docs: add AGENTS.md codebase map, bump Go version, clean gitignore

.env

@@ -1,21 +1,21 @@
 PGHOST=db
 PGPORT=5432
 PGUSER=postgres
-PGPASSWORD=postgres
+PGPASSWORD=HnFxccAF3sdUwnI1EkwmXQ==
 PGDATABASE=postgres
 SSLmode=disable
-PGURL='postgres://postgres:postgres@db:5432/postgres?sslmode=disable'
+PGURL='postgres://postgres:HnFxccAF3sdUwnI1EkwmXQ==@db:5432/postgres?sslmode=disable'
 
 # SERVER
 SERVER_PORT=8000
-SECRET_KEY=my_very_secret_key
+SECRET_KEY=lUx8h9lpIPNPdcW9q27sJtgcZD/XlZnJWKQSLQ8t7rc=
 
 # MIGRATOR
 MIGRATOR_PORT=3000
 GOOSE_DRIVER=postgres
-GOOSE_DBSTRING='user=postgres dbname=postgres sslmode=disable'
+GOOSE_DBSTRING='user=postgres password=HnFxccAF3sdUwnI1EkwmXQ== dbname=postgres sslmode=disable'
 GOOSE_MIGRATION_DIR=migrations
 
 # FRONTEND SPA
-INNERPORT=80
+HTTP=80         # ДЛЯ Certbot
-OUTERPORT=8088
+HTTPS=443

.gitea/workflows/deploy.yml

@@ -0,0 +1,24 @@
+name: Deploy
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Go binary
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            -w /workspace/api \
+            golang:1.22.5 \
+            sh -c 'go mod tidy && go build -o /workspace/api/bin/api cmd/main.go'
+
+      - name: Copy binary and restart service
+        run: |
+          cp api/bin/api /home/gaziz/artefacts/tp/main_dc/yalarba/api_yal/bin/api
+          docker compose -f /home/gaziz/artefacts/tp/main_dc/docker-compose.yml restart api_yal

.gitignore

@@ -32,3 +32,7 @@ coverage
 *.sw?
 
