feat(api,astro): ✨ Implement bulk request filing and TanStack Form migration

Implement bulk FOIA request creation API endpoint and integrate it into the frontend.

Key changes:
- **API:** Added `POST /requests/bulk` endpoint to create multiple requests simultaneously.
- **API:** Auto-login user after successful registration, returning token/MFA status.
- **API:** Added custom Hono validation hook for development logging.
- **Astro:** Migrated `LoginForm`, `RegisterForm`, and `NewRequestForm` to use TanStack Form with Zod validation for improved state management and validation.
- **Astro:** Replaced `AgencySearch` with `MultiAgencySelector` to support bulk filing.
- **Astro:** Refactored API calls in `documents-page.tsx` to use the new `ApiClient` class.
- **Astro:** Updated service worker to use `async/await` for `staleWhileRevalidate` strategy.
- **Astro:** Updated Cypress test password to meet new complexity requirements.

Author: WomB0ComB0

apps/api/data/foia-stream.db-shm

@@ -50,7 +50,14 @@ import type { AppBindings, AppOpenAPI } from './types';
 export function createRouter(): OpenAPIHono<AppBindings> {
   return new OpenAPIHono<AppBindings>({
     strict: false,
-    defaultHook,
+    defaultHook: (result, c) => {
+      // Custom hook: log validation errors in development
+      if (!result.success) {
+        console.error('[API Validation Error]', JSON.stringify(result.error.issues, null, 2));
+      }
+      // Call the original defaultHook behavior
+      return defaultHook(result, c);
+    },
   });
 }
 

apps/api/data/foia-stream.db-wal

@@ -65,7 +65,7 @@ const mapUserResponse = (user: Omit<User, 'passwordHash'>) => ({
  * Handler for POST /auth/register
  *
  * @param {Context} c - Hono context with validated request body
- * @returns {Promise<Response>} JSON response with created user or error
+ * @returns {Promise<Response>} JSON response with created user and token or error
  * @compliance NIST 800-53 AC-2 (Account Management)
  * @compliance GDPR Article 7 (Conditions for consent)
  */
@@ -89,10 +89,11 @@ export const register = async (c: Context) => {
       consents?: ConsentData;
     };
 
-    const { consents, ...userData } = data;
+    const { consents, password, ...userData } = data;
     // Ensure role has a default value
     const userDataWithDefaults = {
       ...userData,
+      password,
       role: userData.role || ('civilian' as const),
     };
     const user = await authService.createUser(userDataWithDefaults);
@@ -105,10 +106,23 @@ export const register = async (c: Context) => {
       await consentService.recordRegistrationConsent(user.id, consents, ipAddress, userAgent);
     }
 
+    // Auto-login the user after registration
+    const ipAddress = c.req.header('x-forwarded-for') || c.req.header('x-real-ip');
+    const userAgent = c.req.header('user-agent');
+    const loginResult = await authService.login(data.email, data.password, {
+      ipAddress,
+      userAgent,
+    });
+
     return c.json(
       {
         success: true,
-        data: mapUserResponse(user),
+        data: {
+          token: loginResult.token,
+          user: mapUserResponse(user),
+          requiresMFA: loginResult.requiresMFA,
+          mfaToken: loginResult.mfaToken,
+        },
         message: 'Account created successfully',
       },
       201,

apps/api/src/lib/create-app.ts

@@ -60,7 +60,8 @@ export const ConsentDataSchema = z
     termsAccepted: z.boolean().openapi({ example: true }),
     privacyAccepted: z.boolean().openapi({ example: true }),
     dataProcessingAccepted: z.boolean().openapi({ example: true }),
-    consentTimestamp: z.string().datetime().openapi({ example: '2024-12-25T00:00:00.000Z' }),
+    // Accept any ISO string format from frontend
+    consentTimestamp: z.string().openapi({ example: '2024-12-25T00:00:00.000Z' }),
   })
   .openapi('ConsentData');
 
@@ -329,10 +330,10 @@ export const registerRoute = createRoute({
     [HttpStatusCodes.CREATED]: {
       content: {
         'application/json': {
-          schema: successResponse(UserResponseSchema, 'Account created successfully'),
+          schema: successResponse(LoginResponseSchema, 'Account created successfully'),
         },
       },
-      description: 'User created successfully',
+      description: 'User created and logged in successfully',
     },
     [HttpStatusCodes.BAD_REQUEST]: {
       content: {

apps/api/src/routes/auth/auth.handlers.ts

@@ -60,6 +60,10 @@ router.openapi(routes.getDeadlinesRoute, handlers.getDeadlines);
 router.get('/requests/overdue', authMiddleware);
 router.openapi(routes.getOverdueRoute, handlers.getOverdue);
 
+// Bulk create requests - must be before /requests/:id
+router.post('/requests/bulk', authMiddleware);
+router.openapi(routes.createBulkRequestRoute, handlers.createBulkRequests);
+
 // ============================================
 // Optional Auth Route (GET /requests/:id)
 // Must be after specific routes like /requests/my

apps/api/src/routes/auth/auth.routes.ts

@@ -212,6 +212,46 @@ export const createRequest: AppRouteHandler<typeof createRequestRoute> = async (
   }
 };
 
