admin/family_wishlist
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: admin:docs/readme
Branches Tags
admin:main admin:chore/fix-package-versions admin:fix/header-nav-separate-row admin:fix/header-actions-and-uploaded-images admin:refactor/frontend-bem-classes admin:fix/friend-link-layout admin:feature/friend-wishlist-link admin:feature/i18n-avatar-upload admin:chore/update-frontend-port admin:fix/shared-runtime-build admin:fix/backend-runtime-seed admin:fix/frontend-router-type admin:fix/backend-docker-build admin:chore/shared-postgres-db-family admin:docs/readme admin:chore/docker-files admin:feat/frontend admin:feat/backend
..
compare: admin:chore/docker-files
Branches Tags
admin:main admin:chore/fix-package-versions admin:fix/header-nav-separate-row admin:fix/header-actions-and-uploaded-images admin:refactor/frontend-bem-classes admin:fix/friend-link-layout admin:feature/friend-wishlist-link admin:feature/i18n-avatar-upload admin:chore/update-frontend-port admin:fix/shared-runtime-build admin:fix/backend-runtime-seed admin:fix/frontend-router-type admin:fix/backend-docker-build admin:chore/shared-postgres-db-family admin:docs/readme admin:chore/docker-files admin:feat/frontend admin:feat/backend

1 Commits
docs/readm ... chore/dock

Author SHA1 Message Date
Anton
d84b9b5ee7 chore(docker): add containerized deployment and nginx proxy 2026-04-23 16:06:07 +03:00
6 changed files with 192 additions and 238 deletions
Expand all files Collapse all files

