Merge branch 'main' into codex/implement-security-and-deployment-features

Author: fuzziecoder

.env.example

@@ -9,3 +9,18 @@ VITE_GEMINI_API_KEY=your_gemini_api_key_here
 # These are only used when mockApi.ts is active
 VITE_ADMIN_PASSWORD=your_admin_password_here
 VITE_USER_PASSWORD=your_user_password_here
+
+# Backend server
+PORT=4000
+CORS_ALLOW_ORIGIN=*
+AUTH_TOKEN_SECRET=replace_with_a_long_random_secret
+AUTH_TOKEN_TTL_SECONDS=43200
+LOGIN_RATE_LIMIT_MAX_ATTEMPTS=5
+LOGIN_RATE_LIMIT_WINDOW_MS=900000
+LOGIN_RATE_LIMIT_BLOCK_MS=900000
+
+# BullMQ + Redis
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+REDIS_PASSWORD=
+EVENT_REMINDER_BEFORE_HOURS=2

backend/README.md

@@ -56,26 +56,76 @@ Legacy plaintext records auto-migrate to hashed values at successful login.
 - New orders are validated against DB data (known `spotId`, `userId`, `productId`) and item pricing is always derived from catalog prices in the database.
 
 ## Deployment (Render / Railway / AWS EC2)
+### Issue #31: Redis-backed caching + session/performance primitives
+
+- Added optional Redis integration (`REDIS_URL`) with automatic in-memory fallback when Redis is unavailable.
+- Active auth sessions are now stored in cache (token hash), and protected routes require an active session.
+- Added cache-backed rate limiting primitives for login attempts (window + temporary block).
+- Added short-lived cache for read-heavy endpoints:
+  - `GET /api/catalog` (cached)
+  - `GET /api/spots` (cached)
+- Added real-time presence endpoints:
+  - `POST /api/presence/heartbeat`
+  - `GET /api/presence/active?spotId=...`
+- Added temporary event state endpoints:
+  - `PUT|POST /api/events/state/:eventKey`
+  - `GET /api/events/state/:eventKey`
+- New env vars:
+  - `REDIS_URL`
+  - `REDIS_KEY_PREFIX`
+  - `CACHE_DEFAULT_TTL_SECONDS`
+  - `PRESENCE_TTL_SECONDS`
+  - `EVENT_STATE_DEFAULT_TTL_SECONDS`
+
+### Issue #30: Secure backend data access with signed auth tokens + authorization
 
 See [`backend/deployment.md`](./deployment.md) for step-by-step deployment options and env setup for:
 
 - Backend hosting: **Render**, **Railway**, **AWS EC2**
 - PostgreSQL: **Supabase** or **Neon**
 - Redis: **Upstash**
 - File storage: **AWS S3** or **Cloudinary**
+### Background jobs (BullMQ + Redis)
+
+- The backend initializes BullMQ queues for:
+  - email notification jobs (`email-notifications`) when a new order is created.
+  - scheduled reminder jobs (`spot-reminders`) for upcoming spots/events.
+  - recurring cleanup jobs (`expired-spot-cleanup`) for expired events.
+- Redis connection settings:
+  - `REDIS_HOST` (default `127.0.0.1`)
+  - `REDIS_PORT` (default `6379`)
+  - `REDIS_PASSWORD` (optional)
+- Reminder timing:
+  - `EVENT_REMINDER_BEFORE_HOURS` (default `2`)
+- If BullMQ or Redis dependencies are unavailable, backend continues to run with jobs disabled and logs a warning.
+
+### API Documentation (Swagger/OpenAPI)
+
+- OpenAPI JSON is available at `GET /api/docs/openapi.json`.
+- Swagger UI is available at `GET /api/docs`.
 
