Fix initial user creating

3 hours ago · 66c84ecdeb
parent 3565390a49
commit 66c84ecdeb
16 changed files with 267 additions and 35 deletions
--- a/.env.example
+++ b/.env.example
@ -5,10 +5,18 @@ DB_PASSWORD=your_secure_password_here
 API_KEY_SALT=generate_random_salt_with_openssl
 CORS_ORIGIN=http://localhost:3001

+# Bootstrap admin
+BOOTSTRAP_ADMIN=true
+BOOTSTRAP_ADMIN_RESET_PASSWORD=false
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=change_this_admin_password
+ADMIN_FULL_NAME=Main administrator
+ADMIN_EMAIL=admin@polotsk-transit.local
+
 # Frontend
-API_URL=http://localhost:3000/api/v1
+API_URL=/api/v1

 # Production settings (uncomment for production)
 # NODE_ENV=production
 # CORS_ORIGIN=https://admin.yourdomain.com
-# API_URL=https://api.yourdomain.com/api/v1
+# API_URL=/api/v1
--- a/QUICKSTART.md
+++ b/QUICKSTART.md
@ -26,7 +26,7 @@ cp .env.example .env
 # Сгенерируйте безопасный пароль
 openssl rand -base64 32

-# Отредактируйте .env и вставьте сгенерированный пароль в DB_PASSWORD
+# Отредактируйте .env и вставьте сгенерированные пароли в DB_PASSWORD и ADMIN_PASSWORD
 nano .env
 ```

@ -56,6 +56,8 @@ curl -H "X-API-Key: dev_key_12345678" http://localhost:3000/api/v1/sync/status
 ### Шаг 5: Откройте админ-панель
 Откройте в браузере: http://localhost:3001

+Войдите под `admin` и паролем из `ADMIN_PASSWORD` в `.env`.
+
 **Готово! 🎉**

 ---
--- a/README.md
+++ b/README.md
@ -52,10 +52,11 @@ nano .env
 # Обязательно измените в продакшене!
 DB_PASSWORD=your_secure_password_here
 API_KEY_SALT=generate_random_salt_with_openssl
+ADMIN_PASSWORD=your_secure_admin_password_here

-# Для разработки оставьте как есть
+# Для разработки/деплоя через встроенный proxy оставьте как есть
 CORS_ORIGIN=http://localhost:3001
-API_URL=http://localhost:3000/api/v1
+API_URL=/api/v1
 ```

 Генерация безопасного salt:
@ -82,6 +83,10 @@ docker-compose logs -f
 - **PostgreSQL**: localhost:5432
 - **Redis**: localhost:6379

+Мастер-аккаунт создается автоматически при старте backend:
+- login: `admin`
+- password: значение `ADMIN_PASSWORD` из `.env` (если не задано, fallback `admin123`)
+
 ### 3. Проверка работоспособности

 ```bash
--- a/backend/package.json
+++ b/backend/package.json
@ -7,6 +7,7 @@
    "start": "node src/index.js",
    "dev": "nodemon src/index.js",
    "migrate": "node src/utils/migrate.js",
+    "create-admin": "node scripts/create-admin.js",
    "seed": "node src/utils/seed.js"
  },
  "keywords": [
--- a/backend/scripts/create-admin.js
+++ b/backend/scripts/create-admin.js
@ -1,29 +1,25 @@
-const bcrypt = require('bcrypt');
 const pool = require('../src/config/database');
+const { ensureBootstrapAdmin, readBootstrapAdminConfig } = require('../src/utils/bootstrapAdmin');

 async function createAdmin() {
-  const username = 'admin';
-  const password = 'admin123'; // Измените после первого входа!