 *.tsbuildinfo
+
+# Binaries
+api/bin/
+

AGENTS.md

@@ -0,0 +1,93 @@
+# YalArba (ЯлАрба) — Tourist Aggregator
+
+**Generated:** 2026-06-12
+**Commit:** 165d5a5
+**Branch:** main
+
+## OVERVIEW
+Go REST API backend (chi router + GORM + PostgreSQL) with docker-compose orchestration. SPA frontend via Nginx reverse proxy + Certbot. Goose for DB migrations. JWT auth via HttpOnly cookies.
+
+## STRUCTURE
+```
+./
+├── api/                    # Go backend service
+│   ├── cmd/main.go         # Entry point
+│   ├── src/
+│   │   ├── configs/        # Server + DB config structs
+│   │   ├── initializers/   # Chi routing + GORM DB init
+│   │   ├── models/         # GORM models (User, Essence, Contact, Point)
+│   │   ├── rt/             # Route handlers grouped by domain
+│   │   │   ├── auth/       # Login, Register, JWT middleware
+│   │   │   ├── admin/      # Admin-only endpoints
+│   │   │   ├── prf/        # Profile (stub)
+│   │   │   └── srch/       # Search (stub)
+│   │   └── storages/psql/  # Global *gorm.DB var
+│   └── Dockerfile
+├── migrator/               # Goose migration runner
+│   └── migrations/         # Timestamped SQL migrations
+├── spa/                    # Nginx + static HTML landing + certbot
+│   ├── index.html          # Landing page (Russian)
+│   └── data/nginx/         # Nginx config
+├── docker-compose.yaml     # services: db, api, migrator, spa, certbot
+├── Makefile                # build, run, clean, test
+└── .env                    # Environment variables (DO NOT COMMIT)
+```
+
+## WHERE TO LOOK
+| Task | Location | Notes |
+|------|----------|-------|
+| Add API route | `api/src/initializers/Routing.go` + `api/src/rt/` | Register handler in Routing.go; create handler in rt/ subdir |
+| Add DB model | `api/src/models/` | GORM struct with json + gorm tags; UUID PKs |
+| Add migration | `migrator/migrations/` | Goose format: timestamp_description.sql |
+| Auth logic | `api/src/rt/auth/` | JWT in HttpOnly cookie; claims in request context |
+| DB access | `api/src/storages/psql/psql.go` | Global `PSQL_GORM_DB *gorm.DB` |
+| Config/env vars | `.env` → `os.Getenv()` in code | Config structs in `api/src/configs/` |
+
+## CODE MAP
+| Symbol | Type | Location | Role |
+|--------|------|----------|------|
+| `main` | func | `api/cmd/main.go:16` | Entry: calls InitChiRouting + InitDBconnection |
+| `InitChiRouting` | func | `api/src/initializers/Routing.go:21` | Sets up chi router, middlewares, all routes |
+| `InitDBconnection` | func | `api/src/initializers/PGQL_DB.go:14` | GORM Postgres connection, sets psql.PSQL_GORM_DB |
+| `PSQL_GORM_DB` | var | `api/src/storages/psql/psql.go:5` | Global DB handle |
+| `Login` | func | `api/src/rt/auth/Login.go:21` | Validates creds, issues JWT cookie |
+| `Register` | func | `api/src/rt/auth/Registr.go:54` | Validates input, hashes password, creates user |
+| `AuthMiddleware` | func | `api/src/rt/auth/authMiddleware.go:11` | JWT cookie validation middleware |
+| `AuthAdminMiddleware` | func | `api/src/rt/auth/authAdminMiddlware.go:11` | JWT + role=admin check |
+| `User` | struct | `api/src/models/user.go:5` | GORM model: id, name, email, password, phone, role |
+| `Claims` | struct | `api/src/models/authDataStructs.go:15` | JWT claims: email, phone, role |
+
+## CONVENTIONS
+- **Naming**: Go package names are short abbreviations (auth, prf, srch, admin). File names in PascalCase.
+- **DB**: GORM with UUID PKs (`AutoIncrement:false`). Goose for migrations with timestamp prefixes.
+- **Auth**: JWT stored in HttpOnly/Secure/SameSite cookie. Role stored in claims. Context key is `"email"`.
+- **Config**: All config via `os.Getenv()`, no config files. `.env` loaded by docker-compose.
+- **Logging**: `log/slog` structured logging.
+- **Errors**: `http.Error()` for simple errors. JSON-encoded `validationError` struct for validation.
+- **Password**: bcrypt cost 14. Max password length 72 (bcrypt limit).
+- **Role defaults**: Empty role on registration → "user".
+
+## ANTI-PATTERNS (THIS PROJECT)
+- `os.Exit(2)` on DB failure — kills entire process, no graceful shutdown
+- Duplicate JWT parsing logic between `authMiddleware.go` and `authAdminMiddlware.go`
+- `authAdminMiddlware.go` has typo in filename ("Middlware")
+- `AuthUserMiddleware.go` in prf/ is a dead stub (always 401)
+- Global mutable state (`PSQL_GORM_DB`, package-level `jwtKey`)
+- HTTPS enforced on JWT cookies but HTTP port 80 exposed — mismatch in dev
+- `AGENTS.md` in `.gitignore` because it previously contained secrets — credentials belong in `.env` only
+
+## COMMANDS
+```bash
+make          # docker compose up (default)
+make build    # docker compose build
+make run      # docker compose up
+make clean    # docker builder prune
+make test     # go test ./api/src/auth/... -v
+make tc       # go test -cover
+```
+
+## NOTES
+- `.env` contains real secrets — never commit. The `.gitignore` entry for `AGENTS.md` was added because it previously held credentials. Remove that `.gitignore` line once this file is clean.
+- `Profile` and `Search` handlers are stubs (empty bodies).
+- Docker services depend on each other: db → api → migrator → spa+certbot.
+- Goose migration `GOOSE_DBSTRING` in `.env` must match PG credentials.

