d33b0ca2fe
Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers. Co-authored-by: Cursor <cursoragent@cursor.com>
EverShelf — Architecture (modular layout)
dispensa/
├── api/
│ ├── bootstrap.php # Shared init: env, security, DB, logger
│ ├── index.php # HTTP handlers + router (split planned per domain)
│ ├── database.php # SQLite schema & migrations
│ ├── logger.php # Rotating file logger (logs/)
│ ├── cron_smart_shopping.php # CLI cron (uses bootstrap + index handlers)
│ ├── lib/
│ │ ├── env.php # .env loader
│ │ ├── constants.php # Paths & pricing constants
│ │ ├── security.php # API auth, CORS, demo mode, scale allowlist
│ │ ├── github.php # Encrypted GitHub Issues token
│ │ └── cron_log.php # data/cron.log rotation
│ └── scale_*.php # Scale gateway helpers (auth + SSRF guards)
├── assets/
│ ├── js/
│ │ ├── core/ # auth.js, dom.js (loaded before app.js)
│ │ └── app.js # SPA logic (domain modules: future split)
│ └── vendor/ # Offline CDN fallbacks (quagga, transformers)
├── data/ # Runtime data (.htaccess: deny all)
├── logs/ # Application logs (.htaccess: deny all)
└── scripts/ # migrate-env-security, fix-permissions, encrypt-gh-token
Security model
- `API_TOKEN` (or legacy `SETTINGS_TOKEN`): when set, every API action requires `X-API-Token` header or `?api_token=` (Home Assistant).
- Secrets (`HA_TOKEN`, `TTS_TOKEN`, `GEMINI_API_KEY`) stay in `.env`; `get_settings` exposes only `*_set` flags.
- `GH_ISSUE_TOKEN_ENC` + `GH_ISSUE_TOKEN_KEY`: AES-256-GCM encrypted GitHub Issues token.
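An added sketch of the token check described in the first item, written in PHP to match the code base; it is not EverShelf's `api/lib/security.php`, and the function names, sample token and sample URL are assumptions. It also masks `?api_token=` before a URL is logged, because a token carried in the query string is recorded wherever the URL is.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical function names; not EverShelf's own code.

/** Configured token, or null when neither variable is set (auth not enforced). */
function configured_api_token(array $env): ?string
{
    foreach (['API_TOKEN', 'SETTINGS_TOKEN'] as $name) { // legacy name second
        if (isset($env[$name]) && is_string($env[$name]) && $env[$name] !== '') {
            return $env[$name];
        }
    }
    return null;
}

/** Token sent by the client: X-API-Token header first, ?api_token= as fallback. */
function presented_api_token(array $server, array $query): ?string
{
    // PHP exposes the X-API-Token request header as $_SERVER['HTTP_X_API_TOKEN'].
    foreach ([$server['HTTP_X_API_TOKEN'] ?? null, $query['api_token'] ?? null] as $value) {
        if (is_string($value) && $value !== '') { // rejects ?api_token[]=x arrays
            return $value;
        }
    }
    return null;
}

function is_authorized(array $env, array $server, array $query): bool
{
    $expected = configured_api_token($env);
    if ($expected === null) {
        return true; // the page's rule applies only "when set"
    }
    $given = presented_api_token($server, $query);
    // hash_equals() is PHP's timing-safe comparison, unlike == or ===.
    return $given !== null && hash_equals($expected, $given);
}

/** Mask the query-string token before a URL is written to a log. */
function redact_api_token(string $url): string
{
    return preg_replace('/([?&]api_token=)[^&#\s]*/', '${1}[redacted]', $url) ?? $url;
}

// Constructed sample values, for illustration only.
$env = ['API_TOKEN' => 'constructed-sample-token'];
var_dump(is_authorized($env, ['HTTP_X_API_TOKEN' => 'constructed-sample-token'], []));
var_dump(is_authorized($env, [], ['api_token' => 'wrong-token']));
echo redact_api_token('/api/index.php?api_token=constructed-sample-token&x=1'), "\n";
```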
Planned refactors
- Split `api/index.php` handlers into `api/handlers/{products,inventory,ai,shopping}.php`
- Split `assets/js/app.js` into ES modules under `assets/js/features/`
- Optional `npm run build` to minify JS/CSS (see `package.json`)