Merge pull request #1 from Zenika/wip

First version of backend, just missing tests

Author: florian-forestier

.dockerignore

@@ -0,0 +1,5 @@
+*.sqlite
+*.db
+.idea/
+*.md
+Dockerfile

.gitignore

@@ -0,0 +1,135 @@
+# Created by https://www.toptal.com/developers/gitignore/api/intellij+all,visualstudiocode,go
+# Edit at https://www.toptal.com/developers/gitignore?templates=intellij+all,visualstudiocode,go
+
+### Go ###
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work
+
+### Intellij+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Intellij+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# End of https://www.toptal.com/developers/gitignore/api/intellij+all,visualstudiocode,go
+*.sqlite3

Dockerfile

@@ -0,0 +1,14 @@
+FROM golang:1.24-bookworm AS build
+
+WORKDIR /build
+COPY . .
+RUN go mod tidy
+RUN CGO_ENABLED=1 go build -tags=viper_bind_struct -o /build/til ./cmd
+
+FROM debian:bookworm AS run
+
+RUN apt update ; apt install -y ca-certificates
+WORKDIR /
+COPY --from=build /build/til /til
+RUN chmod +x /til
+ENTRYPOINT ["/til"]

README.md

@@ -1,11 +1,156 @@
-# TIL v2
+# Today I Learned (TiL) - v2
 
-Today I Learned is back 😎
+TIL is a simple software that aim to enable article and reflexion-sharing across all Zenika agencies in the world. It
+acts as an aggregator (as
+daily.dev can do), but on-premises and with filters on content to avoid being spammed with news that don't interest us.
 
-Documentation will come shortly
 
-**THIS IS A WIP!**
+## Getting started
 
-Run it: `TIL_SERVER_PORT=9023 TIL_DATABASE_FILE_NAME=toto.db TIL_DEBUG=false TIL_GOOGLE_CLIENT_ID=my_id TIL_GOOGLE_CLIENT_SECRET=my_secret TIL_JWT_SECRET=aaaaaa go run -tags=viper_bind_struct  ./cmd`
+### Developer tools
 
