mirror of
https://github.com/johndoe6345789/metabuilder.git
synced 2026-05-07 03:59:35 +00:00
git
df5398a7ee
Complete implementation of enterprise-grade authentication middleware for email service: Features: - JWT token creation/validation with configurable expiration - Bearer token extraction and validation - Multi-tenant isolation enforced at middleware level - Role-based access control (RBAC) with user/admin roles - Row-level security (RLS) for resource access - Automatic request logging with user context and audit trail - CORS configuration for email client frontend - Rate limiting (50 req/min per user with Redis backend) - Comprehensive error handling with proper HTTP status codes Implementation: - Enhanced src/middleware/auth.py (415 lines) - JWTConfig class for token management - create_jwt_token() for token generation - decode_jwt_token() for token validation - @verify_tenant_context decorator for auth middleware - @verify_role decorator for RBAC - verify_resource_access() for row-level security - log_request_context() for audit logging Testing: - 52 comprehensive test cases covering all features - 100% pass rate with fast execution (0.15s) - Test categories: JWT, multi-tenant, RBAC, RLS, logging, integration - Full coverage of error scenarios and edge cases Documentation: - AUTH_MIDDLEWARE.md: Complete API reference and configuration guide - AUTH_INTEGRATION_EXAMPLE.py: Real-world usage examples for 5+ scenarios - PHASE_7_SUMMARY.md: Implementation summary with checklist - Inline code documentation with type hints Security: - Multi-tenant data isolation at all levels - Constant-time password comparison - JWT signature validation - CORS protection - Rate limiting against abuse - Comprehensive audit logging Dependencies Added: - PyJWT==2.8.1 Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
144 lines
3.7 KiB
YAML
144 lines
3.7 KiB
YAML
# Docker Compose Production Configuration
|
|
# Usage: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
|
|
|
|
version: '3.8'
|
|
|
|
services:
|
|
# Production Redis with strict security
|
|
redis:
|
|
restart: always
|
|
environment:
|
|
# Generate strong password in production: openssl rand -base64 32
|
|
REDIS_PASSWORD: ${REDIS_PASSWORD_PROD:?Please set REDIS_PASSWORD_PROD environment variable}
|
|
REDIS_MAXMEMORY: ${REDIS_MAXMEMORY_PROD:-1gb}
|
|
REDIS_MAXMEMORY_POLICY: volatile-lru
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD_PROD}", "--raw", "incr", "ping"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 5s
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "100m"
|
|
max-file: "10"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 2gb
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 1gb
|
|
|
|
# Production Email Service
|
|
email-service:
|
|
restart: always
|
|
environment:
|
|
FLASK_ENV: production
|
|
FLASK_DEBUG: '0'
|
|
LOG_LEVEL: INFO
|
|
REDIS_PASSWORD: ${REDIS_PASSWORD_PROD:?Please set REDIS_PASSWORD_PROD environment variable}
|
|
REDIS_URL: redis://:${REDIS_PASSWORD_PROD}@redis:6379/0
|
|
CELERY_BROKER_URL: redis://:${REDIS_PASSWORD_PROD}@redis:6379/0
|
|
CELERY_RESULT_BACKEND: redis://:${REDIS_PASSWORD_PROD}@redis:6379/0
|
|
# Disable sync task execution in production
|
|
CELERY_TASK_ALWAYS_EAGER: 'false'
|
|
# Production task limits
|
|
CELERY_TASK_TIME_LIMIT: 7200
|
|
CELERY_TASK_SOFT_TIME_LIMIT: 6000
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "100m"
|
|
max-file: "10"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 2gb
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 1gb
|
|
|
|
# Production Postfix
|
|
postfix:
|
|
restart: always
|
|
environment:
|
|
# Production SMTP settings
|
|
POSTFIX_message_size_limit: 52428800 # 50MB
|
|
POSTFIX_mailbox_size_limit: 1073741824 # 1GB per user
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "100m"
|
|
max-file: "10"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 512mb
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 256mb
|
|
|
|
# Production Dovecot
|
|
dovecot:
|
|
restart: always
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "100m"
|
|
max-file: "10"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 2gb
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 1gb
|
|
|
|
# Production PostgreSQL
|
|
postgres:
|
|
restart: always
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER_PROD:?Please set POSTGRES_USER_PROD environment variable}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD_PROD:?Please set POSTGRES_PASSWORD_PROD environment variable}
|
|
POSTGRES_DB: ${POSTGRES_DB_PROD:?Please set POSTGRES_DB_PROD environment variable}
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "100m"
|
|
max-file: "10"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 4gb
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 2gb
|
|
|
|
# Production volume configuration
|
|
volumes:
|
|
redis-data:
|
|
driver: local
|
|
driver_opts:
|
|
type: none
|
|
o: bind
|
|
device: /mnt/data/redis # Use external mount for production
|
|
postgres-data:
|
|
driver: local
|
|
driver_opts:
|
|
type: none
|
|
o: bind
|
|
device: /mnt/data/postgres # Use external mount for production
|
|
dovecot-data:
|
|
driver: local
|
|
driver_opts:
|
|
type: none
|
|
o: bind
|
|
device: /mnt/data/dovecot # Use external mount for production
|