maxbirkin/gooseek
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: auth service + security audit fixes + cleanup legacy services

Browse Source 
Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier

Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control

Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs

New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*

Made-with: Cursor
This commit is contained in:
home
2026-02-28 01:33:49 +03:00
parent 120fbbaafb
commit a0e3748dde
523 changed files with 10776 additions and 59630 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/deploy/docker/Dockerfile.all
View File

@@ -1,5 +1,5 @@
# Multi-service Dockerfile - builds all services
FROM golang:1.22-alpine AS builder
FROM golang:1.24-alpine AS builder
RUN apk add --no-cache git ca-certificates
@@ -21,17 +21,17 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/discover-svc ./cm
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/collection-svc ./cmd/collection-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/file-svc ./cmd/file-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/thread-svc ./cmd/thread-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/computer-svc ./cmd/computer-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/finance-heatmap-svc ./cmd/finance-heatmap-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/learning-svc ./cmd/learning-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/labs-svc ./cmd/labs-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/podcast-svc ./cmd/podcast-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/browser-svc ./cmd/browser-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/admin-svc ./cmd/admin-svc
# Runtime stage
FROM alpine:3.19
RUN apk add --no-cache ca-certificates tzdata
RUN apk add --no-cache ca-certificates tzdata docker-cli python3 py3-pip && \
pip3 install --break-system-packages openpyxl python-docx reportlab pillow pandas
WORKDIR /app
@@ -41,7 +41,7 @@ COPY --from=builder /bin/* /app/
ENV SERVICE=api-gateway
ENV PORT=3015
EXPOSE 3015 3018 3005 3001 3020 3021 3002 3025 3026 3027 3030
EXPOSE 3015 3018 3005 3001 3020 3021 3002 3025 3026 3027 3040
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget --no-verbose --tries=1 --spider http://localhost:${PORT}/health || exit 1

32
backend/deploy/docker/Dockerfile.computer-svc
View File

@@ -1,32 +0,0 @@
# Dockerfile for computer-svc only
FROM golang:1.22-alpine AS builder
RUN apk add --no-cache git ca-certificates
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build only computer-svc
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/computer-svc ./cmd/computer-svc
# Runtime stage
FROM alpine:3.19
RUN apk add --no-cache ca-certificates tzdata docker-cli
WORKDIR /app
COPY --from=builder /bin/computer-svc /app/computer-svc
ENV PORT=3030
EXPOSE 3030
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget --no-verbose --tries=1 --spider http://localhost:3030/health || exit 1
CMD ["/app/computer-svc"]

