Oliver/adeo-maturity-tool
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
adeo-maturity-tool/docker-compose.yml
DJP 8e969fe015 Add login + role-based access (admin/user) backed by Postgres 
Adds a Postgres-backed user store with bcrypt + JWT cookie sessions,
login screen, role-gated UI, and Microsoft SSO scaffolding ready to
fill in.

Backend
- New `db` service (Postgres 16-alpine) in compose, healthcheck-gated
  app startup, free-port autodetect (5435-5499) like other apps.
- `server/db.js` runs versioned `.sql` migrations on boot.
- `server/auth.js`: bcrypt + JWT cookie (httpOnly, sameSite=strict,
  path-scoped to /adeo-maturity), rate-limited login (10/15min),
  dummy bcrypt-compare on missing users to defeat timing oracles.
- `requireAdmin` on all writes (POST/import/sync); `authenticate`
  on all reads. /api/health stays public.
- Microsoft SSO endpoints stubbed at /api/auth/msft/{login,callback}
  (return 501); DB has azure_oid column ready; comments document
  exactly how to wire @azure/msal-node.

Frontend
- Login screen with email/password + greyed-out "Sign in with
  Microsoft" button; init() checks /api/auth/me first.
- Logout button + user badge in header.
- body.role-user CSS hides .admin-only elements (Update tab, New
  Client cards). Server enforces regardless.

Deploy
- deploy.sh generates DB_PASSWORD and AUTH_SECRET on first run and
  persists to .env, then runs `seed-users.js seed-defaults` to
  create admin@oliver.agency + user@oliver.agency with random
  passwords printed once. Subsequent deploys skip seeding unless
  --reseed is passed.
- node server/seed-users.js set-password <email> <pw> for ad-hoc
  resets later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 11:14:19 -04:00

47 lines
1.4 KiB
YAML
Raw Blame History

# Top-level project name pinned per the global Docker policy — prevents
# collision with other apps deployed under /opt that share a parent dir name.
name: adeo-maturity-tool
services:
db:
image: postgres:16-alpine
restart: unless-stopped
environment:
POSTGRES_DB: ${DB_NAME:-adeo_maturity}
POSTGRES_USER: ${DB_USER:-adeo}
POSTGRES_PASSWORD: ${DB_PASSWORD}
# Host port resolved by deploy/deploy.sh (preferred 5435, scans 5435-5499).
# Bind to 127.0.0.1 only — only the app container needs DB access.
ports:
- "127.0.0.1:${ADEO_DB_PORT:-5435}:5432"
volumes:
- pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${DB_USER:-adeo} -d ${DB_NAME:-adeo_maturity}"]
interval: 5s
timeout: 5s
retries: 10
app:
build:
context: .
dockerfile: Dockerfile
restart: unless-stopped
depends_on:
db:
condition: service_healthy
# Host port resolved by deploy/deploy.sh (preferred 3102, scans 3102-3199).
ports:
- "127.0.0.1:${ADEO_PORT:-3102}:3102"
environment:
- PORT=3102
- NODE_ENV=production
- DATABASE_URL=postgres://${DB_USER:-adeo}:${DB_PASSWORD}@db:5432/${DB_NAME:-adeo_maturity}
- AUTH_SECRET=${AUTH_SECRET}
- COOKIE_PATH=${COOKIE_PATH:-/}
- COOKIE_SECURE=${COOKIE_SECURE:-true}
volumes:
- ./clients:/app/clients
volumes:
pgdata:
Reference in a new issue View git blame Copy permalink