-  const passwordHash = await bcrypt.hash(password, 10);
+  const config = readBootstrapAdminConfig();

  try {
-    const result = await pool.query(`
-      INSERT INTO users (username, password_hash, full_name, email, role, is_active)
-      VALUES ($1, $2, $3, $4, $5, $6)
-      ON CONFLICT (username) DO UPDATE 
-      SET password_hash = $2
-      RETURNING id, username, role
-    `, [username, passwordHash, 'Главный администратор', 'admin@polotsk-transit.local', 'admin', true]);
+    const result = await ensureBootstrapAdmin({
+      resetPassword: true,
+      createIfActiveAdminExists: true,
+    });

-    console.log('✅ Мастер-аккаунт создан:', result.rows[0]);
-    console.log('Username: admin');
-    console.log('Password: admin123');
-    console.log('⚠️  ОБЯЗАТЕЛЬНО смените пароль после первого входа!');
+    console.log('Master account is ready:', result.user);
+    console.log(`Username: ${config.username}`);
+    console.log(`Password: ${config.password}`);
+    console.log('Change this password after the first login.');
  } catch (error) {
-    console.error('❌ Ошибка:', error);
+    console.error('Error:', error);
+    process.exitCode = 1;
  } finally {
    await pool.end();
  }
 }

-createAdmin();
+createAdmin();
--- a/backend/src/index.js
+++ b/backend/src/index.js
@ -5,11 +5,13 @@ const compression = require('compression');
 require('dotenv').config();

 const logger = require('./config/logger');
+const pool = require('./config/database');
 const apiRoutes = require('./routes/api');
 const { authenticateApiKey } = require('./middleware/auth');
 const createRateLimiter = require('./middleware/rateLimiter');
 const { ensureRealtimeSchema } = require('./services/realtimeSchema');
 const { attachRealtimeServer, closeRealtimeServer } = require('./services/realtimeService');
+const { ensureBootstrapAdmin } = require('./utils/bootstrapAdmin');

 const app = express();
 const PORT = process.env.PORT || 3000;
@ -133,9 +135,31 @@ function shutdown(signal) {
 process.on('SIGTERM', () => shutdown('SIGTERM'));
 process.on('SIGINT', () => shutdown('SIGINT'));

+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function waitForDatabase({ attempts = 30, delayMs = 1000 } = {}) {
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      await pool.query('SELECT 1');
+      return;
+    } catch (error) {
+      if (attempt === attempts) {
+        throw error;
+      }
+
+      logger.warn(`Database is not ready yet (${attempt}/${attempts}); retrying...`);
+      await sleep(delayMs);
+    }
+  }
+}
+
 async function startServer() {
  try {
+    await waitForDatabase();
    await ensureRealtimeSchema();
+    await ensureBootstrapAdmin();

    server = app.listen(PORT, () => {
      logger.info(`Server is running on port ${PORT}`);
--- a/backend/src/utils/bootstrapAdmin.js
+++ b/backend/src/utils/bootstrapAdmin.js
@ -0,0 +1,122 @@
+const bcrypt = require('bcrypt');
+
+const pool = require('../config/database');
+const logger = require('../config/logger');
+
+const DEFAULT_ADMIN = {
+  username: 'admin',
+  password: 'admin123',
+  fullName: 'Main administrator',
+  email: 'admin@polotsk-transit.local',
+};
+
+function readBoolean(value, defaultValue) {
+  if (value === undefined || value === null || value === '') {
+    return defaultValue;
+  }
+
+  return ['1', 'true', 'yes', 'on'].includes(String(value).toLowerCase());
+}
+
+function readBootstrapAdminConfig(env = process.env) {
+  return {
+    enabled: readBoolean(env.BOOTSTRAP_ADMIN, true),
+    username: env.ADMIN_USERNAME || DEFAULT_ADMIN.username,
+    password: env.ADMIN_PASSWORD || DEFAULT_ADMIN.password,
+    fullName: env.ADMIN_FULL_NAME || DEFAULT_ADMIN.fullName,
+    email: env.ADMIN_EMAIL || DEFAULT_ADMIN.email,
+    resetPassword: readBoolean(env.BOOTSTRAP_ADMIN_RESET_PASSWORD, false),
+  };
+}
+
+async function activeAdminExists() {
+  const result = await pool.query(`
+    SELECT EXISTS (
