tronosfera/Law
1
0
Fork 0
mirror of https://github.com/TronoSfera/Law.git synced 2026-05-18 18:13:46 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions
Mirror of https://github.com/TronoSfera/Law.git
24 commits 2 branches 0 tags 1.8 MiB
JavaScript 52.6%
Python 40.4%
CSS 3.7%
Shell 2.1%
HTML 0.8%
Other 0.3%
Find a file
TronoSfera a06f553406 add cert 2.5
2026-03-01 17:31:09 +03:00
.idea first commit 2026-02-22 10:57:49 +03:00
alembic add cert 2.5 2026-03-01 17:31:09 +03:00
app add cert 2.5 2026-03-01 17:31:09 +03:00
context add cert 2.5 2026-03-01 17:31:09 +03:00
deploy add cert 2.5 2026-03-01 17:31:09 +03:00
docs first commit 2026-02-22 10:57:49 +03:00
e2e fix client chat v2 2026-02-27 21:10:01 +03:00
frontend add cert 2.5 2026-03-01 17:31:09 +03:00
scripts/ops add cert 2.5 2026-03-01 17:31:09 +03:00
tests add cert 2.5 2026-03-01 17:31:09 +03:00
tmp Third commit 2026-02-23 17:54:19 +03:00
.gitignore add cert 2.1 2026-02-28 15:39:13 +03:00
alembic.ini first commit 2026-02-22 10:57:49 +03:00
docker-compose.local.yml add cert 2.4 2026-02-28 16:09:47 +03:00
docker-compose.prod.cert.yml add cert 2 2026-02-28 15:36:33 +03:00
docker-compose.prod.nginx.yml add cert 2 2026-02-28 15:36:33 +03:00
docker-compose.prod.yml add deploy 2026-02-28 11:45:08 +03:00
docker-compose.yml add cert 2.5 2026-03-01 17:31:09 +03:00
Dockerfile first commit 2026-02-22 10:57:49 +03:00
Makefile add cert 2.5 2026-03-01 17:31:09 +03:00
README.md add cert 2.5 2026-03-01 17:31:09 +03:00
requirements.txt Task P054-P057 2026-02-27 18:46:07 +03:00

README.md

Legal Case Tracker (FastAPI)

Backend skeleton: public requests + OTP + public JWT cookie + admin (admin/lawyer) + files (self-hosted S3) + SLA/auto-assign (Celery) + quotes + dedicated chat microservice.

Run (Docker)

cp .env.example .env
docker compose -f docker-compose.yml -f docker-compose.local.yml up --build

Landing (frontend): http://localhost:8081 Admin UI: http://localhost:8081/admin API (backend): http://localhost:8002 Swagger: http://localhost:8002/docs Chat service health (via nginx): http://localhost:8081/chat-health Email service health (via nginx): http://localhost:8081/email-health

Production (ruakb.ru + ruakb.online, 80/443, TLS via Nginx + Certbot)

Production stack uses dedicated edge nginx (docker-compose.prod.nginx.yml).

Prerequisites:

  • DNS A record: ruakb.ru -> 45.150.36.116
  • Optional DNS A record: www.ruakb.ru -> 45.150.36.116
  • DNS A record: ruakb.online -> 45.150.36.116
  • Optional DNS A record: www.ruakb.online -> 45.150.36.116
  • Open server ports: 80/tcp, 443/tcp
  • DB credentials in .env must be consistent:
    • DATABASE_URL=postgresql+psycopg://postgres:<password>@db:5432/legal
    • POSTGRES_PASSWORD=<same password>

Initial certificate issue (bootstrap with nginx on port 80 only):

make prod-cert-init LETSENCRYPT_EMAIL=you@example.com DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru

By default prod-cert-init also includes ruakb.online and www.ruakb.online. If needed, override:

make prod-cert-init \
  LETSENCRYPT_EMAIL=you@example.com \
  DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru \
  SECOND_DOMAIN=ruakb.online SECOND_WWW_DOMAIN=www.ruakb.online

Regular production start/update:

make prod-up

Certificate renew:

make prod-cert-renew

Checks:

curl -I https://ruakb.ru
curl -fsS https://ruakb.ru/health
curl -fsS https://ruakb.ru/chat-health
ss -lntp | egrep ':(80|443|5432|6379|8002|8081|9000|9001)\\b'

Migrations

docker compose exec backend alembic upgrade head

Seed Quotes (Upsert)

make seed-quotes

Loads 50 justice-themed quotes into quotes with idempotent upsert by (author, text).

OTP SMS provider (SMS Aero)

OTP sending is implemented through a dedicated SMS service layer (app/services/sms_service.py).