-Proudly powered by the Dobby Team.
+If you would like to develop TiL, the best way is to simply install Go on your computer ; then run
+`go run -tags=viper_bind_struct ./cmd`. The server
+will start on port 8000.
+
+### Docker
+
+If you simply want to run the application, Docker is the best way to do. Simply run `docker build -t til:latest .`, and
+run it! Full configuration
+reference below. Please think to mount database file in your container if you want persistent data!
+
+## Configuration
+
+All the configuration is done through environment variables. Viper is in charge of automatically parse them and load
+them in our Go application. The
+available environment variables are the following:
+
+* **(Mandatory)** `TIL_JWT_SECRET`: The secret key used to sign JWT tokens issued by the app.
+* **(Mandatory)** `TIL_GOOGLE_CLIENT_ID`: The Client ID for Google Authentication
+* **(Mandatory)** `TIL_GOOGLE_CLIENT_SECRET`: The Client Secret for Google Authentication
+* *(Optional)* `TIL_DEBUG` (default: `false`): Set this variable to `true` if you want to enable debug logs on
+  application. Please be careful: this mode will log WAY MORE information, even secret tokens! The debug mode will also
+  disable token expiry time check, which may lead to a lot of JWT renewal. Do not use this in production.
+* *(Optional)* `TIL_DATABASE_FILE_NAME` (default: `til.sqlite3`): Specify database file name (and location).
+* *(Optional)* `TIL_SERVER_PORT` (default: `8000`): Server port to listen on
+* *(Optional)* `TIL_GOOGLE_TOKEN_ENDPOINT` (default: `https://oauth2.googleapis.com/token`): The Google Authentication
+  endpoint to validate user token
+* *(Optional)* `TIL_DEFAULT_ADMIN` (default: none): The user to immediately promote as admin. Use his Google ID in this
+  variable to make it a superuser of the application. This variable will only take effect if ALL the following conditions are met :
+  * The variable is set to a non-void value;
+  * There is no other user (admin or not) in the database.
+
+
+## Tests
+
+Tests are made using Gherkin (Cucumber). This allows non-technical people to understand and collaborate to tests,
+improving security and coverage.
+
+All the tests can be find in `test/` folder. We are using a mock for the Google Authentication Server so you'll never
+have to provide a secret to run tests. The `test/` folder includes some secrets (notably an RSA key and a JWT secret
+key): these secrets are dedicated to our tests, and have never been used in production. Please do not report them as a
+security issue; we're perfectly aware of it. Obviously, do not use these secrets for your own production (otherwise,
+magic will probably happen!).
+
+All our tests are containerized to avoid configuration issues. To run them, simply type `go test -v ./test/`, and Golang
+will do the rest.
+
+The following sentences are available :
+
+#### Authentication
+
+* `I have a JWT token for my regular|admin user`
+    * This call will connect a user with the defined privilege. Every subsequent API calls will be authenticated using
+      this JWT token.
+* `I clear the current JWT token`
+    * Remove the current JWT token (if any). Every subsequent API calls will be unauthenticated.
+
+#### Database
+
+* `I reset the database`
+    * Reset the database by restarting the container
+
+#### HTTP
+
+* `I send a "GET|POST|PUT|DELETE" request to "ENDPOINT"`
+    * Send a request to the defined endpoint (an endpoint is an API path, for example `/posts`).
+* `I send a "GET|POST|PUT|DELETE" request to "ENDPOINT" with payload`
+    * Same as before, but add a payload to the request. The payload must be placed on the next line, between `"""`. See
+      example below or in `test/features/test.feature` for more details.
+* `the response code should be XXX`
+    * Check that the previous request sent have the defined status code.
+* `the response should have XXX items in path "PATH"`
+    * **WORKS ONLY ON ARRAYS** Count the number of items returned by the server in the JSON file.
+    * The path is the place on the JSON to look, dot-separated. `@` is the main document. For example, if you want to
+      access the `items` part of your JSON, the path will be `@.items`.
+* `I save the "XXXXX" header as "XXXXXX" for suite`
+    * Save the content of a header in a variable for later re-use. For example,
+      `I save the "X-Id" header as "postId" for suite` will allow you to write
+      `I send a "GET" request to "/posts/{{postId}}"` later on.
+* `I save the value "XXX" in path "YYY" as "ZZZ" for suite`
+  * Save the value XXX located in path YYY in a variable for later reuse. For example, `I save the value "id" in path "@" as "userId" for suite`
+* `the response should have the following content in path "XXX"`
+    * **WORKS ONLY ON OBJECTS** Check that the specified values for each key are correct.
+* `the response should have the following items in path "XXX"`
+    * **WORKS ONLY ON ARRAYS** Same as the previous one, but for arrays.
+* `the response should have the key "XXX" in path "YYY"`
+    * Check if the response contains a specified key in the desired path. For example `the response should have the key "id" in path "@.items.0"`
+* `the response should not have the key "XXX" in path "YYY"`
+    * The exact opposite as before ;-)
+
+
+### Example
+
+In this example, we log in as a regular user, then create a post before accessing it.
+
+```gherkin
+Feature: Demo
+
+  Scenario: Demo
+    When I have a JWT token for my regular user
+    And I send a "POST" request to "/posts" with payload
+      """
+      {
+        "title": "Test",
+        "link": "https://lamontagne.fr",
+        "tags": ["lang:fr"]
+      }
+      """
+    And the response code should be 201
+    And I save the "X-Post-Id" header as "postId" for suite
+    And I send a "GET" request to "/posts/"
+    And the response code should be 200
+    And the response should have the following content in path "@"
+      | total_items | total_pages | current_page | items_per_page |
+      | 1           | 1           | 0            | 20             |
+    And the response should have the following items in path "@.items"
+      | id         | title | link                  |
+      | {{postId}} | Test  | https://lamontagne.fr |
+    And the response should have 1 items in path "@.items.0.tags"
+    And the response should have the following items in path "@.items.0.tags"
+      | lang:fr |
+```
+
+## Will it scale?
+
+TiL is conceived following the KISS way of life; but it doesn't mean it won't scale. During our tests, we ran the
+following Locust file, with 50 concurrent users running 131 RPS:
+
+```py
+from locust import HttpUser, between, task
+
+
+class WebsiteUser(HttpUser):
+    @task
+    def index(self):
+        self.client.get("/posts", headers={"Authorization": "token"})
+
+
+    @task
+    def publish(self):
+        self.client.post("/posts", headers={"Authorization": ""}, json={"title":"essai", "link":"https://www.lamontagne.fr/paris-75000/actualites/coupure-de-courant-geante-habitants-dans-la-rue-metros-et-avions-a-l-arret-les-images-du-chaos-en-espagne-et-au-portugal_14679007/", "tags": ["failure", "electricity", "lang:fr"], "content": "severe electricty shortage in Spain and Portugal"})
+```
+
+During 10 minutes, the locust file generated roughly 30k entries in database, and the same amount of article queried.
+The Locust file ended with 0 failure and a MTRR around 600ms, which is a good result stating that our test is far above
+the real frequentation.

