docs: add AGENTS.md codebase map, bump Go version, clean gitignore

ci: test runner with network config fix
ci: trigger fresh build with DOCKER_NETWORK fix
2026-06-13 01:57:54 +05:00 · 2026-06-12 17:48:29 +05:00 · 2026-06-12 17:44:09 +05:00 · 2026-06-12 17:41:38 +05:00 · 2026-06-12 17:32:03 +05:00 · 2026-06-12 17:01:48 +05:00
15 changed files with 493 additions and 247 deletions
@@ -1,21 +1,21 @@
-PGHOST=db
-PGPORT=5432
-PGUSER=postgres
-PGPASSWORD=postgres
-PGDATABASE=postgres
-SSLmode=disable
-PGURL='postgres://postgres:postgres@db:5432/postgres?sslmode=disable'
-
-# SERVER
-SERVER_PORT=8000
-SECRET_KEY=my_very_secret_key
-
-# MIGRATOR
-MIGRATOR_PORT=3000
-GOOSE_DRIVER=postgres
-GOOSE_DBSTRING='user=postgres dbname=postgres sslmode=disable'
-GOOSE_MIGRATION_DIR=migrations
-
-# FRONTEND SPA
-INNERPORT=80
-OUTERPORT=8088
+PGHOST=db
+PGPORT=5432
+PGUSER=postgres
+PGPASSWORD=HnFxccAF3sdUwnI1EkwmXQ==
+PGDATABASE=postgres
+SSLmode=disable
+PGURL='postgres://postgres:HnFxccAF3sdUwnI1EkwmXQ==@db:5432/postgres?sslmode=disable'
+
+# SERVER
+SERVER_PORT=8000
+SECRET_KEY=lUx8h9lpIPNPdcW9q27sJtgcZD/XlZnJWKQSLQ8t7rc=
+
+# MIGRATOR
+MIGRATOR_PORT=3000
+GOOSE_DRIVER=postgres
+GOOSE_DBSTRING='user=postgres password=HnFxccAF3sdUwnI1EkwmXQ== dbname=postgres sslmode=disable'
+GOOSE_MIGRATION_DIR=migrations
+
+# FRONTEND SPA
+HTTP=80         # ДЛЯ Certbot
+HTTPS=443
@@ -0,0 +1,24 @@
+name: Deploy
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Go binary
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            -w /workspace/api \
+            golang:1.22.5 \
+            sh -c 'go mod tidy && go build -o /workspace/api/bin/api cmd/main.go'
+
+      - name: Copy binary and restart service
+        run: |
+          cp api/bin/api /home/gaziz/artefacts/tp/main_dc/yalarba/api_yal/bin/api
+          docker compose -f /home/gaziz/artefacts/tp/main_dc/docker-compose.yml restart api_yal
@@ -1,34 +1,38 @@
-/spa/node_modules
-.env
-.vscode
+/spa/node_modules
+.env
+.vscode
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+.DS_Store
+dist
+dist-ssr
+coverage
+*.local
+
+/cypress/videos/
+/cypress/screenshots/
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
+
+*.tsbuildinfo
+
+# Binaries
+api/bin/