+/**
+ * Bulk create FOIA requests handler
+ * Creates multiple requests for different agencies with the same content
+ */
+export const createBulkRequests: AppRouteHandler<typeof createBulkRequestRoute> = async (c) => {
+  try {
+    const { userId } = c.get('user');
+    const { agencyIds, ...requestData } = c.req.valid('json');
+
+    // Create requests for each agency
+    const createdRequests = await Promise.all(
+      agencyIds.map((agencyId: string) =>
+        foiaRequestService.createRequest(userId, {
+          agencyId,
+          ...requestData,
+        }),
+      ),
+    );
+
+    return c.json(
+      {
+        success: true as const,
+        data: {
+          createdRequests,
+          totalCreated: createdRequests.length,
+        },
+        message: `Successfully created ${createdRequests.length} request${createdRequests.length > 1 ? 's' : ''}`,
+      },
+      HttpStatusCodes.CREATED,
+    );
+  } catch (error) {
+    return handleRouteError(
+      c,
+      error,
+      'Failed to create bulk requests',
+      HttpStatusCodes.BAD_REQUEST,
+    );
+  }
+};
+
 /**
  * Submit a draft request handler
  */

apps/api/src/routes/requests/index.ts

@@ -484,6 +484,98 @@ export const createRequestRoute = createRoute({
   },
 });
 
+/**
+ * Bulk create request schema - for sending to multiple agencies
+ */
+const BulkCreateRequestSchema = z
+  .object({
+    agencyIds: z
+      .array(z.string())
+      .min(1, 'At least one agency is required')
+      .max(20, 'Maximum 20 agencies per bulk request')
+      .openapi({ example: ['agency-123', 'agency-456'] }),
+    category: RecordCategorySchema.openapi({ example: 'body_cam_footage' }),
+    title: z
+      .string()
+      .min(1)
+      .max(200)
+      .openapi({ example: 'Body camera footage from incident on Main St' }),
+    description: z.string().min(1).openapi({
+      example:
+        'Requesting all body camera footage from officers responding to incident #12345 on January 15, 2024',
+    }),
+    dateRangeStart: z.string().optional().openapi({ example: '2024-01-15' }),
+    dateRangeEnd: z.string().optional().openapi({ example: '2024-01-15' }),
+    templateId: z.string().optional(),
+    isPublic: z.boolean().default(false).openapi({ example: true }),
+  })
+  .openapi('BulkCreateRequest');
+
+/**
+ * Bulk create FOIA requests
+ */
+export const createBulkRequestRoute = createRoute({
+  tags: ['Requests'],
+  method: 'post',
+  path: '/requests/bulk',
+  summary: 'Bulk create FOIA requests',
+  description:
+    'Create multiple FOIA requests for different agencies with the same content. Useful for sending the same request to multiple agencies simultaneously.',
+  security: [{ bearerAuth: [] }],
+  request: {
+    body: {
+      required: true,
+      description: 'Bulk FOIA request data with multiple agency IDs',
+      content: {
+        'application/json': {
+          schema: BulkCreateRequestSchema,
+        },
+      },
+    },
+  },
+  responses: {
+    [HttpStatusCodes.CREATED]: {
+      description: 'Requests created successfully',
+      content: {
+        'application/json': {
+          schema: z.object({
+            success: z.literal(true),
+            data: z.object({
+              createdRequests: z.array(FOIARequestSchema),
+              totalCreated: z.number(),
+            }),
+            message: z.string().openapi({ type: 'string' }),
+          }),
+        },
+      },
+    },
+    [HttpStatusCodes.BAD_REQUEST]: {
+      description: 'Creation error',
+      content: {
+        'application/json': {
+          schema: ErrorResponseSchema,
+        },
+      },
+    },
+    [HttpStatusCodes.UNAUTHORIZED]: {
+      description: 'Not authenticated',
+      content: {
+        'application/json': {
+          schema: ErrorResponseSchema,
+        },
+      },
+    },
+    [HttpStatusCodes.UNPROCESSABLE_ENTITY]: {
+      description: 'Validation error',
+      content: {
+        'application/json': {
+          schema: ErrorResponseSchema,
+        },
+      },
+    },
+  },
+});
+
 /**
  * Submit a draft request
  */
@@ -650,6 +742,7 @@ export const withdrawRequestRoute = createRoute({
 
 // Export schemas
 export {
+  BulkCreateRequestSchema,
   CreateRequestSchema,
   FOIARequestSchema,
   FOIARequestWithAgencySchema,

apps/api/src/routes/requests/requests.handlers.ts

@@ -105,8 +105,8 @@ describe('Authentication', () => {
       cy.get('input[name="lastName"]').should('not.be.disabled').type('User');
       cy.get('input[name="email"]').should('not.be.disabled').type('newuser@example.com');
       cy.get('input[name="organization"]').should('not.be.disabled').type('New Org');
-      cy.get('input[name="password"]').should('not.be.disabled').type('password123');
-      cy.get('input[name="confirmPassword"]').should('not.be.disabled').type('password123');
+      cy.get('input[name="password"]').should('not.be.disabled').type('Password123');
+      cy.get('input[name="confirmPassword"]').should('not.be.disabled').type('Password123');
 
       // Handle Terms of Service
       cy.contains('button', 'Read & Accept').first().click(); // Opens Terms modal

apps/api/src/routes/requests/requests.routes.ts

@@ -25,6 +25,7 @@
     "@effect/platform": "^0.82.8",
     "@foia-stream/shared": "workspace:*",
     "@nanostores/react": "^0.8.4",
+    "@tanstack/react-form": "^1.27.6",
     "@tanstack/react-query": "^5.90.12",
     "@tanstack/react-query-devtools": "^5.91.1",
     "astro": "^5.8.0",
@@ -36,6 +37,7 @@
     "react": "^19.1.0",
     "react-dom": "^19.1.0",
     "tailwind-merge": "^3.3.0",
+    "zod": "^4.2.1",
     "zustand": "^5.0.9"
   },
   "devDependencies": {