Public auth mode can be selected via environment:

PUBLIC_AUTH_MODE=sms          # sms | email | sms_or_email | totp
EMAIL_PROVIDER=dummy          # dummy | smtp
EMAIL_SERVICE_URL=http://email-service:8010
INTERNAL_SERVICE_TOKEN=change_me_internal_service_token
OTP_EMAIL_FALLBACK_ENABLED=true
OTP_SMS_MIN_BALANCE=20
ADMIN_AUTH_MODE=password_totp_optional  # password | password_totp_optional | password_totp_required
TOTP_ISSUER=Правовой Трекер

Configure provider in .env:

SMS_PROVIDER=smsaero
SMSAERO_EMAIL=your_email@example.com
SMSAERO_API_KEY=your_api_key
OTP_SMS_TEMPLATE=Your verification code: {code}
OTP_DEV_MODE=false
OTP_AUTOTEST_FORCE_MOCK_SMS=true

For SMTP email OTP:

EMAIL_PROVIDER=smtp
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=mailer@example.com
SMTP_PASSWORD=your_password
SMTP_FROM=mailer@example.com
SMTP_USE_TLS=true
SMTP_USE_SSL=false
OTP_EMAIL_SUBJECT_TEMPLATE=Код подтверждения: {code}
OTP_EMAIL_TEMPLATE=Ваш код подтверждения: {code}

For dedicated email microservice (recommended in production):

EMAIL_PROVIDER=service
EMAIL_SERVICE_URL=http://email-service:8010
INTERNAL_SERVICE_TOKEN=<strong-random-token>

Admin/Lawyer TOTP endpoints:

  • GET /api/admin/auth/totp/status
  • POST /api/admin/auth/totp/setup
  • POST /api/admin/auth/totp/enable
  • POST /api/admin/auth/totp/backup/regenerate
  • POST /api/admin/auth/totp/disable

For local/dev mock mode:

SMS_PROVIDER=dummy

In this mode OTP code is printed to backend logs.

You can also force mock mode with real provider settings:

OTP_DEV_MODE=true

When enabled, real SMS sending is disabled and OTP code is printed to backend logs.

Additionally, to protect SMS budget during automated tests:

OTP_AUTOTEST_FORCE_MOCK_SMS=true

When this flag is enabled and runtime is detected as autotest (pytest/unittest/APP_ENV=test|ci), SMS_PROVIDER=smsaero is automatically forced to mock mode for OTP sending.

Admin health-check endpoint (no SMS send): GET /api/admin/system/sms-provider-health

Secure Chat (encrypted at rest)

Chat logic is isolated in app/services/chat_secure_service.py.

  • Message bodies are encrypted before storing in DB (messages.body) and transparently decrypted on read.
  • Encryption key priority:
    1. CHAT_ENCRYPTION_SECRET
    2. DATA_ENCRYPTION_SECRET
    3. JWT secrets fallback (not recommended for production)

Recommended production config:

CHAT_ENCRYPTION_SECRET=<long-random-secret>
DATA_ENCRYPTION_SECRET=<long-random-secret>

Chat API runs in a dedicated container (chat-service) with separate FastAPI entrypoint: app/chat_main.py

Nginx routes only chat API prefixes to the chat container:

  • /api/public/chat/*
  • /api/admin/chat/*

Attachment antivirus and content checks

Attachment scanning is asynchronous (Celery queue uploads) and supports ClamAV + content policy checks.

Environment flags:

ATTACHMENT_SCAN_ENABLED=true
ATTACHMENT_SCAN_ENFORCE=true
ATTACHMENT_ALLOWED_MIME_TYPES=application/pdf,image/jpeg,image/png,video/mp4,text/plain
CLAMAV_ENABLED=true
CLAMAV_HOST=clamav
CLAMAV_PORT=3310
CLAMAV_TIMEOUT_SECONDS=20

Scan statuses on attachments:

  • PENDING (file uploaded, scan in progress)
  • CLEAN (safe to download)
  • INFECTED (blocked)
  • ERROR (scan failed, blocked when enforcement is on)

When ATTACHMENT_SCAN_ENFORCE=true, public/admin download endpoints block non-clean files.

Container health and alerting

Docker Compose is configured with:

  • restart: unless-stopped for core services
  • healthcheck for db, redis, backend, chat-service, frontend
  • startup ordering via depends_on: condition: service_healthy

Quick checks:

docker compose up -d
docker compose ps
curl -fsS http://localhost:8081/health
curl -fsS http://localhost:8081/chat-health
curl -fsS http://localhost:8081/email-health

Alert-ready smoke script (for cron/CI):

./scripts/ops/check_chat_health.sh

Exit code 0 means healthy, non-zero means alert condition.