-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-pnpm-debug.log*
-lerna-debug.log*
-
-node_modules
-.DS_Store
-dist
-dist-ssr
-coverage
-*.local
-
-/cypress/videos/
-/cypress/screenshots/
-
-# Editor directories and files
-.vscode/*
-!.vscode/extensions.json
-.idea
-*.suo
-*.ntvs*
-*.njsproj
-*.sln
-*.sw?
-
-*.tsbuildinfo
@@ -0,0 +1,93 @@
+# YalArba (ЯлАрба) — Tourist Aggregator
+
+**Generated:** 2026-06-12
+**Commit:** 165d5a5
+**Branch:** main
+
+## OVERVIEW
+Go REST API backend (chi router + GORM + PostgreSQL) with docker-compose orchestration. SPA frontend via Nginx reverse proxy + Certbot. Goose for DB migrations. JWT auth via HttpOnly cookies.
+
+## STRUCTURE
+```
+./
+├── api/                    # Go backend service
+│   ├── cmd/main.go         # Entry point
+│   ├── src/
+│   │   ├── configs/        # Server + DB config structs
+│   │   ├── initializers/   # Chi routing + GORM DB init
+│   │   ├── models/         # GORM models (User, Essence, Contact, Point)
+│   │   ├── rt/             # Route handlers grouped by domain
+│   │   │   ├── auth/       # Login, Register, JWT middleware
+│   │   │   ├── admin/      # Admin-only endpoints
+│   │   │   ├── prf/        # Profile (stub)
+│   │   │   └── srch/       # Search (stub)
+│   │   └── storages/psql/  # Global *gorm.DB var
+│   └── Dockerfile
+├── migrator/               # Goose migration runner
+│   └── migrations/         # Timestamped SQL migrations
+├── spa/                    # Nginx + static HTML landing + certbot
+│   ├── index.html          # Landing page (Russian)
+│   └── data/nginx/         # Nginx config
+├── docker-compose.yaml     # services: db, api, migrator, spa, certbot
+├── Makefile                # build, run, clean, test
+└── .env                    # Environment variables (DO NOT COMMIT)
+```
+
+## WHERE TO LOOK
+| Task | Location | Notes |
+|------|----------|-------|
+| Add API route | `api/src/initializers/Routing.go` + `api/src/rt/` | Register handler in Routing.go; create handler in rt/ subdir |
+| Add DB model | `api/src/models/` | GORM struct with json + gorm tags; UUID PKs |
+| Add migration | `migrator/migrations/` | Goose format: timestamp_description.sql |
+| Auth logic | `api/src/rt/auth/` | JWT in HttpOnly cookie; claims in request context |
+| DB access | `api/src/storages/psql/psql.go` | Global `PSQL_GORM_DB *gorm.DB` |
+| Config/env vars | `.env` → `os.Getenv()` in code | Config structs in `api/src/configs/` |
+
+## CODE MAP
+| Symbol | Type | Location | Role |
+|--------|------|----------|------|
+| `main` | func | `api/cmd/main.go:16` | Entry: calls InitChiRouting + InitDBconnection |
+| `InitChiRouting` | func | `api/src/initializers/Routing.go:21` | Sets up chi router, middlewares, all routes |