125
backend/deploy/docker/docker-compose.yml
View File

@@ -1,6 +1,27 @@
version: '3.8'
services:
auth-svc:
build:
context: ../..
dockerfile: deploy/docker/Dockerfile.all
environment:
- SERVICE=auth-svc
- PORT=3050
- DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
- JWT_SECRET=${JWT_SECRET}
ports:
- "3050:3050"
depends_on:
- postgres
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3050/health"]
interval: 30s
timeout: 10s
retries: 3
networks:
- gooseek
api-gateway:
build:
context: ../..
@@ -8,23 +29,26 @@ services:
environment:
- SERVICE=api-gateway
- PORT=3015
- AUTH_SVC_URL=http://auth-svc:3050
- CHAT_SVC_URL=http://chat-svc:3005
- MASTER_AGENTS_SVC_URL=http://agent-svc:3018
- SEARCH_SVC_URL=http://search-svc:3001
- LLM_SVC_URL=http://llm-svc:3020
- SCRAPER_SVC_URL=http://scraper-svc:3021
- THREAD_SVC_URL=http://thread-svc:3027
- COMPUTER_SVC_URL=http://computer-svc:3030
- DISCOVER_SVC_URL=http://discover-svc:3002
- FINANCE_HEATMAP_SVC_URL=http://finance-heatmap-svc:3033
- LEARNING_SVC_URL=http://learning-svc:3034
- ADMIN_SVC_URL=http://admin-svc:3040
- JWT_SECRET=${JWT_SECRET}
ports:
- "3015:3015"
depends_on:
- auth-svc
- chat-svc
- agent-svc
- thread-svc
- computer-svc
- admin-svc
networks:
- gooseek
@@ -187,53 +211,6 @@ services:
networks:
- gooseek
computer-svc:
build:
context: ../..
dockerfile: deploy/docker/Dockerfile.all
environment:
- SERVICE=computer-svc
- PORT=3030
- COMPUTER_SVC_PORT=3030
- DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
- REDIS_URL=redis://redis:6379
- OPENAI_API_KEY=${OPENAI_API_KEY}
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- GEMINI_API_KEY=${GEMINI_API_KEY}
- TIMEWEB_API_BASE_URL=${TIMEWEB_API_BASE_URL}
- TIMEWEB_AGENT_ACCESS_ID=${TIMEWEB_AGENT_ACCESS_ID}
- TIMEWEB_API_KEY=${TIMEWEB_API_KEY}
- TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN}
- SANDBOX_IMAGE=python:3.11-slim
- BROWSER_SVC_URL=http://browser-svc:3050
ports:
- "3030:3030"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- checkpoints:/data/checkpoints
depends_on:
- postgres
- redis
- browser-svc
networks:
- gooseek
browser-svc:
build:
context: ../..
dockerfile: deploy/docker/Dockerfile.all
environment:
- SERVICE=browser-svc
- PORT=3050
- BROWSER_SVC_PORT=3050
ports:
- "3050:3050"
volumes:
- screenshots:/tmp/gooseek-screenshots
- recordings:/tmp/gooseek-recordings
networks:
- gooseek
labs-svc:
build:
context: ../..
@@ -304,14 +281,60 @@ services:
networks:
- gooseek
admin-svc:
build:
context: ../..
dockerfile: deploy/docker/Dockerfile.all
environment:
- SERVICE=admin-svc
- PORT=3040
- ADMIN_SVC_PORT=3040
- DATABASE_URL=postgres://gooseek:gooseek@postgres:5432/gooseek?sslmode=disable
- JWT_SECRET=${JWT_SECRET}
- AUTH_SVC_URL=${AUTH_SVC_URL}
- MINIO_ENDPOINT=minio:9000
- MINIO_ACCESS_KEY=minioadmin
- MINIO_SECRET_KEY=minioadmin
- MINIO_BUCKET=gooseek
- MINIO_USE_SSL=false
ports:
- "3040:3040"
depends_on:
- postgres
- minio
networks:
- gooseek
minio:
image: minio/minio:latest
command: server /data --console-address ":9001"
environment:
- MINIO_ROOT_USER=minioadmin
- MINIO_ROOT_PASSWORD=minioadmin
volumes:
- minio-data:/data
ports:
- "9000:9000"
- "9001:9001"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 10s
retries: 3
networks:
- gooseek
webui:
build:
context: ../../webui
dockerfile: Dockerfile
args:
- NEXT_PUBLIC_DISABLED_ROUTES=${NEXT_PUBLIC_DISABLED_ROUTES:-/travel,/medicine,/finance,/learning,/spaces,/history}
environment:
- NODE_ENV=production
- API_URL=http://api-gateway:3015
- NEXT_PUBLIC_API_URL=
- NEXT_PUBLIC_DISABLED_ROUTES=${NEXT_PUBLIC_DISABLED_ROUTES:-/travel,/medicine,/finance,/learning,/spaces,/history}
ports:
- "3000:3000"
depends_on:
@@ -379,7 +402,5 @@ volumes:
postgres-data:
redis-data:
file-storage:
checkpoints:
screenshots:
recordings:
podcasts:
minio-data:

137
backend/deploy/k8s/computer-svc.yaml
View File

@@ -1,137 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: computer-svc
namespace: gooseek
labels:
app: computer-svc
spec:
replicas: 1
selector:
matchLabels:
app: computer-svc
template:
metadata:
labels:
app: computer-svc
spec:
containers:
- name: computer-svc
image: gooseek/backend:latest
command: ["/app/computer-svc"]
ports:
- containerPort: 3030
env:
- name: COMPUTER_SVC_PORT
value: "3030"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: DATABASE_URL
- name: REDIS_URL
valueFrom:
configMapKeyRef:
name: gooseek-config
key: REDIS_URL
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: OPENAI_API_KEY
- name: ANTHROPIC_API_KEY
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: ANTHROPIC_API_KEY
optional: true
- name: GEMINI_API_KEY
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: GEMINI_API_KEY
optional: true
- name: TELEGRAM_BOT_TOKEN
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: TELEGRAM_BOT_TOKEN
optional: true
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: SMTP_HOST
optional: true
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: SMTP_USERNAME
optional: true
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: SMTP_PASSWORD
optional: true
- name: S3_ENDPOINT
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: S3_ENDPOINT
optional: true
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: S3_ACCESS_KEY
optional: true
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: gooseek-secrets
key: S3_SECRET_KEY
optional: true
- name: SANDBOX_IMAGE
value: "gooseek/sandbox:latest"
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
livenessProbe:
httpGet:
path: /health
port: 3030
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: 3030
initialDelaySeconds: 5
periodSeconds: 10
volumeMounts:
- name: docker-socket
mountPath: /var/run/docker.sock
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
type: Socket
---
apiVersion: v1
kind: Service
metadata:
name: computer-svc
namespace: gooseek
spec:
selector:
app: computer-svc
ports:
- port: 3030
targetPort: 3030
type: ClusterIP

1
backend/deploy/k8s/kustomization.yaml
View File

@@ -18,7 +18,6 @@ resources:
- collection-svc.yaml
- file-svc.yaml
- thread-svc.yaml
- computer-svc.yaml
- ingress.yaml
commonLabels: