- Backend: Fastify with two listeners (public + internal), routes, services, DB migration + seed
- client_app: Flutter with BLoC, all auth screens (welcome, display name, register, OTP, force-register)
- mitra_app: Flutter with BLoC, OTP-only login
- control_center: React + Vite, email/password login, mitra/user management, anonymity settings
- Docs: phase1 plan, API contract, client app mockup
- CLAUDE.md and shared memory for all subprojects

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Halo Bestie — Backend
Fastify.js REST API serving both mobile apps and the internal control center.
See root CLAUDE.md for full project context and architectural decisions.
Stack
- Runtime: Node.js + Fastify.js
- Database: PostgreSQL via GCP Cloud SQL
- Auth: Firebase Auth JWT verification (no session, stateless)
- Payment: Xendit
- Infra: GCP Cloud Run
Two Listeners
Public (0.0.0.0:3000) → client_app + mitra_app routes
Internal (private IP:3001) → control_center routes only
Internal listener must never be exposed to the public internet.
Route Namespacing
/api/client/... → client app routes
/api/mitra/... → mitra app routes
/api/shared/... → shared routes (e.g. auth, lookup)
/internal/... → control center routes (internal listener only)
Auth Flow
- Firebase Auth issues JWT token on mobile/web
- Client sends JWT in the Authorization: Bearer <token> header
- Fastify verifies token using Firebase Admin SDK on every request
- User record fetched from PostgreSQL by Firebase UID
Key Conventions
- All routes must be authenticated unless explicitly marked public
- Internal routes have an additional role check (role: admin)
- Use Fastify plugins for shared middleware (auth, error handling, logging)
- Business logic lives in services/, never directly in route handlers
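The Auth Flow and the Key Conventions above (Bearer token on every request, user lookup by Firebase UID, extra role check on /internal routes) can be captured in one Fastify-style preHandler hook. The block below is an added example, not the project's own code: it keeps the Fastify hook signature but injects the token verifier and the user lookup so it runs offline. In the real service `verifyIdToken` would be `admin.auth().verifyIdToken(token)` from the Firebase Admin SDK and `findUserByUid` a PostgreSQL query by UID; the fake tokens and users here are constructed stand-ins, and `HttpError`, `buildAuthHook` and `runHook` are names assumed for this example.

```javascript
// Added example (not the project's code): a Fastify-style preHandler hook that
// enforces "authenticated on every route" plus the admin role check for the
// internal listener. Verifier and DB lookup are injected so this runs offline.

// Minimal error type; a Fastify error-handler plugin would map statusCode to HTTP.
class HttpError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Pull the raw ID token out of "Authorization: Bearer <token>".
// Anything else (missing header, other scheme, empty token) yields null.
function extractBearerToken(headers) {
  const value = headers && headers.authorization;
  if (typeof value !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Build the hook for one route group. requireRole is 'admin' for /internal.
function buildAuthHook({ verifyIdToken, findUserByUid, requireRole = null }) {
  return async function authHook(request) {
    const token = extractBearerToken(request.headers);
    if (!token) throw new HttpError(401, 'missing bearer token');

    let decoded;
    try {
      decoded = await verifyIdToken(token); // throws on bad signature or expiry
    } catch (err) {
      throw new HttpError(401, 'invalid token');
    }

    const user = await findUserByUid(decoded.uid); // stateless: DB, not session
    if (!user) throw new HttpError(401, 'unknown user');

    if (requireRole && user.role !== requireRole) {
      // Authenticated but not authorized: 403, not 401.
      throw new HttpError(403, 'insufficient role');
    }
    request.user = user; // route handlers and services read request.user
  };
}

// ---- Constructed stand-ins for the Firebase Admin verifier and the DB ----
const FAKE_TOKENS = { 'tok-alice': { uid: 'uid-alice' }, 'tok-bob': { uid: 'uid-bob' } };
async function fakeVerifyIdToken(token) {
  if (!(token in FAKE_TOKENS)) throw new Error('bad token');
  return FAKE_TOKENS[token];
}
const FAKE_USERS = {
  'uid-alice': { uid: 'uid-alice', role: 'admin' },
  'uid-bob': { uid: 'uid-bob', role: 'user' },
};
async function fakeFindUserByUid(uid) {
  return FAKE_USERS[uid] || null;
}

// Run a hook against a fake request; 200 means the hook let it through.
async function runHook(hook, authorization) {
  const request = { headers: authorization ? { authorization } : {} };
  try {
    await hook(request);
    return { status: 200, uid: request.user.uid };
  } catch (err) {
    return { status: err.statusCode || 500, uid: null };
  }
}

// Public listener routes: any valid Firebase user. Internal: admin only.
const publicHook = buildAuthHook({ verifyIdToken: fakeVerifyIdToken, findUserByUid: fakeFindUserByUid });
const internalHook = buildAuthHook({
  verifyIdToken: fakeVerifyIdToken,
  findUserByUid: fakeFindUserByUid,
  requireRole: 'admin',
});

// Demo: same user hitting a public route (200) and an internal route (403).
Promise.all([
  runHook(publicHook, 'Bearer tok-bob'),
  runHook(internalHook, 'Bearer tok-bob'),
]).then(([pub, internal]) => {
  console.log('public:', pub.status, 'internal:', internal.status);
});
```

Registering the hook once per listener (e.g. `app.addHook('preHandler', internalHook)` on the internal Fastify instance) is what makes "all routes must be authenticated unless explicitly marked public" a property of the plugin rather than of each handler; the distinction between 401 (not authenticated) and 403 (authenticated, wrong role) also keeps the control center's audit logs unambiguous.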