238
README.md
View File

@@ -1,238 +0,0 @@
# Family Wishlist
A small, private wishlist app for two users. Each user has their own profile, slug, and independent wishlist. Guests see a public page at `/u/<slug>` and can view active and fulfilled wishes.
- **Backend**: Node.js 20, Fastify 4, Prisma 5, PostgreSQL 16
- **Frontend**: React 18, Vite 5, Tailwind CSS, TanStack Query, React Hook Form + Zod
- **Monorepo**: pnpm workspaces
- **Deploy**: Docker Compose (Postgres + backend + nginx-served frontend)
---
## Features
- Two fixed accounts (credentials in env), password stored only as a **bcrypt hash**.
- Wish entity: title, price, currency, link, comment, image (auto-fetched from link or uploaded).
- Statuses: **Active → Archive / Fulfilled → Trash** (kept for 30 days, then permanently removed by a daily cron job).
- Restore from archive or trash. Duplicate from fulfilled into a new active wish.
- Badges on cards:
- owner: `new` for wishes under 5 days old; `fulfilled`, `archived`, `trash` states.
- guest: `new` if this guest hasn't seen the wish yet (tracked by a cookie-based `guestId`); fulfilled wishes look visually dimmed.
- Archive and trash are visible **only** to the owner.
- Profile page at `/u/:slug`, public and readable by anyone with the link.
---
## Repository layout
```
apps/
backend/ Fastify API, Prisma schema, jobs, scripts
frontend/ React SPA
packages/
shared/ zod schemas + DTO types shared between backend and frontend
docker/ Dockerfiles + nginx.conf
docker-compose.yml prod stack (postgres + backend + frontend)
docker-compose.dev.yml dev helper (postgres only)
.env.example full env template
```
### Backend layout (`apps/backend/src`)
```
config/env.ts zod-validated process.env + resolveUsers()
auth/users.registry.ts in-memory user registry, single source of truth for credentials
plugins/ fastify plugins (auth, cors, cookie, jwt, rate-limit, static, guest, multipart, prisma)
modules/
auth/ login / logout / me
profile/ GET / PATCH current user's profile
wishes/ CRUD + archive/complete/restore/duplicate + soft-delete
images/ OG-image fetcher + multipart upload + reset
public/ public profile and wishes + guest view tracking
meta/ /api/health + /api/version
jobs/purge-trash.ts node-cron daily purge of wishes older than 30 days
utils/ errors, bcrypt helpers, version helper
```
### Database (Prisma)
See `apps/backend/prisma/schema.prisma`. Tables:
- `User``id`, `username`, `slug`, `displayName`, `bio`, `avatarUrl`. **No password hash.**
- `Wish``userId`, `title`, `price`, `currency`, `url`, `comment`, `imageUrl`, `imageSource`, `status`, timestamps, `sourceWishId` (for duplicates).
- `GuestView``(guestId, wishId)` pairs for "already seen" tracking.
### Password storage
The plain password is **never stored** in this application — not in the database, not in env, not in logs. Storage split:
| Value | Location |
|---|---|
| Original password | Owner's password manager only |
| bcrypt hash | `.env` (`USER1_PASSWORD_HASH`, `USER2_PASSWORD_HASH`) |
| Users registry | Built from env on process start, lives in RAM |
| DB | Public fields only (username, slug, displayName) |
| JWT | `{ id, username }` — no credentials |
Verification flow (see `apps/backend/src/modules/auth/auth.service.ts`):
1. Client `POST /api/auth/login` with `{ username, password }` over HTTPS.
2. Server looks up user in the in-memory registry by `username`.
3. `bcrypt.compare(password, user.passwordHash)` runs unconditionally (dummy compare if the username is unknown) — this prevents username enumeration via response timing.
4. On success: signed JWT set as an httpOnly cookie (`fw_auth`). Rate limit: 5 logins / 10 minutes per IP.
5. Fastify logger redacts `req.body.password`, `req.headers.cookie`, `req.headers.authorization`.
---
## Getting started
### Prerequisites
- Node.js 20+
- pnpm 9+ (`corepack enable && corepack prepare pnpm@9.12.0 --activate`)
- Docker + Docker Compose (for the full stack)
- OpenSSL (for generating secrets)
### 1. Initialize git + install deps
```bash
git init -b main
pnpm install
```
### 2. Prepare the environment file
```bash
cp .env.example .env
```
Generate two strong secrets:
```bash
openssl rand -hex 32 # paste into JWT_SECRET
openssl rand -hex 32 # paste into COOKIE_SECRET
```
Generate a bcrypt hash for each user's password (the password is only present in your shell history — clear it afterwards if you care):
```bash
pnpm hash-password "Alice's strong password"
