164 lines
4.8 KiB
Markdown
164 lines
4.8 KiB
Markdown
# Formies Backend
|
|
|
|
A production-ready Rust backend for the Formies application.
|
|
|
|
## Features
|
|
|
|
- RESTful API endpoints
|
|
- SQLite database with connection pooling
|
|
- JWT-based authentication
|
|
- Rate limiting
|
|
- Structured logging
|
|
- Error tracking with Sentry
|
|
- Health check endpoint
|
|
- CORS support
|
|
- Configuration management
|
|
- Metrics endpoint
|
|
|
|
## Prerequisites
|
|
|
|
- Rust 1.70 or later
|
|
- SQLite 3
|
|
- Make (optional, for using Makefile commands)
|
|
|
|
## Configuration
|
|
|
|
The application can be configured using environment variables or a configuration file. The following environment variables are supported:
|
|
|
|
### Required Environment Variables
|
|
|
|
- `DATABASE_URL`: SQLite database URL (default: form_data.db)
|
|
- `BIND_ADDRESS`: Server bind address (default: 127.0.0.1:8080)
|
|
- `INITIAL_ADMIN_USERNAME`: Initial admin username
|
|
- `INITIAL_ADMIN_PASSWORD`: Initial admin password
|
|
|
|
### Optional Environment Variables
|
|
|
|
- `ALLOWED_ORIGIN`: CORS allowed origin
|
|
- `RUST_LOG`: Log level (default: info)
|
|
- `SENTRY_DSN`: Sentry DSN for error tracking
|
|
- `JWT_SECRET`: JWT secret key
|
|
- `JWT_EXPIRATION`: JWT expiration time in seconds
|
|
- `CAPTCHA_ENABLED`: Enable CAPTCHA verification for public form submissions (`true` or `false`, default: `false`)
|
|
- `CAPTCHA_SECRET_KEY`: The secret key provided by your CAPTCHA service (e.g., hCaptcha, reCAPTCHA)
|
|
- `CAPTCHA_VERIFICATION_URL`: The verification endpoint URL for your CAPTCHA service (e.g., `https://hcaptcha.com/siteverify`)
|
|
|
|
## Development
|
|
|
|
1. Clone the repository
|
|
2. Install dependencies:
|
|
```bash
|
|
cargo build
|
|
```
|
|
3. Set up environment variables:
|
|
```bash
|
|
cp .env.example .env
|
|
# Edit .env with your configuration
|
|
```
|
|
4. Run the development server:
|
|
```bash
|
|
cargo run
|
|
```
|
|
|
|
## Production Deployment
|
|
|
|
### Docker
|
|
|
|
1. Build the Docker image:
|
|
|
|
```bash
|
|
docker build -t formies-backend .
|
|
```
|
|
|
|
2. Run the container:
|
|
```bash
|
|
docker run -d \
|
|
--name formies-backend \
|
|
-p 8080:8080 \
|
|
-v $(pwd)/data:/app/data \
|
|
-e DATABASE_URL=/app/data/form_data.db \
|
|
-e BIND_ADDRESS=0.0.0.0:8080 \
|
|
-e INITIAL_ADMIN_USERNAME=admin \
|
|
-e INITIAL_ADMIN_PASSWORD=your-secure-password \
|
|
-e ALLOWED_ORIGIN=https://your-frontend-domain.com \
|
|
-e SENTRY_DSN=your-sentry-dsn \
|
|
formies-backend
|
|
```
|
|
|
|
### Systemd Service
|
|
|
|
1. Create a systemd service file at `/etc/systemd/system/formies-backend.service`:
|
|
|
|
```ini
|
|
[Unit]
|
|
Description=Formies Backend Service
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=formies
|
|
WorkingDirectory=/opt/formies-backend
|
|
ExecStart=/opt/formies-backend/formies-be
|
|
Restart=always
|
|
Environment=DATABASE_URL=/opt/formies-backend/data/form_data.db
|
|
Environment=BIND_ADDRESS=0.0.0.0:8080
|
|
Environment=INITIAL_ADMIN_USERNAME=admin
|
|
Environment=INITIAL_ADMIN_PASSWORD=your-secure-password
|
|
Environment=ALLOWED_ORIGIN=https://your-frontend-domain.com
|
|
Environment=SENTRY_DSN=your-sentry-dsn
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
```
|
|
|
|
2. Enable and start the service:
|
|
```bash
|
|
sudo systemctl enable formies-backend
|
|
sudo systemctl start formies-backend
|
|
```
|
|
|
|
## Monitoring
|
|
|
|
### Health Check
|
|
|
|
The application exposes a health check endpoint at `/api/health`:
|
|
|
|
```bash
|
|
curl http://localhost:8080/api/health
|
|
```
|
|
|
|
### Metrics
|
|
|
|
Metrics are available at `/metrics` when enabled in the configuration.
|
|
|
|
### Logging
|
|
|
|
Logs are written to the configured log file and can be viewed using:
|
|
|
|
```bash
|
|
tail -f logs/app.log
|
|
```
|
|
|
|
## Security
|
|
|
|
- All API endpoints are rate-limited
|
|
- CORS is configured to only allow specified origins
|
|
- JWT tokens are used for authentication
|
|
- Passwords are hashed using bcrypt
|
|
- SQLite database is protected with proper file permissions
|
|
|
|
### Form Submission Security
|
|
|
|
The public form submission endpoint (`/api/forms/{form_id}/submissions`) includes several security measures:
|
|
|
|
- **Global Rate Limiting:** The overall number of requests to the API is limited.
|
|
- **Per-Form, Per-IP Rate Limiting:** Limits the number of submissions one IP address can make to a specific form within a time window (e.g., 5 submissions per minute). Configurable in code.
|
|
- **CAPTCHA Verification:** If enabled via environment variables (`CAPTCHA_ENABLED=true`), requires a valid CAPTCHA token (e.g., from hCaptcha, reCAPTCHA, Turnstile) to be sent in the `captcha_token` field of the submission payload. The backend verifies this token with the configured provider.
|
|
- **Payload Size Limit:** The maximum size of the submission payload is limited (e.g., 1MB) to prevent DoS attacks. Configurable in code.
|
|
- **Input Validation:** Submission data is validated against the specific form's field definitions (type, required, length, pattern, etc.).
|
|
- **Notification Throttling:** Limits the rate at which notifications (Email, Ntfy) are sent per form to prevent spamming channels (e.g., max 1 per minute). Configurable in code.
|
|
|
|
## License
|
|
|
|
MIT
|