+| `InitDBconnection` | func | `api/src/initializers/PGQL_DB.go:14` | GORM Postgres connection, sets psql.PSQL_GORM_DB |
+| `PSQL_GORM_DB` | var | `api/src/storages/psql/psql.go:5` | Global DB handle |
+| `Login` | func | `api/src/rt/auth/Login.go:21` | Validates creds, issues JWT cookie |
+| `Register` | func | `api/src/rt/auth/Registr.go:54` | Validates input, hashes password, creates user |
+| `AuthMiddleware` | func | `api/src/rt/auth/authMiddleware.go:11` | JWT cookie validation middleware |
+| `AuthAdminMiddleware` | func | `api/src/rt/auth/authAdminMiddlware.go:11` | JWT + role=admin check |
+| `User` | struct | `api/src/models/user.go:5` | GORM model: id, name, email, password, phone, role |
+| `Claims` | struct | `api/src/models/authDataStructs.go:15` | JWT claims: email, phone, role |
+
+## CONVENTIONS
+- **Naming**: Go package names are short abbreviations (auth, prf, srch, admin). File names in PascalCase.
+- **DB**: GORM with UUID PKs (`AutoIncrement:false`). Goose for migrations with timestamp prefixes.
+- **Auth**: JWT stored in HttpOnly/Secure/SameSite cookie. Role stored in claims. Context key is `"email"`.
+- **Config**: All config via `os.Getenv()`, no config files. `.env` loaded by docker-compose.
+- **Logging**: `log/slog` structured logging.
+- **Errors**: `http.Error()` for simple errors. JSON-encoded `validationError` struct for validation.
+- **Password**: bcrypt cost 14. Max password length 72 (bcrypt limit).
+- **Role defaults**: Empty role on registration → "user".
+
+## ANTI-PATTERNS (THIS PROJECT)
+- `os.Exit(2)` on DB failure — kills entire process, no graceful shutdown
+- Duplicate JWT parsing logic between `authMiddleware.go` and `authAdminMiddlware.go`
+- `authAdminMiddlware.go` has typo in filename ("Middlware")
+- `AuthUserMiddleware.go` in prf/ is a dead stub (always 401)
+- Global mutable state (`PSQL_GORM_DB`, package-level `jwtKey`)
+- HTTPS enforced on JWT cookies but HTTP port 80 exposed — mismatch in dev
+- `AGENTS.md` in `.gitignore` because it previously contained secrets — credentials belong in `.env` only
+
+## COMMANDS
+```bash
+make          # docker compose up (default)
+make build    # docker compose build
+make run      # docker compose up
+make clean    # docker builder prune
+make test     # go test ./api/src/auth/... -v
+make tc       # go test -cover
+```
+
+## NOTES
+- `.env` contains real secrets — never commit. The `.gitignore` entry for `AGENTS.md` was added because it previously held credentials. Remove that `.gitignore` line once this file is clean.
+- `Profile` and `Search` handlers are stubs (empty bodies).
+- Docker services depend on each other: db → api → migrator → spa+certbot.
+- Goose migration `GOOSE_DBSTRING` in `.env` must match PG credentials.
@@ -13,4 +13,4 @@ test:
 tc:
 	@go test -cover

