bc9e2d3782
All checks were successful
Build and Push Docker Images / docker (push) Successful in 1m22s
CRITICAL SECURITY FIXES: - Add webhook secret validation to prevent signature bypass - Implement idempotency protection across all webhook handlers - Add atomic database updates to prevent race conditions - Improve CORS security with origin validation and logging - Remove .env from git tracking to protect secrets STRIPE INTEGRATION: - Add support for checkout.session.expired webhook event - Add Stripe publishable key to environment configuration - Fix webhook handlers with proper idempotency checks - Update Order model with atomic updatePaymentAndStatus method - Add comprehensive logging for webhook processing DEPLOYMENT ARCHITECTURE: - Split into two Docker images (frontend-latest, backend-latest) - Update CI/CD to build separate frontend and backend images - Configure backend on port 3801 (internal 3001) - Add production-ready docker-compose.yml - Remove redundant docker-compose.portainer.yml - Update nginx configuration for both frontend and backend DOCUMENTATION: - Add PRODUCTION-SETUP.md with complete deployment guide - Add docs/stripe-security-fixes.md with security audit details - Add docs/stripe-checkout-sessions.md with integration docs - Add docs/stripe-webhooks.md with webhook configuration - Update .env.example with all required variables including Stripe publishable key CONFIGURATION: - Consolidate to single .env.example template - Update .gitignore to protect all .env variants - Add server/Dockerfile for backend container - Update DEPLOYMENT.md with new architecture 🔒 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
# Frontend - Vite React App (static files served by host Nginx)
|
|
web:
|
|
image: code.puffinoffset.com/matt/puffin-app:frontend-latest
|
|
container_name: puffin-frontend
|
|
ports:
|
|
- "3800:3000"
|
|
environment:
|
|
- NODE_ENV=production
|
|
- VITE_API_BASE_URL=${VITE_API_BASE_URL:-https://api.puffinoffset.com}
|
|
- VITE_WREN_API_TOKEN=${VITE_WREN_API_TOKEN}
|
|
- VITE_FORMSPREE_CONTACT_ID=${VITE_FORMSPREE_CONTACT_ID}
|
|
- VITE_FORMSPREE_OFFSET_ID=${VITE_FORMSPREE_OFFSET_ID}
|
|
restart: unless-stopped
|
|
networks:
|
|
- puffin-network
|
|
depends_on:
|
|
backend:
|
|
condition: service_healthy
|
|
|
|
# Backend - Express API Server
|
|
backend:
|
|
image: code.puffinoffset.com/matt/puffin-app:backend-latest
|
|
container_name: puffin-backend
|
|
ports:
|
|
- "3801:3001"
|
|
volumes:
|
|
- puffin-data:/app/data
|
|
environment:
|
|
- NODE_ENV=production
|
|
- PORT=3001
|
|
- FRONTEND_URL=${FRONTEND_URL:-https://puffinoffset.com}
|
|
- STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}
|
|
- STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET}
|
|
- WREN_API_TOKEN=${WREN_API_TOKEN}
|
|
- WREN_DRY_RUN=${WREN_DRY_RUN:-false}
|
|
- DATABASE_PATH=/app/data/orders.db
|
|
networks:
|
|
- puffin-network
|
|
restart: unless-stopped
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3001/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
|
|
networks:
|
|
puffin-network:
|
|
driver: bridge
|
|
|
|
volumes:
|
|
puffin-data:
|
|
driver: local
|