GREACT/KIS-TOiR
7
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e6b76cef2495d252e4fe29e13410200bfd51b8b
KIS-TOiR/backend/runtime-rules.md
MaKarin 8d6875f4b0 keycloak init
2026-03-21 16:00:27 +03:00

153 lines
4.7 KiB
Markdown
Raw Blame History

# Backend Runtime Rules
This document defines runtime configuration requirements for the generated backend. Generators must produce a project that runs without errors when these rules are followed.
---
# Environment Variables
The backend **must** have a `.env` file at the project root (e.g. `server/.env` or backend package root). This file must **not** be committed with real credentials; provide an example instead (e.g. `.env.example`).
## Required variables
| Variable | Required | Description |
| -------------------- | -------- | ----------- |
| PORT | Yes | Backend listen port |
| DATABASE_URL | Yes | PostgreSQL connection string for Prisma |
| CORS_ALLOWED_ORIGINS | Yes | Comma-separated SPA origins allowed to call the API |
| KEYCLOAK_ISSUER_URL | Yes | Keycloak issuer URL used for JWT verification |
| KEYCLOAK_AUDIENCE | Yes | Backend audience/client expected in access tokens |
| KEYCLOAK_JWKS_URL | No | Optional explicit JWKS URL |
## Example
```env
PORT=3000
DATABASE_URL="postgresql://postgres:postgres@localhost:5432/toir"
CORS_ALLOWED_ORIGINS="http://localhost:5173,https://toir-frontend.greact.ru"
KEYCLOAK_ISSUER_URL="https://sso.greact.ru/realms/toir"
KEYCLOAK_AUDIENCE="toir-backend"
# KEYCLOAK_JWKS_URL="https://sso.greact.ru/realms/toir/protocol/openid-connect/certs"
```
## Generation requirement
When generating the backend, **always** create:
1. **`.env.example`** — with placeholder DATABASE_URL and instructions.
2. **`.env`** — with local development example values so the app can start.
If the generator does not create `.env`, the first run will fail with:
```
Environment variable not found: DATABASE_URL
```
## Fail-fast requirement
The generated backend must validate required runtime and auth variables at startup.
Rules:
1. Missing required auth variables must stop startup immediately.
2. The generated backend must not silently fall back to production auth settings in code.
3. Auth env validation must be implemented explicitly in generated config/bootstrap code.
---
# Authentication Runtime Rules
The generated backend must verify JWTs against Keycloak using:
- issuer
- audience
- JWKS
JWKS resolution priority must be exactly:
1. explicit `KEYCLOAK_JWKS_URL`
2. OIDC discovery
3. `${issuer}/protocol/openid-connect/certs`
The generated backend must extract authorization roles only from `realm_access.roles`.
---
# Prisma Client Generation
After the Prisma schema is generated or modified, the Prisma client must be generated.
## Command
```bash
npx prisma generate
```
## Lifecycle rule
Add to generated `package.json` so that `prisma generate` runs after every `npm install`:
```json
{
"scripts": {
"postinstall": "prisma generate"
}
}
```
This ensures that after cloning or installing dependencies, the Prisma client is available without a manual step.
**Note:** Path may need to be adjusted if Prisma schema lives in a subfolder (e.g. `prisma generate` is typically run from the package root where `prisma/schema.prisma` exists).
---
# Database Migration
The generation process must document and support database migration.
## Command
```bash
npx prisma migrate dev
```
Run after:
1. Prisma schema has been generated or updated.
2. `npx prisma generate` has been run.
## Generation requirement
1. Include migration in the backend generation pipeline (see `generation/backend-generation.md`).
2. Document in README or post-generation validation that the user must run `npx prisma migrate dev` before first run (or provide a setup script that runs it).
---
# CORS Rules
The generated backend must support the SPA -> API bearer-token model explicitly.
Rules:
1. Use `CORS_ALLOWED_ORIGINS` as the allowed origin list.
2. Allow at minimum these example origins in `.env.example`:
- `http://localhost:5173`
- `https://toir-frontend.greact.ru`
3. Allow `Authorization` and JSON content headers.
4. Expose `Content-Range` because React Admin depends on it.
5. Do not enable credentials by default.
---
# Summary
| Requirement | Action |
| ----------------------- | ------ |
| Runtime env | Create `.env` and `.env.example` with DB, auth, and CORS variables |
| Fail-fast config | Validate required auth/runtime variables at startup |
| Prisma client | Run `npx prisma generate`; add `postinstall` script |
| Database schema | Document/run `npx prisma migrate dev` after schema generation |
| JWT verification | Use issuer + audience + JWKS with explicit resolution priority |
| Role extraction | Use only `realm_access.roles` |
| CORS | Support SPA -> API bearer flow and expose `Content-Range` |
Reference in New Issue View Git Blame Copy Permalink