cmd/main.go

@@ -0,0 +1,68 @@
+package main
+
+import (
+	"fmt"
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/zenika/tilv2back/internal/configuration"
+	"github.com/zenika/tilv2back/internal/controllers"
+	"github.com/zenika/tilv2back/internal/repository"
+	"github.com/zenika/tilv2back/internal/structures"
+	"net/http"
+)
+
+func main() {
+	r := chi.NewRouter()
+	r.Use(controllers.HandleCORS)
+	r.Use(middleware.Logger)
+	r.Use(controllers.PaginationMiddleware)
+
+	// Unauthenticated endpoints
+	r.Get("/auth", controllers.RunAuth)
+	r.Get("/configuration", controllers.Configuration)
+
+	// Authenticated endpoints
+	r.Group(func(r chi.Router) {
+		r.Use(controllers.AuthenticationMiddleware)
+
+		r.Route("/posts", func(r chi.Router) {
+			r.Get("/stream", controllers.RealTimePostsUpdates)
+			r.Get("/", controllers.GetPosts)
+			r.Post("/", controllers.CreatePost)
+			r.Delete("/{postId}", controllers.DeletePost)
+			r.Get("/{postId}", controllers.GetPost)
+		})
+
+		r.Route("/users", func(r chi.Router) {
+			r.Get("/", controllers.GetUsers)
+			r.Delete("/{userId}", controllers.DeleteUser)
+			r.Get("/{userId}", controllers.GetUser)
+			r.Put("/{userId}", controllers.UpdateUser)
+			r.Put("/{userId}/renew", controllers.RenewFeedKey)
+		})
+
+		r.Route("/bookmarks", func(r chi.Router) {
+			r.Get("/", controllers.GetBookmarks)
+			r.Put("/{postId}", controllers.AddBookmark)
+			r.Delete("/{postId}", controllers.DeleteBookmark)
+		})
+
+		r.Get("/rss", controllers.GetRSSFeed)
+		r.Get("/tags", controllers.GetTags)
+		r.Get("/renew", controllers.RenewToken)
+	})
+
+	if users, err := repository.GetUsers(structures.Pagination{}, false); err == nil && users.TotalItems == 0 && configuration.Configuration.DefaultAdmin != "" {
+		_, err := repository.CreateUser(structures.User{
+			DisplayName: "Admin",
+			GoogleId:    configuration.Configuration.DefaultAdmin,
+			IsAdmin:     true,
+		})
+		if err != nil {
+			configuration.Logger.Error("Unable to register default admin.", err.Error())
+		}
+	}
+
+	configuration.Logger.Info(fmt.Sprintf("Server is now listening on port %d", configuration.Configuration.ServerPort))
+	_ = http.ListenAndServe(fmt.Sprintf(":%d", configuration.Configuration.ServerPort), r)
+}