# => $2b$12$eImiTXuWV... copy this into USER1_PASSWORD_HASH
pnpm hash-password "Bob's strong password"
# => $2b$12$aBcDeFgHi... copy this into USER2_PASSWORD_HASH
```
Review the rest of `.env`:
- `USER1_USERNAME`, `USER1_SLUG`, `USER1_DISPLAY_NAME`
- `USER2_USERNAME`, `USER2_SLUG`, `USER2_DISPLAY_NAME`
- `POSTGRES_*` (used by Docker)
- `PUBLIC_APP_URL` (used for CORS in production)
### 3. Run everything via Docker
```bash
docker compose up --build
```
Opens:
- Frontend: http://localhost:8080
- Backend API: http://localhost:8080/api (proxied by nginx) or http://localhost:3000 if you map `backend`
- Postgres: internal only
On first start, the backend:
1. Runs `prisma db push` against the Postgres service (creates tables from `schema.prisma`; idempotent).
2. Seeds/upserts both users from env (public fields only — password hash stays in env).
3. Starts Fastify on port 3000.
4. Registers the daily trash-purge cron (runs at 03:17 UTC, also once on startup).
> For a stricter migration workflow, switch to `prisma migrate dev` locally to produce
> versioned migration files and change the Docker `CMD` to `prisma migrate deploy`.
### 4. Local development (hot reload)
Run Postgres in a container, apps on the host:
```bash
docker compose -f docker-compose.dev.yml up -d
# Override DATABASE_URL to point to localhost:
# DATABASE_URL=postgresql://wishlist:change_me@localhost:5432/family_wishlist
pnpm --filter @family-wishlist/backend prisma:push # apply schema (first time and on schema changes)
pnpm --filter @family-wishlist/backend seed # upsert two users from env into DB
pnpm dev
```
This starts both apps in parallel:
- Frontend: http://localhost:5173 (proxying `/api` and `/uploads` to http://localhost:3000)
- Backend: http://localhost:3000
### 5. Useful scripts
```bash
pnpm typecheck # typecheck all workspaces
pnpm format # prettier on the whole repo
pnpm hash-password "<password>" # print bcrypt hash to stdout
pnpm --filter @family-wishlist/backend prisma:studio # GUI over DB
```
---
## API
All responses are JSON. Authenticated endpoints require the `fw_auth` cookie.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | `/api/auth/login` | — | Returns auth user, sets cookie. Rate-limited. |
| POST | `/api/auth/logout` | — | Clears cookie. |
| GET | `/api/auth/me` | owner | Current user. |
| GET | `/api/profile` | owner | Own profile. |
| PATCH | `/api/profile` | owner | Update slug/displayName/bio/avatar. |
| GET | `/api/wishes?status=active\|archived\|completed\|deleted` | owner | List own wishes. |
| POST | `/api/wishes` | owner | Create. |
| GET | `/api/wishes/:id` | owner | Get own wish. |
| PATCH | `/api/wishes/:id` | owner | Update. |
| DELETE | `/api/wishes/:id` | owner | Soft-delete (to trash). |
| POST | `/api/wishes/:id/archive` | owner | |
| POST | `/api/wishes/:id/complete` | owner | |
| POST | `/api/wishes/:id/restore` | owner | From archive or trash back to active. |
| POST | `/api/wishes/:id/duplicate` | owner | Copy fulfilled wish into a new active one. |
| POST | `/api/wishes/:id/image` | owner | Multipart image upload. |
| POST | `/api/wishes/:id/image/refresh-og` | owner | Re-fetch OG image from link. |
| DELETE | `/api/wishes/:id/image` | owner | Reset to default. |
| GET | `/api/public/:slug` | — | Public profile. |
| GET | `/api/public/:slug/wishes` | — | Active + fulfilled wishes. Sets `isNewForGuest`. |
| POST | `/api/public/:slug/views` | — | Body `{ wishIds: [] }`. Marks as seen. |
| GET | `/api/health`, `/api/version` | — | Meta. |
---
## Versioning
Each package has its own version (`apps/backend/package.json` and `apps/frontend/package.json`). The app footer shows both:
```
frontend v0.1.0 · backend v0.1.0
```
Bump them per semver on each change:
- patch — bug fixes and small non-breaking tweaks,
- minor — backward-compatible features,
- major — breaking changes.
---
## Security notes
- Cookies are `httpOnly`, `SameSite=Lax`, `Secure` in production.
- All auth-scoped routes re-check ownership in the service layer (`userId` vs `req.user.id`).
- `/api/auth/login` is rate-limited; username enumeration is mitigated by a constant-time dummy compare.
- Image fetcher has a 10s timeout, a 5 MB cap, and accepts only `image/jpeg|png|webp|gif`.
- Multipart upload cap: 8 MB, one file per request.
- Prisma cascades delete `GuestView` rows when their wish is purged.
- In production, terminate TLS in front of the nginx container (Caddy / Traefik / cloud load balancer).