-.DEFAULT_GOAL=run
+.DEFAULT_GOAL=run
@@ -1,6 +1,6 @@
 module api

-go 1.22.5
+go 1.26.0

 require github.com/go-chi/chi/v5 v5.1.0

@@ -13,7 +13,7 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/crypto v0.25.0
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 )

@@ -23,3 +23,10 @@ require (
 	gorm.io/driver/postgres v1.5.9
 	gorm.io/gorm v1.25.11
 )
+
+require (
+	github.com/go-chi/httprate v0.15.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+)
@@ -3,6 +3,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5g=
+github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -19,6 +21,8 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -26,10 +30,16 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1,68 +1,68 @@
-package initializers
-
-import (
-	"api/src/rt/admin"
-	"api/src/rt/auth"
-	"api/src/rt/prf"
-	"api/src/rt/srch"
-	"log/slog"
-	"os"
-	"time"
-
-	"net/http"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/v5/middleware"
-)
-
-var Done = make(chan bool)
-
-func InitChiRouting() {
-	slog.Info("Init routing")
-	r := chi.NewRouter()
-
-	// middlewares
-	r.Use(middleware.Logger)
-	r.Use(middleware.Timeout(60 * time.Second))
-	r.Use(middleware.RequestID)
-	r.Use(middleware.CleanPath)
-	r.Use(middleware.Heartbeat("/ping"))
-	r.Use(middleware.NoCache)
-	r.Use(middleware.Recoverer)
-	r.NotFound(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(404)
-		w.Write([]byte("route does not exist"))
-	})
-	r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(405)
-		w.Write([]byte("method is not valid"))
-	})
-
-	// public Routes
-	r.Group(func(r chi.Router) {
-		r.Post("/signup", auth.Register) // register
-		r.Post("/signin", auth.Login)    // signin
-		r.Get("/search", srch.Search)
-	})
-
-	// Private Routes
-	// Require Authentication
-	r.Group(func(r chi.Router) {
-		r.Use(auth.AuthMiddleware)
-		r.Get("/profile", prf.Profile)
-		r.Get("/allUsersAdm", admin.GetAllUser)
-		r.Route("/admin", func(r chi.Router) {
-			r.Use(auth.AuthAdminMiddleware)
-			r.Get("/allUsersAdm", admin.GetAllUser) // all users get
-		})
-	})
-
-	// up server on os.Getenv("SERVER_PORT") port on gorutin
-	go func() {
-		defer close(Done)
-		err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
-		if err != nil {
-			slog.Error("Can't start server: ", "error", err)
-		}
-	}()
-}
+package initializers
+
+import (
+	"api/src/rt/admin"
+	"api/src/rt/auth"
+	"api/src/rt/prf"
+	"api/src/rt/srch"
+	"log/slog"
+	"os"
+	"time"
+
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/httprate"
+)
+
+var Done = make(chan bool)
+
+func InitChiRouting() {
+	slog.Info("Init routing")
+	r := chi.NewRouter()
+
+	// middlewares
+	r.Use(middleware.Logger)
+	r.Use(middleware.Timeout(60 * time.Second))
+	r.Use(middleware.RequestID)
+	r.Use(middleware.CleanPath)
+	r.Use(middleware.Heartbeat("/ping"))
+	r.Use(middleware.NoCache)
+	r.Use(middleware.Recoverer)
+	r.NotFound(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(404)
+		w.Write([]byte("route does not exist"))
+	})
+	r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(405)
+		w.Write([]byte("method is not valid"))
+	})
+
+	// public Routes
+	r.Group(func(r chi.Router) {
+		r.Post("/signup", auth.Register)                       // register
+		r.With(httprate.Limit(5, 1*time.Minute)).Post("/signin", auth.Login) // signin with rate limiter
+		r.Get("/search", srch.Search)
+	})
+
+	// Private Routes
+	// Require Authentication
+	r.Group(func(r chi.Router) {
+		r.Use(auth.AuthMiddleware)
+		r.Get("/profile", prf.Profile)
+		r.Route("/admin", func(r chi.Router) {
+			r.Use(auth.AuthAdminMiddleware)
+			r.Get("/allUsersAdm", admin.GetAllUser) // all users get
+		})
+	})
+
+	// up server on os.Getenv("SERVER_PORT") port on gorutin
+	go func() {
+		defer close(Done)
+		err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
+		if err != nil {
+			slog.Error("Can't start server: ", "error", err)
+		}
+	}()
+}
@@ -1,61 +1,68 @@
-package auth
-
-import (
-	"api/src/models"
-	"api/src/storages/psql"
-	"encoding/json"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/golang-jwt/jwt/v4"
-	"golang.org/x/crypto/bcrypt"
-)
-
-var jwtKey = []byte(os.Getenv("SECRET_KEY"))
-
-func Login(w http.ResponseWriter, r *http.Request) {
-	var creds models.Credentials
-	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-	// check user
-	var user models.User
-	// get user by email
-	result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
-	if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-
-	// create jwt token
-	expirationtime := time.Now().Add(5 * time.Minute)
-	claims := &models.Claims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(expirationtime),
-		},
-		Email: user.Email,
-		Phone: user.Phone,
-		Role:  user.Role,
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	tokenString, err := token.SignedString(jwtKey)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-
-	http.SetCookie(w, &http.Cookie{
-		Name:    "token",
-		Value:   tokenString,
