olsch01
dfcd172ef3
Complete SaaS self-service onboarding sprint: - Stripe-powered signup flow: pricing page → checkout → provisioning → activation - Refresh token infrastructure: 1h access tokens + 30-day httpOnly cookie refresh - TOTP MFA with QR setup, recovery codes, and login challenge flow - Google + Azure AD SSO (conditional on env vars) with account linking - WebAuthn passkey registration and passwordless login - Guided onboarding checklist with server-side progress tracking - Stubbed email service (console + DB logging, ready for real provider) - Settings page with tabbed security settings (MFA, passkeys, linked accounts) - Login page enhanced with MFA verification, SSO buttons, passkey login - Database migration 015 with all new tables and columns - Version bump to 2026.03.17 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
118 lines
3.5 KiB
YAML
118 lines
3.5 KiB
YAML
services:
|
|
nginx:
|
|
image: nginx:alpine
|
|
ports:
|
|
- "80:80"
|
|
volumes:
|
|
- ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
|
|
depends_on:
|
|
- backend
|
|
- frontend
|
|
networks:
|
|
- hoanet
|
|
|
|
backend:
|
|
build:
|
|
context: ./backend
|
|
dockerfile: Dockerfile.dev
|
|
# No host port mapping — dev traffic goes through the Docker nginx container.
|
|
# Production overlay maps 127.0.0.1:3000 for the host reverse proxy.
|
|
environment:
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- REDIS_URL=${REDIS_URL}
|
|
- JWT_SECRET=${JWT_SECRET}
|
|
- NODE_ENV=${NODE_ENV}
|
|
- AI_API_URL=${AI_API_URL}
|
|
- AI_API_KEY=${AI_API_KEY}
|
|
- AI_MODEL=${AI_MODEL}
|
|
- AI_DEBUG=${AI_DEBUG:-false}
|
|
- NEW_RELIC_ENABLED=${NEW_RELIC_ENABLED:-false}
|
|
- NEW_RELIC_LICENSE_KEY=${NEW_RELIC_LICENSE_KEY:-}
|
|
- NEW_RELIC_APP_NAME=${NEW_RELIC_APP_NAME:-HOALedgerIQ_App}
|
|
- STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-}
|
|
- STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-}
|
|
- STRIPE_STARTER_PRICE_ID=${STRIPE_STARTER_PRICE_ID:-}
|
|
- STRIPE_PROFESSIONAL_PRICE_ID=${STRIPE_PROFESSIONAL_PRICE_ID:-}
|
|
- STRIPE_ENTERPRISE_PRICE_ID=${STRIPE_ENTERPRISE_PRICE_ID:-}
|
|
- GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
|
|
- GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:-}
|
|
- GOOGLE_CALLBACK_URL=${GOOGLE_CALLBACK_URL:-http://localhost/api/auth/google/callback}
|
|
- AZURE_CLIENT_ID=${AZURE_CLIENT_ID:-}
|
|
- AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET:-}
|
|
- AZURE_TENANT_ID=${AZURE_TENANT_ID:-}
|
|
- AZURE_CALLBACK_URL=${AZURE_CALLBACK_URL:-http://localhost/api/auth/azure/callback}
|
|
- WEBAUTHN_RP_ID=${WEBAUTHN_RP_ID:-localhost}
|
|
- WEBAUTHN_RP_ORIGIN=${WEBAUTHN_RP_ORIGIN:-http://localhost}
|
|
- INVITE_TOKEN_SECRET=${INVITE_TOKEN_SECRET:-dev-invite-secret}
|
|
volumes:
|
|
- ./backend/src:/app/src
|
|
- ./backend/nest-cli.json:/app/nest-cli.json
|
|
- ./backend/tsconfig.json:/app/tsconfig.json
|
|
- ./backend/tsconfig.build.json:/app/tsconfig.build.json
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
networks:
|
|
- hoanet
|
|
|
|
frontend:
|
|
build:
|
|
context: ./frontend
|
|
dockerfile: Dockerfile.dev
|
|
# No host port mapping — dev traffic goes through the Docker nginx container.
|
|
# Production overlay maps 127.0.0.1:3001 for the host reverse proxy.
|
|
environment:
|
|
- NODE_ENV=${NODE_ENV}
|
|
volumes:
|
|
- ./frontend/src:/app/src
|
|
- ./frontend/index.html:/app/index.html
|
|
- ./frontend/vite.config.ts:/app/vite.config.ts
|
|
depends_on:
|
|
- backend
|
|
networks:
|
|
- hoanet
|
|
|
|
postgres:
|
|
image: postgres:15-alpine
|
|
environment:
|
|
- POSTGRES_USER=${POSTGRES_USER}
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
|
- POSTGRES_DB=${POSTGRES_DB}
|
|
ports:
|
|
- "5432:5432"
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
- ./db/init:/docker-entrypoint-initdb.d
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- hoanet
|
|
|
|
redis:
|
|
image: redis:7-alpine
|
|
command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
|
|
ports:
|
|
- "6379:6379"
|
|
volumes:
|
|
- redis_data:/data
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- hoanet
|
|
|
|
volumes:
|
|
postgres_data:
|
|
redis_data:
|
|
|
|
networks:
|
|
hoanet:
|
|
driver: bridge
|