 ## Available endpoints
 
 - `GET /api/health`
 - `POST /api/auth/login`
+- `GET /api/docs`
+- `GET /api/docs/openapi.json`
 - `GET /api/catalog`
+- `POST /api/auth/logout`
+- `GET /api/catalog` (cached)
 - `GET /api/catalog/:category` (`drinks`, `food`, `cigarettes`)
-- `GET /api/spots`
+- `GET /api/spots` (cached)
 - `GET /api/orders?spotId=...&userId=...` (auth required)
 - `GET /api/orders/:id` (auth required)
 - `POST /api/orders` (auth required)
 - `GET /api/bills/:spotId` (admin only)
 - `DELETE /api/users/:userId` (admin only; removes the user and all related records)
+- `POST /api/jobs/reminders/run` (admin only; manually queue reminder jobs)
+- `POST /api/jobs/cleanup/run` (admin only; manually queue expired-event cleanup)
+- `POST /api/presence/heartbeat` (auth required)
+- `GET /api/presence/active?spotId=...` (auth required)
+- `PUT|POST /api/events/state/:eventKey` (auth required)
+- `GET /api/events/state/:eventKey` (auth required)
 
 ## Example login payload
 

backend/cache.js

@@ -0,0 +1,254 @@
+import crypto from 'node:crypto';
+
+const REDIS_URL = process.env.REDIS_URL;
+const REDIS_KEY_PREFIX = process.env.REDIS_KEY_PREFIX || 'brocode';
+const CACHE_DEFAULT_TTL_SECONDS = Number(process.env.CACHE_DEFAULT_TTL_SECONDS || 60);
+const PRESENCE_TTL_SECONDS = Number(process.env.PRESENCE_TTL_SECONDS || 60);
+
+const toKey = (key) => `${REDIS_KEY_PREFIX}:${key}`;
+
+class MemoryStore {
+  constructor() {
+    this.values = new Map();
+    this.expiries = new Map();
+    this.sets = new Map();
+  }
+
+  cleanupExpired(key) {
+    const expiresAt = this.expiries.get(key);
+    if (expiresAt && expiresAt <= Date.now()) {
+      this.values.delete(key);
+      this.expiries.delete(key);
+      return true;
+    }
+
+    return false;
+  }
+
+  async get(key) {
+    this.cleanupExpired(key);
+    return this.values.get(key) ?? null;
+  }
+
+  async set(key, value, options = {}) {
+    this.values.set(key, value);
+
+    const exSeconds = Number(options.EX || 0);
+    if (exSeconds > 0) {
+      this.expiries.set(key, Date.now() + exSeconds * 1000);
+    } else {
+      this.expiries.delete(key);
+    }
+
+    return 'OK';
+  }
+
+  async del(keys) {
+    const arr = Array.isArray(keys) ? keys : [keys];
+    arr.forEach((key) => {
+      this.values.delete(key);
+      this.expiries.delete(key);
+      this.sets.delete(key);
+    });
+    return arr.length;
+  }
+
+  async incr(key) {
+    const current = Number((await this.get(key)) || 0);
+    const next = current + 1;
+    this.values.set(key, String(next));
+    return next;
+  }
+
+  async sAdd(key, member) {
+    const current = this.sets.get(key) || new Set();
+    current.add(member);
+    this.sets.set(key, current);
+    return 1;
+  }
+
+  async sMembers(key) {
+    return [...(this.sets.get(key) || new Set())];
+  }
+
+  async sRem(key, member) {
+    const current = this.sets.get(key);
+    if (!current) {
+      return 0;
+    }
+
+    current.delete(member);
+    if (current.size === 0) {
+      this.sets.delete(key);
+    }
+
+    return 1;
+  }
+}
+
+const createCacheClient = async () => {
+  if (!REDIS_URL) {
+    console.warn('⚠️ REDIS_URL not configured. Falling back to in-memory cache store.');
+    return { client: new MemoryStore(), mode: 'memory' };
+  }
+
+  try {
+    const { createClient } = await import('redis');
+    const client = createClient({ url: REDIS_URL });
+    client.on('error', (error) => {
+      console.error('Redis client error:', error.message);
+    });
+    await client.connect();
+    console.log('✅ Connected to Redis');
+    return { client, mode: 'redis' };
+  } catch (error) {
+    console.warn(`⚠️ Redis unavailable (${error.message}). Falling back to in-memory cache store.`);
+    return { client: new MemoryStore(), mode: 'memory' };
+  }
+};
+
+const parseJson = (raw) => {
+  if (!raw) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+};