+      SELECT 1
+      FROM users
+      WHERE role = 'admin' AND is_active = true
+    ) AS exists
+  `);
+
+  return result.rows[0]?.exists === true;
+}
+
+function validateConfig(config) {
+  if (!config.username) {
+    throw new Error('ADMIN_USERNAME cannot be empty');
+  }
+
+  if (!config.password || config.password.length < 6) {
+    throw new Error('ADMIN_PASSWORD must be at least 6 characters');
+  }
+}
+
+async function ensureBootstrapAdmin(options = {}) {
+  const config = {
+    ...readBootstrapAdminConfig(),
+    ...options,
+  };
+
+  if (!config.enabled) {
+    logger.info('Bootstrap admin is disabled');
+    return { changed: false, reason: 'disabled' };
+  }
+
+  validateConfig(config);
+
+  const existingResult = await pool.query(
+    'SELECT id, username, role, is_active FROM users WHERE username = $1',
+    [config.username]
+  );
+  const existingUser = existingResult.rows[0];
+
+  if (existingUser) {
+    const needsRepair = existingUser.role !== 'admin' || existingUser.is_active !== true;
+    const shouldResetPassword = config.resetPassword || needsRepair;
+
+    if (!needsRepair && !shouldResetPassword) {
+      logger.info(`Bootstrap admin already exists: ${config.username}`);
+      return { changed: false, user: existingUser };
+    }
+
+    const passwordHash = shouldResetPassword
+      ? await bcrypt.hash(config.password, 10)
+      : null;
+
+    const updateResult = await pool.query(`
+      UPDATE users
+      SET role = 'admin',
+          is_active = true,
+          full_name = COALESCE($2, full_name),
+          email = COALESCE($3, email),
+          password_hash = COALESCE($4, password_hash)
+      WHERE username = $1
+      RETURNING id, username, role, is_active
+    `, [config.username, config.fullName || null, config.email || null, passwordHash]);
+
+    logger.info(`Bootstrap admin repaired: ${config.username}`);
+    return { changed: true, user: updateResult.rows[0] };
+  }
+
+  const shouldCreateWithExistingAdmin = options.createIfActiveAdminExists === true;
+  if (!shouldCreateWithExistingAdmin && await activeAdminExists()) {
+    logger.info('Active admin already exists; default bootstrap admin was not created');
+    return { changed: false, reason: 'active-admin-exists' };
+  }
+
+  const passwordHash = await bcrypt.hash(config.password, 10);
+  const insertResult = await pool.query(`
+    INSERT INTO users (username, password_hash, full_name, email, role, is_active)
+    VALUES ($1, $2, $3, $4, 'admin', true)
+    RETURNING id, username, role, is_active
+  `, [config.username, passwordHash, config.fullName || null, config.email || null]);
+
+  logger.info(`Bootstrap admin created: ${config.username}`);
+  return { changed: true, user: insertResult.rows[0] };
+}
+
+module.exports = {
+  DEFAULT_ADMIN,
+  ensureBootstrapAdmin,
+  readBootstrapAdminConfig,
+};
--- a/backups/polotsk_transit.dump
+++ b/backups/polotsk_transit.dump
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
  postgres:
    image: postgis/postgis:15-3.3
@ -13,6 +11,11 @@ services:
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./backend/migrations:/docker-entrypoint-initdb.d
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U transit_admin -d polotsk_transit"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
    networks:
      - transit-network
    restart: unless-stopped
@ -24,6 +27,11 @@ services:
      - "6379:6379"
    volumes:
      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
    networks:
      - transit-network
    restart: unless-stopped
@ -41,11 +49,19 @@ services:
      API_KEY_SALT: ${API_KEY_SALT:-generate_random_salt}
      JWT_SECRET: ${JWT_SECRET:-change_me_in_production_use_random_string}
      CORS_ORIGIN: ${CORS_ORIGIN:-http://localhost:3001}
+      BOOTSTRAP_ADMIN: ${BOOTSTRAP_ADMIN:-true}
+      BOOTSTRAP_ADMIN_RESET_PASSWORD: ${BOOTSTRAP_ADMIN_RESET_PASSWORD:-false}
+      ADMIN_USERNAME: ${ADMIN_USERNAME:-admin}
