Initial commit: MOPC platform with Docker deployment setup

Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth. Includes production Dockerfile (multi-stage, port 7600), docker-compose with registry-based image pull, Gitea Actions CI workflow, nginx config for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 13:41:32 +01:00
commit a606292aaa
290 changed files with 70691 additions and 0 deletions
--- a/src/app/api/auth/[...nextauth]/route.ts
+++ b/src/app/api/auth/[...nextauth]/route.ts
@@ -0,0 +1,38 @@
+import { handlers } from '@/lib/auth'
+import { checkRateLimit } from '@/lib/rate-limit'
+
+const AUTH_RATE_LIMIT = 10 // requests per window
+const AUTH_RATE_WINDOW_MS = 60 * 1000 // 1 minute
+
+function getClientIp(req: Request): string {
+  return (
+    req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
+    req.headers.get('x-real-ip') ||
+    'unknown'
+  )
+}
+
+function withRateLimit(handler: (req: Request) => Promise<Response>) {
+  return async (req: Request) => {
+    // Only rate limit POST requests (sign-in, magic link sends)
+    if (req.method === 'POST') {
+      const ip = getClientIp(req)
+      const { success, resetAt } = checkRateLimit(`auth:${ip}`, AUTH_RATE_LIMIT, AUTH_RATE_WINDOW_MS)
+
+      if (!success) {
+        return new Response(JSON.stringify({ error: 'Too many authentication attempts' }), {
+          status: 429,
+          headers: {
+            'Content-Type': 'application/json',
+            'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),
+          },
+        })
+      }
+    }
+
+    return handler(req)
+  }
+}
+
+export const GET = handlers.GET
+export const POST = withRateLimit(handlers.POST as (req: Request) => Promise<Response>)
--- a/src/app/api/health/route.ts
+++ b/src/app/api/health/route.ts
@@ -0,0 +1,34 @@
+import { NextResponse } from 'next/server'
+import { prisma } from '@/lib/prisma'
+
+export async function GET() {
+  try {
+    // Check database connection
+    await prisma.$queryRaw`SELECT 1`
+
+    return NextResponse.json(
+      {
+        status: 'healthy',
+        timestamp: new Date().toISOString(),
+        services: {
+          database: 'connected',
+        },
+      },
+      { status: 200 }
+    )
+  } catch (error) {
+    console.error('Health check failed:', error)
+
+    return NextResponse.json(
+      {
+        status: 'unhealthy',
+        timestamp: new Date().toISOString(),
+        services: {
+          database: 'disconnected',
+        },
+        error: error instanceof Error ? error.message : 'Unknown error',
+      },
+      { status: 503 }
+    )
+  }
+}
--- a/src/app/api/storage/local/route.ts
+++ b/src/app/api/storage/local/route.ts
@@ -0,0 +1,125 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { LocalStorageProvider } from '@/lib/storage/local-provider'
+import { getContentType } from '@/lib/storage'
+import * as fs from 'fs/promises'
+
+const provider = new LocalStorageProvider()
+
+/**
+ * Handle GET requests for file downloads
+ */
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url)
+  const key = searchParams.get('key')
+  const action = searchParams.get('action')
+  const expires = searchParams.get('expires')
+  const sig = searchParams.get('sig')
+
+  // Validate required parameters
+  if (!key || !action || !expires || !sig) {
+    return NextResponse.json(
+      { error: 'Missing required parameters' },
+      { status: 400 }
+    )
+  }
+
+  // Verify signature and expiry
+  const isValid = LocalStorageProvider.verifySignature(
+    key,
+    action,
+    parseInt(expires),
+    sig
+  )
+
+  if (!isValid) {
+    return NextResponse.json(
+      { error: 'Invalid or expired signature' },
+      { status: 403 }
+    )
+  }
+
+  if (action !== 'download') {
+    return NextResponse.json(
+      { error: 'Invalid action for GET request' },
+      { status: 400 }
+    )
+  }
+
+  try {
+    const filePath = provider.getAbsoluteFilePath(key)
+    const data = await fs.readFile(filePath)
+    const contentType = getContentType(key)
+
+    return new NextResponse(data, {
+      headers: {
+        'Content-Type': contentType,
+        'Cache-Control': 'private, max-age=3600',
+      },
+    })
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+      return NextResponse.json({ error: 'File not found' }, { status: 404 })
+    }
+    console.error('Error serving file:', error)
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
+
+/**
+ * Handle PUT requests for file uploads
+ */
+export async function PUT(request: NextRequest) {
+  const { searchParams } = new URL(request.url)
+  const key = searchParams.get('key')
+  const action = searchParams.get('action')
+  const expires = searchParams.get('expires')
+  const sig = searchParams.get('sig')
+
+  // Validate required parameters
+  if (!key || !action || !expires || !sig) {
+    return NextResponse.json(
+      { error: 'Missing required parameters' },
+      { status: 400 }
+    )
+  }
+
+  // Verify signature and expiry
+  const isValid = LocalStorageProvider.verifySignature(
+    key,
+    action,
+    parseInt(expires),
+    sig
+  )
+
+  if (!isValid) {
+    return NextResponse.json(
+      { error: 'Invalid or expired signature' },
+      { status: 403 }
+    )
+  }
+
+  if (action !== 'upload') {
+    return NextResponse.json(
+      { error: 'Invalid action for PUT request' },
+      { status: 400 }
+    )
+  }
+
+  try {
+    const contentType = request.headers.get('content-type') || 'application/octet-stream'
+    const data = Buffer.from(await request.arrayBuffer())
+
+    await provider.putObject(key, data, contentType)
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    console.error('Error uploading file:', error)
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
--- a/src/app/api/trpc/[trpc]/route.ts
+++ b/src/app/api/trpc/[trpc]/route.ts
@@ -0,0 +1,55 @@
+import { fetchRequestHandler } from '@trpc/server/adapters/fetch'
+import { appRouter } from '@/server/routers/_app'
+import { createContext } from '@/server/context'
+import { checkRateLimit } from '@/lib/rate-limit'
+
+const RATE_LIMIT = 100 // requests per window
+const RATE_WINDOW_MS = 60 * 1000 // 1 minute
+
+function getClientIp(req: Request): string {
+  return (
+    req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
+    req.headers.get('x-real-ip') ||
+    'unknown'
+  )
+}
+
+const handler = (req: Request) => {
+  const ip = getClientIp(req)
+  const { success, remaining, resetAt } = checkRateLimit(`trpc:${ip}`, RATE_LIMIT, RATE_WINDOW_MS)
+
+  if (!success) {
+    return new Response(JSON.stringify({ error: 'Too many requests' }), {
+      status: 429,
+      headers: {
+        'Content-Type': 'application/json',
+        'Retry-After': String(Math.ceil((resetAt - Date.now()) / 1000)),
+        'X-RateLimit-Limit': String(RATE_LIMIT),
+        'X-RateLimit-Remaining': '0',
+      },
+    })
+  }
+
+  return fetchRequestHandler({
+    endpoint: '/api/trpc',
+    req,
+    router: appRouter,
+    createContext,
+    responseMeta() {
+      return {
+        headers: {
+          'X-RateLimit-Limit': String(RATE_LIMIT),
+          'X-RateLimit-Remaining': String(remaining),
+        },
+      }
+    },
+    onError:
+      process.env.NODE_ENV === 'development'
+        ? ({ path, error }) => {
+            console.error(`❌ tRPC failed on ${path ?? '<no-path>'}:`, error)
+          }
+        : undefined,
+  })
+}
+
+export { handler as GET, handler as POST }