api/go.mod

@@ -1,6 +1,6 @@
 module api
 
-go 1.22.5
+go 1.26.0
 
 require github.com/go-chi/chi/v5 v5.1.0
 
@@ -13,7 +13,7 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/crypto v0.25.0
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 )
 
@@ -23,3 +23,10 @@ require (
 	gorm.io/driver/postgres v1.5.9
 	gorm.io/gorm v1.25.11
 )
+
+require (
+	github.com/go-chi/httprate v0.15.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+)

api/go.sum

@@ -3,6 +3,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5g=
+github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -19,6 +21,8 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -26,10 +30,16 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

api/src/initializers/Routing.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/httprate"
 )
 
 var Done = make(chan bool)
@@ -41,7 +42,7 @@ func InitChiRouting() {
 	// public Routes
 	r.Group(func(r chi.Router) {
 		r.Post("/signup", auth.Register)                       // register
-		r.Post("/signin", auth.Login)    // signin
+		r.With(httprate.Limit(5, 1*time.Minute)).Post("/signin", auth.Login) // signin with rate limiter
 		r.Get("/search", srch.Search)
 	})
 
@@ -50,7 +51,6 @@ func InitChiRouting() {
 	r.Group(func(r chi.Router) {
 		r.Use(auth.AuthMiddleware)
 		r.Get("/profile", prf.Profile)
-		r.Get("/allUsersAdm", admin.GetAllUser)
 		r.Route("/admin", func(r chi.Router) {
 			r.Use(auth.AuthAdminMiddleware)
 			r.Get("/allUsersAdm", admin.GetAllUser) // all users get

api/src/rt/auth/Login.go

@@ -12,6 +12,10 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+const (
+	loginErrMsg = "invalid email or password"
+)
+
 var jwtKey = []byte(os.Getenv("SECRET_KEY"))
 
 func Login(w http.ResponseWriter, r *http.Request) {
@@ -22,10 +26,9 @@ func Login(w http.ResponseWriter, r *http.Request) {
 	}
 	// check user
 	var user models.User
-	// get user by email
 	result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
 	if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
-		w.WriteHeader(http.StatusInternalServerError)
+		http.Error(w, loginErrMsg, http.StatusUnauthorized)
 		return
 	}
 
@@ -51,6 +54,10 @@ func Login(w http.ResponseWriter, r *http.Request) {
 		Name:     "token",
 		Value:    tokenString,
 		Expires:  expirationtime,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
 	})
 	w.WriteHeader(http.StatusOK)
 }

api/src/rt/auth/Registr.go

@@ -5,40 +5,87 @@ import (
 	"api/src/storages/psql"
 	"encoding/json"
 	"net/http"
+	"regexp"
+	"strings"
 
 	"github.com/google/uuid"
 
 	"golang.org/x/crypto/bcrypt"
 )
 
+var (
+	emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`)
+	phoneRegex = regexp.MustCompile(`^\+?[0-9\s\-\(\)]{7,20}$`)
+	validRoles = map[string]bool{"user": true, "admin": true}
+)
+
+type validationError struct {
+	Field   string `json:"field"`
+	Message string `json:"message"`
+}
+
+func validateCredentials(c *models.Credentials) []validationError {
+	var errs []validationError
+
+	c.Name = strings.TrimSpace(c.Name)
+	c.Email = strings.TrimSpace(c.Email)
+	c.Phone = strings.TrimSpace(c.Phone)
+	c.Role = strings.TrimSpace(c.Role)
+
+	if c.Name == "" || len(c.Name) > 50 {
+		errs = append(errs, validationError{"name", "name is required and must be at most 50 characters"})
+	}
+	if c.Email == "" || len(c.Email) > 50 || !emailRegex.MatchString(c.Email) {
+		errs = append(errs, validationError{"email", "valid email is required"})
+	}
+	if c.Password == "" || len(c.Password) < 8 || len(c.Password) > 72 {
+		errs = append(errs, validationError{"password", "password must be between 8 and 72 characters"})
+	}
+	if c.Phone == "" || !phoneRegex.MatchString(c.Phone) {
+		errs = append(errs, validationError{"phone", "valid phone number is required"})
+	}
+	if c.Role != "" && !validRoles[c.Role] {
+		errs = append(errs, validationError{"role", "role must be 'user' or 'admin'"})
+	}
+
+	return errs
+}
+
 func Register(w http.ResponseWriter, r *http.Request) {
-	var Credentials models.Credentials
+	var creds models.Credentials
-	// Decoe body
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
-	if err := json.NewDecoder(r.Body).Decode(&Credentials); err != nil {
+		http.Error(w, "invalid request body", http.StatusBadRequest)
-		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 
-	// shep password
+	if errs := validateCredentials(&creds); errs != nil {
-	hashedPassword, err := hashPassword(Credentials.Password)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]interface{}{"errors": errs})
+		return
+	}
+
+	hashedPassword, err := hashPassword(creds.Password)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
-	id := uuid.New()
+	if creds.Role == "" {
+		creds.Role = "user"
+	}
 
