update redis configuration and README.md

Author: felixevers

.github/workflows/build-docker-proxy.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Build and push docker image
         uses: docker/build-push-action@v6
         with:
-          context: nginx
+          context: proxy
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

README.md

@@ -5,3 +5,91 @@
 ---
 
 ## 🚀 Quick Start
+
+If you simply want to test the application without modifying code, use the production compose file. This pulls official images and runs them behind a reverse proxy.
+
+1.  **Run the Stack**
+    ```bash
+    docker-compose up -d
+    ```
+
+2.  **Access the App**
+    * **App URL:** `http://localhost:80`
+    * **User:** `test` / `test`
+
+---
+
+## Development
+
+This section covers setting up the local environment for coding. You need **PostgreSQL**, **Redis**, and **Keycloak** running to support the backend.
+
+### Environment Configuration
+
+The application relies on the following services. Ensure your environment variables are set (or use the provided `.env.example`):
+
+```bash
+export DATABASE_URL="postgresql+asyncpg://postgres:password@localhost:5432/postgres"
+export REDIS_URL="redis://localhost:6379"
+export ENV=development
+```
+
+### Option A: Manual Setup (Docker Compose)
+Use this if you prefer managing your own Python and Node versions.
+
+1.  **Start Infrastructure**
+    Start Postgres, Redis, and Keycloak:
+    ```bash
+    docker-compose -f docker-compose.dev.yml up -d postgres redis keycloak
+    ```
+
+2.  **Run Backend**
+    ```bash
+    cd backend
+    python -m venv venv
+    source venv/bin/activate
+    pip install -r requirements.txt
+    
+    # Run migrations and start server
+    alembic upgrade head
+    uvicorn main:app --reload
+    ```
+
+3.  **Run Frontend**
+    In a new terminal:
+    ```bash
+    cd web
+    npm install
+    npm run dev
+    ```
+
+### Option B: Automated Setup (Nix)
+Use this to let Nix handle dependencies, environment variables, and helper commands automatically.
+
+1.  **Enter Shell**
+    ```bash
+    nix-shell
+    ```
+
+2.  **Start Everything**
+    ```bash
+    run-dev-all
+    # Starts Docker infra, migrates DB, and runs both Backend & Frontend
+    ```
+
+### Access & Credentials
+
+Once the development environment is running:
+
+| Service | URL | Description |
+| :--- | :--- | :--- |
+| **Web Frontend** | `http://localhost:3000` | The user interface (Next.js/React). |
+| **Backend API** | `http://localhost:8000/graphql` | The GraphQL Playground (Strawberry). |
+| **Keycloak** | `http://localhost:8080` | Identity Provider. |
+
+**Keycloak Realms & Users:**
+* **User Realm:** `http://localhost:8080/realms/tasks` (Redirects automatically from app login)
+    * User: `test`
+    * Password: `test`
+* **Admin Console:** `http://localhost:8080/admin`
+    * User: `admin`
+    * Password: `admin`

backend/auth.py

@@ -1,33 +1,62 @@
+import logging
 from typing import Any
 
 import requests
-from config import CLIENT_ID, ISSUER_URI
-from fastapi import HTTPException, status
+from config import CLIENT_ID, ISSUER_URI, LOGGER, PUBLIC_ISSUER_URI
+from fastapi import HTTPException, Request, status
+from fastapi.responses import RedirectResponse
 from jose import jwk, jwt
+from starlette.requests import HTTPConnection
+
+logger = logging.getLogger(LOGGER)
+
+AUTH_COOKIE_NAME = "access_token"
 
 jwks_cache: dict[str, Any] = {}
-openid_config_cache: dict[str, Any] = {}
 
 
-def get_openid_config() -> dict[str, Any]:
-    global openid_config_cache
-    if openid_config_cache:
-        return openid_config_cache
+def delete_auth_cookie(response):
+    response.delete_cookie(
+        AUTH_COOKIE_NAME,
+        path="/",
+        secure=True,
+        httponly=True,
+        samesite="none",
+    )
+
+
+async def authenticate_connection(connection, token: str | None):
+    user_payload = None
+
+    if token:
+        try:
+            user_payload = verify_token(token)
+        except Exception as e:
+            logger.warning(f"Token validation failed: {e}")
+
+    if user_payload:
+        return user_payload
+
+    if connection.scope["type"] == "http":
+        response = RedirectResponse("/login", status_code=302)
+        delete_auth_cookie(response)
+
+        accept_header = connection.headers.get("accept", "")
+
+        if "text/html" in accept_header:
+            raise UnauthenticatedRedirect(response=response)
 
-    config_url = f"{ISSUER_URI.rstrip('/')}/.well-known/openid-configuration"
-    try:
-        response = requests.get(config_url, timeout=5)
-        response.raise_for_status()
-        config = response.json()
-        openid_config_cache = config
-        return config
-    except Exception as e:
-        print(f"OIDC Config Error: {e}")
         raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Could not fetch OpenID Configuration",
+            status_code=401,
+            detail="Not authenticated",
+            headers={"WWW-Authenticate": "Bearer"},
         )
 
