobile screen/hook coverage was run locally; current web/PWA screenshots from the dev deployment are attached below.)

Screenshots

Click to expand

Before

The previous Online provider picker did not include YAZIO as a selectable provider.

After

YAZIO provider form

YAZIO provider form

Default barcode provider includes YAZIO

Default barcode provider includes YAZIO

Online search result from YAZIO

Online search result from YAZIO

Edit food details from YAZIO result

Edit food details

YAZIO unit variants imported

YAZIO unit variants

Add-to-meal unit picker includes YAZIO units

Add to meal unit picker

Mobile: YAZIO provider settings (commit 49799ed)

Mobile YAZIO settings

Mobile: YAZIO search results (commit 49799ed)

Mobile YAZIO search

Notes for Reviewers

  • YAZIO requires server-level OAuth client credentials (YAZIO_CLIENT_ID and YAZIO_CLIENT_SECRET) plus provider username/password credentials.
  • DM me for a YAZIO Test account you can use to actively test this implementation.
  • The unofficial Yazio API uses OAuth2 credentials that I reverse-engineered from the official Yazio app. These credentials have never changed since the app's first lunch (6+ Years) and are hardcoded in the official app.
  • The mobile app does not need platform-specific iOS/Android changes; it reads active providers from the existing provider API and supports YAZIO through the shared provider type list.
  • corepack pnpm run validate in SparkyFitnessFrontend initially failed because tsc -b requires a build mode invocation; the equivalent checklist steps were run individually and passed: tsc -b, ESLint, and Prettier check.

Thore Eichler added 6 commits June 6, 2026 09:27
Implements YAZIO integration as a new external food provider using the
reverse-engineered YAZIO private API (OAuth2 password grant).

Changes:
- Server: new yazioService integration (search, details, barcode lookup)
- Server: wire YAZIO into externalProviderService and foodCoreService
- Server: API routes updated for YAZIO provider type
- Server: migrations for provider_type lookup + CHECK constraint
- Server: unit tests (4/4 passing) with mocked API responses
- Frontend: provider settings UI, food search, barcode scanner support
- Mobile: food search screen + hook updated for YAZIO
- .env.example: YAZIO_CLIENT_ID/YAZIO_CLIENT_SECRET config

Notes:
- YAZIO API is unofficial/private — may break if YAZIO changes it
- Credentials loaded via env vars (not hardcoded)
- Provider marked as experimental in UI

Refs: CodeWithCJ#1442
Scale YAZIO density nutrient payloads to per-100g/ml values so imported foods no longer save as 1 kcal with near-zero macros. Preserve provider verified metadata and cover the mapping with regression tests.
@github-actions

github-actions Bot commented Jun 6, 2026

Copy link
Copy Markdown

PR Validation Results

Change Detection

  • 🖥️ Frontend changes detected
  • ⚙️ Backend changes detected

✅ All checks passed. Thank you!

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements an experimental integration with the YAZIO food provider across the web frontend, mobile app, and backend server. It adds support for YAZIO product searches, barcode lookups, and credential management. Feedback on the backend implementation focuses on improving robustness and error handling in yazioService.ts. Specifically, the reviewer identified a potential division-by-zero bug when scaling nutrients, a concurrency issue with parallel token requests, and potential TypeError crashes if the API returns non-array data or if a null product is mapped.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread SparkyFitnessServer/integrations/yazio/yazioService.ts
Comment thread SparkyFitnessServer/integrations/yazio/yazioService.ts
Comment thread SparkyFitnessServer/integrations/yazio/yazioService.ts Outdated
Comment thread SparkyFitnessServer/integrations/yazio/yazioService.ts
@thorethy1

Copy link
Copy Markdown
Author

Addressed Gemini review feedback in cd16e1a:

  • Guarded variant nutrient scaling against zero/invalid serving weights.
  • Deduplicated concurrent YAZIO OAuth token requests per account/base URL.
  • Treat unexpected non-array search payloads as empty results.
  • Made mapYazioProduct null-safe.

Validation after the fix:

  • corepack pnpm run typecheck
  • corepack pnpm run lint
  • corepack pnpm exec vitest run tests/yazioService.test.ts

All passed locally.

Thore Eichler added 5 commits June 6, 2026 11:29
Propagate the selected online provider into mobile barcode lookups so YAZIO scans query the selected YAZIO provider before OpenFoodFacts fallback.
YAZIO search results do not include EANs for real barcode queries, so hydrate candidate details and match their eans before falling back to OpenFoodFacts. Preserve the scanned barcode in the normalized result.
- Fix YAZIO Client ID/Secret not persisted on edit (merge existing credentials with user edits)
- Add prominent warning about unofficial API, ban risk, and instability
- Remove redundant migration files (yazio already in refactor migration)
- Add yazio to external_provider_types lookup table
- Add regression tests for YAZIO credential merge

No mobile changes — mobile will be separate PR.
- Server: validateYazioProviderCredentials now accepts EITHER login creds (username+password) OR client creds (clientId+clientSecret)
- Server: requireCredentials in yazioService only requires clientId+clientSecret, username+password optional
- Server: getYazioAccessToken only sends username/password in token request if both are provided
- Frontend: yazio providerRequirements only requires yazio_client_id and yazio_client_secret
- Frontend: Added '(Optional)' labels to YAZIO Email/Password fields in ProviderSpecificFields and EditProviderForm
- Frontend: Added helper text explaining email/password are optional
- Tests: Added server tests for YAZIO with only client credentials and for rejecting YAZIO without any credentials
- Tests: Added yazioService test for token request without username/password
- Tests: Updated validateProvider test expectations

No mobile changes - mobile will be separate PR.
@gitguardian

gitguardian Bot commented Jun 6, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
33773161 Triggered Generic Password d7abc7b SparkyFitnessFrontend/src/pages/Settings/ProviderSpecificFields.tsx View secret
33773161 Triggered Generic Password 2372148 SparkyFitnessFrontend/src/pages/Settings/ProviderSpecificFields.tsx View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@thorethy1 thorethy1 force-pushed the feature/yazio-provider-1442 branch from 898ff97 to 4acafc9 Compare June 6, 2026 17:37
Thore Eichler and others added 9 commits June 6, 2026 20:09
- Server: validateYazioProviderCredentials now accepts EITHER login creds (username+password) OR client creds (clientId+clientSecret)
- Server: requireCredentials in yazioService only requires clientId+clientSecret, username+password optional
- Server: getYazioAccessToken only sends username/password in token request if both are provided
- Frontend: yazio providerRequirements only requires yazio_client_id and yazio_client_secret
- Frontend: Added '(Optional)' labels to YAZIO Email/Password fields in ProviderSpecificFields and EditProviderForm
- Frontend: Added helper text explaining email/password are optional
- Tests: Added server tests for YAZIO with only client credentials and for rejecting YAZIO without any credentials
- Tests: Added yazioService test for token request without username/password
- Tests: Updated validateProvider test expectations

No mobile changes - mobile will be separate PR.
Removed YAZIO integration credentials section from example env file.
Comment thread docker/.env.example
@CodeWithCJ CodeWithCJ merged commit b4b16ab into CodeWithCJ:main Jun 6, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Add YAZIO as an external food provider

2 participants