-		Expires: expirationtime,
-	})
-	w.WriteHeader(http.StatusOK)
-}
-
-func checkPasswordHash(password, hash string) bool {
-	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
-	return err == nil
-}
+package auth
+
+import (
+	"api/src/models"
+	"api/src/storages/psql"
+	"encoding/json"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	loginErrMsg = "invalid email or password"
+)
+
+var jwtKey = []byte(os.Getenv("SECRET_KEY"))
+
+func Login(w http.ResponseWriter, r *http.Request) {
+	var creds models.Credentials
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	// check user
+	var user models.User
+	result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
+	if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
+		http.Error(w, loginErrMsg, http.StatusUnauthorized)
+		return
+	}
+
+	// create jwt token
+	expirationtime := time.Now().Add(5 * time.Minute)
+	claims := &models.Claims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expirationtime),
+		},
+		Email: user.Email,
+		Phone: user.Phone,
+		Role:  user.Role,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString(jwtKey)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "token",
+		Value:    tokenString,
+		Expires:  expirationtime,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	})
+	w.WriteHeader(http.StatusOK)
+}
+
+func checkPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}
@@ -1,50 +1,97 @@
-package auth
-
-import (
-	"api/src/models"
-	"api/src/storages/psql"
-	"encoding/json"
-	"net/http"
-
-	"github.com/google/uuid"
-
-	"golang.org/x/crypto/bcrypt"
-)
-
-func Register(w http.ResponseWriter, r *http.Request) {
-	var Credentials models.Credentials
-	// Decoe body
-	if err := json.NewDecoder(r.Body).Decode(&Credentials); err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-
-	// shep password
-	hashedPassword, err := hashPassword(Credentials.Password)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-
-	id := uuid.New()
-
-	user := models.User{
-		Id:       id,
-		Name:     Credentials.Name,
-		Email:    Credentials.Email,
-		Password: hashedPassword,
-		Phone:    Credentials.Phone,
-		Role:     Credentials.Role,
-	}
-	result := psql.PSQL_GORM_DB.Create(&user)
-	if result.Error != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-	w.WriteHeader(http.StatusCreated)
-}
-
-func hashPassword(password string) (string, error) {
-	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
-	return string(bytes), err
-}
+package auth
+
+import (
+	"api/src/models"
+	"api/src/storages/psql"
+	"encoding/json"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/google/uuid"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+var (
+	emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`)
+	phoneRegex = regexp.MustCompile(`^\+?[0-9\s\-\(\)]{7,20}$`)
+	validRoles = map[string]bool{"user": true, "admin": true}
+)
+
+type validationError struct {
+	Field   string `json:"field"`
+	Message string `json:"message"`
+}
+
+func validateCredentials(c *models.Credentials) []validationError {
+	var errs []validationError
+
+	c.Name = strings.TrimSpace(c.Name)
+	c.Email = strings.TrimSpace(c.Email)
+	c.Phone = strings.TrimSpace(c.Phone)
+	c.Role = strings.TrimSpace(c.Role)
+
+	if c.Name == "" || len(c.Name) > 50 {
+		errs = append(errs, validationError{"name", "name is required and must be at most 50 characters"})
+	}
+	if c.Email == "" || len(c.Email) > 50 || !emailRegex.MatchString(c.Email) {
+		errs = append(errs, validationError{"email", "valid email is required"})
+	}
+	if c.Password == "" || len(c.Password) < 8 || len(c.Password) > 72 {
+		errs = append(errs, validationError{"password", "password must be between 8 and 72 characters"})
+	}
+	if c.Phone == "" || !phoneRegex.MatchString(c.Phone) {
+		errs = append(errs, validationError{"phone", "valid phone number is required"})
+	}
+	if c.Role != "" && !validRoles[c.Role] {
+		errs = append(errs, validationError{"role", "role must be 'user' or 'admin'"})
+	}
+
+	return errs
+}
+
+func Register(w http.ResponseWriter, r *http.Request) {
+	var creds models.Credentials
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+		http.Error(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	if errs := validateCredentials(&creds); errs != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]interface{}{"errors": errs})
+		return
+	}
+
+	hashedPassword, err := hashPassword(creds.Password)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if creds.Role == "" {
+		creds.Role = "user"
+	}
+
+	user := models.User{
+		Id:       uuid.New(),
+		Name:     creds.Name,
+		Email:    creds.Email,
+		Password: hashedPassword,
+		Phone:    creds.Phone,
+		Role:     creds.Role,
+	}
+	result := psql.PSQL_GORM_DB.Create(&user)
+	if result.Error != nil {
+		http.Error(w, "user with this email or phone already exists", http.StatusConflict)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
+	return string(bytes), err
+}
@@ -41,17 +41,29 @@ services:
    command: goose up