15
docker-compose.dev.yml Normal file
View File

@@ -0,0 +1,15 @@
services:
postgres:
image: postgres:16-alpine
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
ports:
- "5432:5432"
volumes:
- pgdata_dev:/var/lib/postgresql/data
volumes:
pgdata_dev:

59
docker-compose.yml Normal file
View File

@@ -0,0 +1,59 @@
services:
postgres:
image: postgres:16-alpine
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
volumes:
- pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
interval: 10s
timeout: 5s
retries: 10
backend:
build:
context: .
dockerfile: docker/backend.Dockerfile
restart: unless-stopped
env_file: .env
environment:
NODE_ENV: production
UPLOADS_DIR: /app/apps/backend/uploads
BACKEND_PORT: 3000
DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
depends_on:
postgres:
condition: service_healthy
volumes:
- uploads:/app/apps/backend/uploads
healthcheck:
test:
[
"CMD",
"wget",
"-qO-",
"http://127.0.0.1:3000/api/health",
]
interval: 30s
timeout: 5s
retries: 5
start_period: 20s
frontend:
build:
context: .
dockerfile: docker/frontend.Dockerfile
restart: unless-stopped
depends_on:
backend:
condition: service_started
ports:
- "8080:80"
volumes:
pgdata:
uploads:

51
docker/backend.Dockerfile Normal file
View File

@@ -0,0 +1,51 @@
# syntax=docker/dockerfile:1.7
FROM node:20-alpine AS base
ENV PNPM_HOME=/pnpm
ENV PATH=$PNPM_HOME:$PATH
RUN corepack enable && corepack prepare pnpm@9.12.0 --activate
RUN apk add --no-cache openssl
# ---------- deps ----------
FROM base AS deps
WORKDIR /app
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
COPY tsconfig.base.json ./
COPY packages/shared/package.json packages/shared/
COPY apps/backend/package.json apps/backend/
COPY apps/frontend/package.json apps/frontend/
# Prisma schema is needed before `prisma generate` so we copy it at this stage.
COPY apps/backend/prisma apps/backend/prisma
# Install only the backend workspace and its deps.
RUN pnpm install --filter @family-wishlist/backend... --frozen-lockfile || \
pnpm install --filter @family-wishlist/backend...
# Generate @prisma/client into node_modules so it's present in the runtime stage.
RUN pnpm --filter @family-wishlist/backend prisma:generate
# ---------- build ----------
FROM deps AS build
WORKDIR /app
COPY packages/shared packages/shared
COPY apps/backend apps/backend
RUN pnpm --filter @family-wishlist/backend build
# ---------- runtime ----------
FROM base AS runtime
WORKDIR /app
ENV NODE_ENV=production
# Copy everything needed for running: hoisted node_modules (with the generated
# @prisma/client inside), workspace packages, and the compiled backend.
COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/package.json ./package.json
COPY --from=build /app/pnpm-workspace.yaml ./pnpm-workspace.yaml
COPY --from=build /app/packages ./packages
COPY --from=build /app/apps/backend/node_modules ./apps/backend/node_modules
COPY --from=build /app/apps/backend/dist ./apps/backend/dist
COPY --from=build /app/apps/backend/prisma ./apps/backend/prisma
COPY --from=build /app/apps/backend/package.json ./apps/backend/package.json
COPY --from=build /app/apps/backend/scripts ./apps/backend/scripts
WORKDIR /app/apps/backend
EXPOSE 3000
# Apply schema (idempotent; uses `db push` so no prior migrations required) +
# seed env users + start server.
CMD ["sh", "-c", "pnpm exec prisma db push --accept-data-loss --skip-generate && pnpm seed && node dist/index.js"]

29
docker/frontend.Dockerfile Normal file
View File

@@ -0,0 +1,29 @@
# syntax=docker/dockerfile:1.7
FROM node:20-alpine AS base
ENV PNPM_HOME=/pnpm
ENV PATH=$PNPM_HOME:$PATH
RUN corepack enable && corepack prepare pnpm@9.12.0 --activate
# ---------- deps ----------
FROM base AS deps
WORKDIR /app
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
COPY tsconfig.base.json ./
COPY packages/shared/package.json packages/shared/
COPY apps/backend/package.json apps/backend/
COPY apps/frontend/package.json apps/frontend/
RUN pnpm install --filter @family-wishlist/frontend... --frozen-lockfile || \
pnpm install --filter @family-wishlist/frontend...
# ---------- build ----------
FROM deps AS build
WORKDIR /app
COPY packages/shared packages/shared
COPY apps/frontend apps/frontend
RUN pnpm --filter @family-wishlist/frontend build
# ---------- runtime (nginx) ----------
FROM nginx:1.27-alpine AS runtime
COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=build /app/apps/frontend/dist /usr/share/nginx/html
EXPOSE 80

38
docker/nginx.conf Normal file
View File

@@ -0,0 +1,38 @@
server {
listen 80;
server_name _;
root /usr/share/nginx/html;
index index.html;
# Static files with long cache
location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|gif|webp|ico)$ {
expires 7d;
add_header Cache-Control "public";
try_files $uri =404;
}
# API proxy
location /api/ {
proxy_pass http://backend:3000/api/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
client_max_body_size 10m;
}
# Uploaded files (images)
location /uploads/ {
proxy_pass http://backend:3000/uploads/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_cache_valid 200 1h;
}
# SPA fallback
location / {
try_files $uri /index.html;
}
}