chore: initial project setup with backend, frontend, and infrastructure
Some checks failed
CI / backend (push) Failing after 31s
CI / frontend (push) Successful in 40s
CI / docker (push) Has been skipped

Add complete NexaPantry application structure including:
- Docker Compose configuration with PostgreSQL, Redis, FastAPI backend, worker, frontend and Caddy
- Environment configuration template with database, auth, and service settings
- GitHub Actions CI workflow for backend/frontend linting, testing, auditing and Docker builds
- AGPL-3.0 license and comprehensive README with setup, development, and security documentation
- Backend
2026-06-04 10:26:38 +02:00
commit 3792ca55e7
74 changed files with 13417 additions and 0 deletions

docs/architecture.md Normal file (15 lines)

@@ -0,0 +1,15 @@
# Architecture
NexaPantry uses a small but explicit service architecture:
- React/Vite/TypeScript frontend with TailwindCSS and PWA service worker
- FastAPI backend with SQLAlchemy ORM
- PostgreSQL as the system of record
- Redis for future distributed rate limiting and queued job coordination
- Caddy as reverse proxy and security header layer
- Worker process for expiry notifications and mail delivery preparation
Core authorization is home-scoped. Every product, shopping item and recipe request first checks the caller's home membership. Instance admins can manage system settings and users through dedicated admin endpoints.
External barcode lookup is hidden behind `ProductLookup`, currently implemented by `OpenFoodFactsLookup`. A future provider can be added without changing the frontend contract.
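Review bot: "Redis for future distributed rate limiting" contradicts docs/security.md in this same commit, which lists login, invite and reset rate limits as already in place. State here how the current limiter works (presumably in-process per backend replica, so counters reset on restart and are not shared between backend and worker or across replicas) and which part moves to Redis later, so an operator scaling the backend knows the limits are per replica until then. The "Core authorization is home-scoped" paragraph would also benefit from one sentence on what the membership check covers: that object IDs in product, shopping item and recipe requests are resolved within the caller's home rather than globally, and whether instance admin endpoints are separate from home membership.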

docs/deployment.md Normal file (13 lines)

@@ -0,0 +1,13 @@
# Deployment
1. Point a domain at the host.
2. Copy `.env.example` to `.env`.
3. Replace all secrets and database passwords.
4. Set `INSTANCE_URL=https://your.domain`.
5. Set `FRONTEND_ORIGIN=https://your.domain`.
6. Set `COOKIE_SECURE=true`.
7. Configure Caddy with your domain instead of `:80` when using automatic TLS.
8. Start with `docker compose up -d`.
For production, expose only Caddy ports. PostgreSQL, Redis, backend and frontend remain on the private Compose network.
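Review bot: Step 7 reads as optional ("when using automatic TLS"), but steps 4 to 6 already require TLS: `COOKIE_SECURE=true` means browsers drop the session cookie over plain HTTP and `INSTANCE_URL=https://...` must match what Caddy actually serves, so a reader who leaves `:80` ends up with an instance that cannot log in. Suggest making step 7 unconditional, e.g. `7. Replace ":80" in the Caddyfile with your domain so Caddy obtains a certificate automatically.` Step 3 should also say how to generate the secrets (a CSPRNG such as `openssl rand -hex 32`) rather than leaving that to the reader. For the last paragraph, spell out that "expose only Caddy ports" means the PostgreSQL, Redis, backend and frontend services must have no `ports:` mapping in docker-compose, since ports published by Docker are reachable from outside regardless of a host firewall such as ufw.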

docs/security.md Normal file (25 lines)

@@ -0,0 +1,25 @@
# Security Checklist
- Passwords: Argon2id via Passlib.
- Session: HttpOnly SameSite cookies with JWT payloads.
- CSRF: double-submit token for unsafe API methods.
- Tokens: invitation and reset tokens are random, expiring and stored as SHA-256 hashes.
- SMTP secret: encrypted with Fernet.
- CORS: explicit allowed origins only.
- CSP: set by Caddy for the frontend surface.
- IDOR: home-scoped APIs verify membership.
- SQL injection: SQLAlchemy query builder and parameter binding.
- Audit logs: admin and sensitive actions are recorded without secrets.
- Rate limits: login, invite and reset-sensitive endpoints are throttled.
Recommended external tools:
```sh
pip-audit
bandit -r backend/app
npm audit --audit-level=moderate
gitleaks detect --source .
trivy fs .
trivy image <image>
```
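Review bot: The "Session" line leaves out the details a reader of a security checklist needs: the SameSite value (Lax or Strict), that the `Secure` flag is tied to `COOKIE_SECURE` from docs/deployment.md, the JWT lifetime, and whether a JWT carried in a cookie can be revoked before it expires (on logout, password reset or user disable by an instance admin). If the JWT is stateless, say so and document the mitigation; if there is a server-side denylist or session table, name it. Likewise "SMTP secret: encrypted with Fernet" should state where the Fernet key lives; if it sits in the same `.env` as the database password, the encryption adds no protection against a `.env` leak and the line should say that the goal is keeping the secret out of database dumps. For "Rate limits", note whether the counters are per process (see "Redis for future distributed rate limiting" in docs/architecture.md) so that operators do not assume a global limit. In the tool list, `trivy image <image>` is only useful with the actual image name the compose file builds; consider referencing it directly.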