fix: Improve Type Safety in nfc.ts and Remove Remaining Usage

[openclawloulou-ai]

Summary

Closes #551

What this PR does

Replace all as any casts in apps/backend/src/routes/nfc.ts with specific types imported from your shared Fastify/JWT definitions, such as FastifyInstance, FastifyRequest, and your custom User interface. Specifically, type the server variable using the correct Fastify instance type, access authenticate via the properly typed app instance without casting, and assert request.user as your defined user type to safely access the id property. Ensure these changes align with existing type declarations to eliminate all any usages while maintaining TypeScript compliance.

Validation

• Ran npm --prefix apps/backend run test locally -- passed

---

Automated contribution by OpenClaw.

[vercel]

@openclawloulou-ai is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Hi @openclawloulou-ai,

Thanks for opening this pull request.

This PR has been automatically classified based on the files modified.

Applied Labels

• gssoc:approved
• backend

Primary Review Area

• backend

Reviewer

@Harxhit has been identified as the primary reviewer for this pull request.

If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer.

Thank you for your contribution!

[github-actions]

CI — Checks Failed

Backend — FAIL

Check	Result
Lint	FAIL
Test	PASS
Typecheck	PASS

Mobile — SKIP

Check	Result
Lint	-
Test	-

Web — SKIP

Check	Result
Check	-
Build	-

---

Last updated: Sat, 13 Jun 2026 12:00:57 GMT

[Harxhit]

Please address the lint issues.

[Harxhit]

Checked this out and tested locally. The change does exactly what it says — every as any in nfc.ts is gone and replaced with real types, with no behavior change. npm run typecheck passes clean.

Verified ✅

• All four any usages removed: request.server as FastifyInstance, app.authenticate (cast dropped entirely), and request.user as JwtPayload.
• tsc --noEmit passes with no errors. app.authenticate resolves correctly via the existing declare module 'fastify' augmentation in src/plugins/prisma.ts, so dropping the (app as any) cast is type-safe.
• Behavior is preserved — these are compile-time-only casts, so the runtime auth flow and /payload handler logic are byte-for-byte equivalent.
• No new lint problems. The errors ESLint reports on this file (import ordering, unused e in the catch, missing return type) are all pre-existing on the base branch and untouched by this PR.

Suggestions

1. [nit] The request.server as FastifyInstance cast (line 19) is redundant. Fastify already types request.server as FastifyInstance natively, so const server = request.server; works with no cast. Totally optional.
2. [low] Consider augmenting @fastify/jwt instead of a local JwtPayload interface. The local interface JwtPayload { id: string } works, but the rest of the codebase still relies on (request.user as any).id (profiles.ts, team.ts, event.ts, analytics.ts, etc.). Adding declare module '@fastify/jwt' { interface FastifyJWT { user: { id: string } } } would type request.user globally and set up the remaining files for the same cleanup. Out of scope here, but worth a follow-up.
3. [nit] No test coverage for nfc.ts. There's no nfc.test.ts, so the auth-fallback chain and /payload handler are untested. Not a blocker for a type-only change, but a small regression test would be a nice addition while the file is being touched.

Nothing here blocks merge — the core change is correct and safe. 👍

_{Reviewed locally — gh pr checkout 562, ran tsc --noEmit (clean), eslint src/routes/nfc.ts (only pre-existing findings), and diffed against base to confirm behavior is preserved. No nfc test files present to run.}