+
+export const cache = await createCacheClient();
+
+export const getOrSetJsonCache = async (key, fetcher, ttlSeconds = CACHE_DEFAULT_TTL_SECONDS) => {
+  const cacheKey = toKey(`cache:${key}`);
+  const cached = await cache.client.get(cacheKey);
+  if (cached) {
+    const parsed = parseJson(cached);
+    if (parsed !== null) {
+      return parsed;
+    }
+  }
+
+  const freshValue = await fetcher();
+  await cache.client.set(cacheKey, JSON.stringify(freshValue), { EX: ttlSeconds });
+  return freshValue;
+};
+
+export const sessionStore = {
+  hashToken(token) {
+    return crypto.createHash('sha256').update(token).digest('hex');
+  },
+
+  async setActiveSession(token, userId, ttlSeconds) {
+    const tokenHash = this.hashToken(token);
+    await cache.client.set(toKey(`session:${tokenHash}`), userId, { EX: ttlSeconds });
+  },
+
+  async hasActiveSession(token) {
+    const tokenHash = this.hashToken(token);
+    return Boolean(await cache.client.get(toKey(`session:${tokenHash}`)));
+  },
+
+  async clearActiveSession(token) {
+    const tokenHash = this.hashToken(token);
+    await cache.client.del(toKey(`session:${tokenHash}`));
+  },
+};
+
+export const rateLimiter = {
+  async getBlockedSeconds(key) {
+    const blockedUntil = Number((await cache.client.get(toKey(`ratelimit:block:${key}`))) || 0);
+    if (!blockedUntil) {
+      return 0;
+    }
+
+    const remainingMs = blockedUntil - Date.now();
+    return remainingMs > 0 ? Math.ceil(remainingMs / 1000) : 0;
+  },
+
+  async recordFailure(key, { maxAttempts, windowMs, blockMs }) {
+    const attemptsKey = toKey(`ratelimit:attempts:${key}`);
+    const blockKey = toKey(`ratelimit:block:${key}`);
+
+    const attempts = await cache.client.incr(attemptsKey);
+    if (attempts === 1) {
+      await cache.client.set(attemptsKey, String(attempts), { EX: Math.ceil(windowMs / 1000) });
+    }
+
+    if (attempts >= maxAttempts) {
+      const blockedUntil = Date.now() + blockMs;
+      await cache.client.set(blockKey, String(blockedUntil), { EX: Math.ceil(blockMs / 1000) });
+    }
+  },
+
+  async clear(key) {
+    await cache.client.del([toKey(`ratelimit:attempts:${key}`), toKey(`ratelimit:block:${key}`)]);
+  },
+};
+
+const PRESENCE_SET_KEY = toKey('presence:active-users');
+
+export const presenceStore = {
+  async heartbeat(user, payload = {}) {
+    const key = toKey(`presence:user:${user.id}`);
+    const entry = {
+      userId: user.id,
+      username: user.username,
+      name: user.name,
+      role: user.role,
+      spotId: payload.spotId || null,
+      status: payload.status || 'online',
+      updatedAt: new Date().toISOString(),
+    };
+
+    await cache.client.set(key, JSON.stringify(entry), { EX: PRESENCE_TTL_SECONDS });
+    await cache.client.sAdd(PRESENCE_SET_KEY, user.id);
+    return entry;
+  },
+
+  async listActive(spotId) {
+    const userIds = await cache.client.sMembers(PRESENCE_SET_KEY);
+    const active = [];
+
+    for (const userId of userIds) {
+      const raw = await cache.client.get(toKey(`presence:user:${userId}`));
+      if (!raw) {
+        await cache.client.sRem(PRESENCE_SET_KEY, userId);
+        continue;
+      }
+
+      const parsed = parseJson(raw);
+      if (!parsed) {
+        continue;
+      }
+
+      if (!spotId || parsed.spotId === spotId) {
+        active.push(parsed);
+      }
+    }
+
+    return active;
+  },
+};
+
+export const eventStateStore = {
+  async set(eventKey, state, ttlSeconds = 120) {
+    const key = toKey(`event-state:${eventKey}`);
+    const payload = {
+      eventKey,
+      state,
+      updatedAt: new Date().toISOString(),
+      ttlSeconds,
+    };
+
+    await cache.client.set(key, JSON.stringify(payload), { EX: ttlSeconds });
+    return payload;
+  },
+
+  async get(eventKey) {
+    const key = toKey(`event-state:${eventKey}`);
+    return parseJson(await cache.client.get(key));
+  },
+};