+    if connection.scope["type"] == "websocket":
+        raise HTTPException(status_code=403, detail="Not authenticated")
+
+    raise RuntimeError("Unsupported connection type")
+
 
 def get_public_key(token: str) -> Any:
     global jwks_cache
@@ -100,3 +129,34 @@ def verify_token(token: str) -> dict:
         raise HTTPException(status_code=401, detail=f"Invalid token: {e!s}")
     except Exception:
         raise HTTPException(status_code=401, detail="Authentication failed")
+
+
+async def get_token_source(
+    connection: HTTPConnection,
+) -> str | None:
+    auth_header = connection.headers.get("authorization")
+    if auth_header and auth_header.startswith("Bearer "):
+        return auth_header.split(" ")[1]
+
+    return connection.cookies.get(AUTH_COOKIE_NAME)
+
+
+class UnauthenticatedRedirect(Exception):
+    def __init__(self, response=None):
+        self.response = response
+        super().__init__("Unauthenticated - redirect required")
+
+
+async def unauthenticated_redirect_handler(
+    request: Request,
+    _: UnauthenticatedRedirect,
+):
+    redirect_uri = f"{request.base_url}callback"
+    login_url = (
+        f"{PUBLIC_ISSUER_URI}/protocol/openid-connect/auth"
+        f"?client_id={CLIENT_ID}"
+        f"&response_type=code"
+        f"&scope=openid profile email"
+        f"&redirect_uri={redirect_uri}"
+    )
+    return RedirectResponse(url=login_url)

backend/config.py

@@ -11,8 +11,16 @@
     f"postgresql+asyncpg://{_db_username}:{_db_password}@{_db_hostname}:{_db_port}/{_db_name}",
 )
 
+_redis_host = os.getenv("REDIS_HOST", "localhost")
+_redis_port = int(os.getenv("REDIS_PORT", 6379))
+_redis_password = os.getenv("REDIS_PASSWORD", None)
 
-REDIS_URL = os.getenv("REDIS_URL", "redis://localhost:6379")
+if _redis_password:
+    REDIS_URL = f"redis://:{_redis_password}@{_redis_host}:{_redis_port}/"
+else:
+    REDIS_URL = f"redis://{_redis_host}:{_redis_port}/"
+
+REDIS_URL = os.getenv("REDIS_URL", REDIS_URL)
 
 ENV = os.getenv("ENV", "production")
 IS_DEV = ENV == "development"

backend/main.py

@@ -1,86 +1,47 @@
+import logging
+
 import requests
+from starlette.status import HTTP_400_BAD_REQUEST
 from api.context import Context
 from api.resolvers import Mutation, Query, Subscription
-from auth import verify_token
-from config import CLIENT_ID, CLIENT_SECRET, IS_DEV, PUBLIC_ISSUER_URI, ISSUER_URI
+from auth import UnauthenticatedRedirect, authenticate_connection, get_token_source, unauthenticated_redirect_handler, verify_token
+from config import (
+    CLIENT_ID,
+    CLIENT_SECRET,
+    IS_DEV,
+    ISSUER_URI,
+    LOGGER,
+)
 from database.models.user import User
 from database.session import get_db_session
 from fastapi import Depends, FastAPI, HTTPException, Request
 from fastapi.responses import RedirectResponse
-from fastapi.security import OAuth2PasswordBearer
 from sqlalchemy import select
+from starlette.requests import HTTPConnection
 from strawberry import Schema
 from strawberry.fastapi import GraphQLRouter
 
-oauth2_scheme = OAuth2PasswordBearer(
-    tokenUrl=f"{ISSUER_URI}/protocol/openid-connect/token",
-    auto_error=False,
-)
-
-
-async def get_token_source(
-    request: Request,
-    header_token: str | None = Depends(oauth2_scheme),
-) -> str | None:
-    if header_token:
-        return header_token
-
-    return request.cookies.get("access_token")
-
-
-class UnauthenticatedRedirect(Exception):
-    pass
-
-
-async def unauthenticated_redirect_handler(
-    request: Request,
-    _: UnauthenticatedRedirect,
-):
-    redirect_uri = f"{request.base_url}callback"
-
-    login_url = (
-        f"{PUBLIC_ISSUER_URI}/protocol/openid-connect/auth"
-        f"?client_id={CLIENT_ID}"
-        f"&response_type=code"
-        f"&scope=openid profile email"
-        f"&redirect_uri={redirect_uri}"
-    )
-    return RedirectResponse(url=login_url)
+logger = logging.getLogger(LOGGER)
 
 
 async def get_context(
-    request: Request,
+    connection: HTTPConnection,
     token: str | None = Depends(get_token_source),
     session=Depends(get_db_session),
 ) -> Context:
-    user_payload = None
-
-    if token:
-        try:
-            user_payload = verify_token(token)
-        except Exception as e:
-            raise e
-            user_payload = None
-
-    if not user_payload:
-        accept_header = request.headers.get("accept", "")
-        if "text/html" in accept_header:
-            raise UnauthenticatedRedirect
-        raise HTTPException(
-            status_code=401,
-            detail="Not authenticated",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
+    user_payload = await authenticate_connection(connection, token)
 
     user_id = user_payload.get("sub")
     username = (
         user_payload.get("preferred_username")
         or user_payload.get("name")
-        or "Unknown"
     )
     firstname = user_payload.get("given_name")
     lastname = user_payload.get("family_name")
 
+    if not (user_id and username and firstname and lastname):
+        raise HTTPException(status_code=HTTP_400_BAD_REQUEST, detail="Missing required user details.")
+
     result = await session.execute(select(User).where(User.id == user_id))
     db_user = result.scalars().first()
 
@@ -93,7 +54,7 @@ async def get_context(
             title="User",
         )
         session.add(db_user)
-    else:
+    elif db_user.name != username or db_user.firstname != firstname:
         db_user.name = username
         db_user.firstname = firstname
         db_user.lastname = lastname