  spa:
-    build:
-      context: ./spa
-      dockerfile: Dockerfile
+    build: .
    env_file:
      - .env
    ports:
-      - "${OUTERPORT}:${INNERPORT}"
+      - "${HTTP}:${HTTP}"
+      - "${HTTPS}:${HTTPS}"
+    volumes:
+      - ./data/nginx/conf.d:/etc/nginx/conf.d
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
    depends_on:
      - api
      - db
      - migrator
+      - certbot
+  
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    restart: unless-stopped

 volumes:
  api:
@@ -1,11 +1,14 @@
-# Используем официальный образ Nginx
 FROM nginx:alpine

-# Копируем index.html в папку Nginx
+# Удаляем дефолтный конфиг Nginx
+RUN rm /etc/nginx/conf.d/default.conf
+
+# Копируем наш конфиг
+COPY ./data/nginx/conf.d/default.conf /etc/nginx/conf.d/
+
+# Копируем index.html
 COPY index.html /usr/share/nginx/html/

-# (Опционально) Можно заменить конфиг Nginx
-# COPY nginx/nginx.conf /etc/nginx/conf.d/default.conf
-
-# Порт, который будет слушать Nginx
-EXPOSE 80
+# Открываем порты
+EXPOSE 80
+EXPOSE 443
@@ -0,0 +1,25 @@
+server {
+    listen 80;
+    server_name yalarba.ru www.yalarba.ru;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name yalarba.ru www.yalarba.ru;
+
+    ssl_certificate /etc/letsencrypt/live/yalarba.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/yalarba.ru/privkey.pem;
+
+    location / {
+        root /usr/share/nginx/html;
+        index index.html;
+    }
+}
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Убедитесь, что домены указаны правильно
+domains="yalarba.ru www.yalarba.ru"
+email="valitovgaziz@yandex.ru"  # Замените на реальный email
+
+# Создаём временный контейнер Nginx для верификации
+docker compose up -d nginx
+
+# Запускаем Certbot для получения сертификатов
+docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot --email $email --agree-tos --no-eff-email -d $domains --force-renewal
+
+# Перезапускаем Nginx с новыми сертификатами
+docker compose restart nginx
Author	SHA1	Message	Date
valitovgaziz	2132c1de14	docs: add AGENTS.md codebase map, bump Go version, clean gitignore Deploy / build-and-deploy (push) Failing after 47s Details	2026-06-13 01:57:54 +05:00
valitovgaziz	165d5a5fc6	ci: test runner with network config fix Deploy / build-and-deploy (push) Failing after 55s Details	2026-06-12 17:48:29 +05:00
valitovgaziz	322334e7e2	ci: trigger fresh build with DOCKER_NETWORK fix Deploy / build-and-deploy (push) Failing after 48s Details	2026-06-12 17:44:09 +05:00
valitovgaziz	c26f916525	ci: test runner with DOCKER_NETWORK fix Deploy / build-and-deploy (push) Failing after 46s Details	2026-06-12 17:41:38 +05:00
valitovgaziz	7223ced88d	ci: add Gitea Actions deploy workflow Deploy / build-and-deploy (push) Failing after 42s Details	2026-06-12 17:32:03 +05:00
valitovgaziz	5de587689c	security: rotate secrets, add rate limiter, validate input, harden cookies	2026-06-12 17:01:48 +05:00
valitovgaziz	9f4fb23652	set volumes for api, postgres-db, goose	2025-05-07 16:42:30 +05:00
valitovgaziz	c5d10d3b5d	uncomment and replace mail name and delete hiphen on init scripts	2025-05-07 16:38:35 +05:00
valitovgaziz	8a8ee12779	comment migrator	2025-05-07 16:36:03 +05:00
valitovgaziz	44a6725a8e	add nginx docer image, add certbote image, set settings for	2025-05-07 16:21:30 +05:00
valitovgaziz	c86d4bbf41	Merge https://gitverse.ru/valitovgaziz/tp	2025-05-07 15:58:53 +05:00
root	d6a041df99	Fix the servers docker plugin	2025-05-06 15:50:53 +05:00