+      ADMIN_PASSWORD: ${ADMIN_PASSWORD:-admin123}
+      ADMIN_FULL_NAME: ${ADMIN_FULL_NAME:-Main administrator}
+      ADMIN_EMAIL: ${ADMIN_EMAIL:-admin@polotsk-transit.local}
    ports:
      - "3000:3000"
    depends_on:
-      - postgres
-      - redis
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
    networks:
      - transit-network
    restart: unless-stopped
@ -58,10 +74,10 @@ services:
      context: ./frontend
      dockerfile: Dockerfile
      args:
-        VITE_API_URL: ${API_URL:-http://localhost:3000/api/v1}
+        VITE_API_URL: ${API_URL:-/api/v1}
    container_name: polotsk-transit-admin
    environment:
-      VITE_API_URL: ${API_URL:-http://localhost:3000/api/v1}
+      VITE_API_URL: ${API_URL:-/api/v1}
    ports:
      - "3001:80"
    depends_on:
--- a/frontend/.env.example
+++ b/frontend/.env.example
@ -1,2 +1,2 @@
-VITE_API_URL=http://localhost:3000/api/v1
+VITE_API_URL=/api/v1
 VITE_API_KEY=dev_key_12345678
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@ -3,7 +3,7 @@ FROM node:18-alpine as build

 WORKDIR /app

-ARG VITE_API_URL=http://localhost:3000/api/v1
+ARG VITE_API_URL=/api/v1
 ENV VITE_API_URL=$VITE_API_URL

 COPY package*.json ./
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@ -10,6 +10,28 @@ server {
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

+    # Same-origin API proxy for deployed admin panel
+    location /api/ {
+        proxy_pass http://backend:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /ws/ {
+        proxy_pass http://backend:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 3600s;
+    }
+
    # SPA routing
    location / {
        try_files $uri $uri/ /index.html;
--- a/frontend/src/pages/LoginPage.jsx
+++ b/frontend/src/pages/LoginPage.jsx
@ -117,7 +117,7 @@ export default function LoginPage() {
              Мастер-аккаунт по умолчанию:
            </p>
            <p className="text-xs text-gray-500 mt-1">
-              <code className="bg-gray-100 px-2 py-1 rounded">admin / admin123</code>
+              <code className="bg-gray-100 px-2 py-1 rounded">admin / ADMIN_PASSWORD</code>
            </p>
          </div>
        </div>
@ -129,4 +129,4 @@ export default function LoginPage() {
      </div>
    </div>
  );
-}
+}
--- a/frontend/src/utils/apiBaseUrl.js
+++ b/frontend/src/utils/apiBaseUrl.js
@ -1,4 +1,4 @@
-const DEFAULT_API_BASE_URL = 'http://localhost:3000/api/v1';
+const DEFAULT_API_BASE_URL = '/api/v1';

 function normalizePath(pathname) {
  const trimmedPath = (pathname || '').replace(/\/+$/, '');
@ -40,6 +40,6 @@ export function getApiOrigin(rawValue = import.meta.env.VITE_API_URL || DEFAULT_
    const url = new URL(getApiBaseUrl(rawValue));
    return `${url.protocol}//${url.host}`;
  } catch (error) {
-    return 'http://localhost:3000';
+    return typeof window !== 'undefined' ? window.location.origin : 'http://localhost:3000';
  }
 }
--- a/frontend/vite.config.js
+++ b/frontend/vite.config.js
@ -5,7 +5,17 @@ export default defineConfig({
  plugins: [react()],
  server: {
    host: true,
-    port: 3001
+    port: 3001,
+    proxy: {
+      '/api': {
+        target: 'http://localhost:3000',
+        changeOrigin: true
+      },
+      '/ws': {
+        target: 'ws://localhost:3000',
+        ws: true
+      }
+    }
  },
  build: {
    outDir: 'dist',
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -104,6 +104,32 @@ http {
        access_log /var/log/nginx/admin_access.log;
        error_log /var/log/nginx/admin_error.log;

+        location /api/ {
+            limit_req zone=api_limit burst=20 nodelay;
+
+            proxy_pass http://api_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_cache_bypass $http_upgrade;
+        }
+
+        location /ws/ {
+            proxy_pass http://api_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 3600s;
+        }
+
        location / {
            limit_req zone=admin_limit burst=10 nodelay;