 	user := models.User{
-		Id:       id,
+		Id:       uuid.New(),
-		Name:     Credentials.Name,
+		Name:     creds.Name,
-		Email:    Credentials.Email,
+		Email:    creds.Email,
 		Password: hashedPassword,
-		Phone:    Credentials.Phone,
+		Phone:    creds.Phone,
-		Role:     Credentials.Role,
+		Role:     creds.Role,
 	}
 	result := psql.PSQL_GORM_DB.Create(&user)
 	if result.Error != nil {
-		w.WriteHeader(http.StatusInternalServerError)
+		http.Error(w, "user with this email or phone already exists", http.StatusConflict)
 		return
 	}
 	w.WriteHeader(http.StatusCreated)

docker-compose.yaml

@@ -41,17 +41,29 @@ services:
     command: goose up
 
   spa:
-    build:
+    build: .
-      context: ./spa
-      dockerfile: Dockerfile
     env_file:
       - .env
     ports:
-      - "${OUTERPORT}:${INNERPORT}"
+      - "${HTTP}:${HTTP}"
+      - "${HTTPS}:${HTTPS}"
+    volumes:
+      - ./data/nginx/conf.d:/etc/nginx/conf.d
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
     depends_on:
       - api
       - db
       - migrator
+      - certbot
+  
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    restart: unless-stopped
 
 volumes:
   api:

spa/Dockerfile

@@ -1,11 +1,14 @@
-# Используем официальный образ Nginx
 FROM nginx:alpine
 
-# Копируем index.html в папку Nginx
+# Удаляем дефолтный конфиг Nginx
+RUN rm /etc/nginx/conf.d/default.conf
+
+# Копируем наш конфиг
+COPY ./data/nginx/conf.d/default.conf /etc/nginx/conf.d/
+
+# Копируем index.html
 COPY index.html /usr/share/nginx/html/
 
-# (Опционально) Можно заменить конфиг Nginx
+# Открываем порты
-# COPY nginx/nginx.conf /etc/nginx/conf.d/default.conf
-
-# Порт, который будет слушать Nginx
 EXPOSE 80
+EXPOSE 443

spa/data/nginx/conf.d/default.conf

@@ -0,0 +1,25 @@
+server {
+    listen 80;
+    server_name yalarba.ru www.yalarba.ru;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name yalarba.ru www.yalarba.ru;
+
+    ssl_certificate /etc/letsencrypt/live/yalarba.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/yalarba.ru/privkey.pem;
+
+    location / {
+        root /usr/share/nginx/html;
+        index index.html;
+    }
+}

spa/scripts/init-letsencrypt.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Убедитесь, что домены указаны правильно
+domains="yalarba.ru www.yalarba.ru"
+email="valitovgaziz@yandex.ru"  # Замените на реальный email
+
+# Создаём временный контейнер Nginx для верификации
+docker compose up -d nginx
+
+# Запускаем Certbot для получения сертификатов
+docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot --email $email --agree-tos --no-eff-email -d $domains --force-renewal
+
+# Перезапускаем Nginx с новыми сертификатами
+docker compose restart nginx