romfast/space-booking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7ce430cc1d70637353aa97fc6a2b7cc115257b7d
space-booking/backend/app/main.py
Claude Agent 7ce430cc1d feat(security): harden for production deployment 
- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 19:44:20 +00:00

85 lines
3.5 KiB
Python
Raw Blame History

"""FastAPI application entry point."""
import os
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from fastapi.staticfiles import StaticFiles
from app.api.attachments import router as attachments_router
from app.api.audit_log import router as audit_log_router
from app.api.auth import router as auth_router
from app.api.booking_templates import router as booking_templates_router
from app.api.bookings import admin_router as bookings_admin_router
from app.api.bookings import bookings_router
from app.api.bookings import router as spaces_bookings_router
from app.api.google_calendar import router as google_calendar_router
from app.api.notifications import router as notifications_router
from app.api.organizations import admin_router as organizations_admin_router
from app.api.organizations import router as organizations_router
from app.api.properties import admin_router as properties_admin_router
from app.api.properties import manager_router as properties_manager_router
from app.api.properties import router as properties_router
from app.api.public import router as public_router
from app.api.reports import router as reports_router
from app.api.settings import router as settings_router
from app.api.spaces import admin_router as spaces_admin_router
from app.api.spaces import router as spaces_router
from app.api.users import admin_router as users_admin_router
from app.api.users import router as users_router
from app.core.config import settings
from app.db.session import Base, engine
# Create database tables
Base.metadata.create_all(bind=engine)
app = FastAPI(title=settings.app_name)
# CORS middleware
# In production only the configured frontend is allowed; localhost is dev-only.
_allowed_origins = [settings.frontend_url]
if settings.debug:
_allowed_origins.append("http://localhost:5173")
app.add_middleware(
CORSMiddleware,
allow_origins=_allowed_origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
# Include routers
app.include_router(auth_router, prefix="/api")
app.include_router(users_router, prefix="/api")
app.include_router(users_admin_router, prefix="/api")
app.include_router(spaces_router, prefix="/api")
app.include_router(spaces_admin_router, prefix="/api")
app.include_router(spaces_bookings_router, prefix="/api")
app.include_router(bookings_router, prefix="/api")
app.include_router(bookings_admin_router, prefix="/api")
app.include_router(booking_templates_router, prefix="/api")
app.include_router(settings_router, prefix="/api")
app.include_router(notifications_router, prefix="/api")
app.include_router(audit_log_router, prefix="/api", tags=["audit-log"])
app.include_router(attachments_router, prefix="/api", tags=["attachments"])
app.include_router(reports_router, prefix="/api", tags=["reports"])
app.include_router(google_calendar_router, prefix="/api", tags=["google-calendar"])
app.include_router(properties_router, prefix="/api")
app.include_router(properties_manager_router, prefix="/api")
app.include_router(properties_admin_router, prefix="/api")
app.include_router(organizations_router, prefix="/api")
app.include_router(organizations_admin_router, prefix="/api")
app.include_router(public_router, prefix="/api")
@app.get("/health")
def health() -> dict[str, str]:
"""Health check endpoint."""
return {"status": "ok"}
# Serve Vue.js frontend in production (when /app/dist exists)
_dist_dir = os.path.join(os.path.dirname(__file__), "..", "..", "dist")
if os.path.isdir(_dist_dir):
app.mount("/", StaticFiles(directory=_dist_dir, html=True), name="static")
Reference in New Issue View Git Blame Copy Permalink