CentreForDigitalHumanities · XanderVertegaal · Apr 20, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.env.example b/.env.example
@@ -0,0 +1,5 @@
+POSTGRES_USER=
+POSTGRES_PASSWORD=
+POSTGRES_DB=
+DJANGO_SECRET_KEY=
+APP_VERSION=
diff --git a/.gitignore b/.gitignore
@@ -43,3 +43,6 @@ frontend/src/environments/version.ts
 /backend/fracas.xml
 /backend/snli_1.0_dev.txt
 /backend/snli_1.0_test.txt
+
+# Docker container logs
+logs/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -55,20 +55,36 @@ If you are reading this document, you'll likely be working with the integrated p
 
 ### Quickstart with Docker
 
+The application can be run in two modes: development mode and production mode. The former is meant for live development, while the latter is meant for simulating deployment conditions as closely as possible.
+
+Begin by creating a `.env` file in the project root with the following contents:
+
+```env
+POSTGRES_USER=my-user-name
+POSTGRES_PASSWORD=my-password
+POSTGRES_DB=langpro
+DJANGO_SECRET_KEY=my-secret-key
+APP_VERSION=1.0.0
+```
+
+Then update the values after the `=` as needed. The `POSTGRES_*` variables are used to configure the PostgreSQL database. The `DJANGO_SECRET_KEY` variable is used to set the Django `SECRET_KEY` setting. The `APP_VERSION` variable is used to set the version of the application, which is displayed in the frontend.
+
+Finally, run the command below to start the application in development mode.
+
 ```console
-docker compose up -d
+docker compose --profile dev up -d
 ```
 
 This will run the frontend and backend applications and watch all source files for changes. To run the backend unittests:
 
 ```console
-docker compose exec backend pytest
+docker compose exec backend-dev pytest
 ```
 
 To run the frontend unittests:
 
 ```console
-docker compose exec frontend yarn ng test --no-browsers
+docker compose exec frontend-dev yarn ng test --no-browsers
 ```
 
 then open http://localhost:9876 in a browser of choice.

diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -1,11 +1,24 @@
-FROM python:3.11
+FROM python:3.11-slim-trixie
+
+# Set environment variables.
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+# Install dependencies.
+RUN apt update
+RUN pip install gunicorn
 
-WORKDIR /usr/src/app/backend
 COPY requirements.txt .
-RUN pip install -U pip pip-tools && pip-sync
+RUN pip install -r requirements.txt --no-cache-dir
 
+# Set working directory.
+WORKDIR /usr/src/app
+
+# Copy project files.
 COPY . .
 
-CMD python manage.py check && \
-    python manage.py migrate && \
-    python manage.py runserver --settings glue --pythonpath .. 0.0.0.0:8000
+# Create a directory for Gunicorn logs (production).
+RUN mkdir -p /usr/src/app/logs
+
+# Expose port.
+EXPOSE 8000
diff --git a/backend/langpro_annotator/common_settings.py b/backend/langpro_annotator/common_settings.py
@@ -1,107 +1,110 @@
-INSTALLED_APPS = [
-    "django.contrib.admin",
-    "django.contrib.auth",
-    "django.contrib.contenttypes",
-    "django.contrib.sessions",
-    "django.contrib.messages",
-    "livereload",
-    "django.contrib.staticfiles",
-    "rest_framework",
-    "django.contrib.sites",
-    "rest_framework.authtoken",
-    "dj_rest_auth",
-    "dj_rest_auth.registration",
-    "allauth",
-    "allauth.account",
-    # Required for deleting accounts, but not actually used,
-    # cf. https://github.com/iMerica/dj-rest-auth/pull/110.
-    "allauth.socialaccount",
-    "user",
-    "revproxy",
-    "problem",
-    "annotation",
-]
-
-MIDDLEWARE = [
-    "django.middleware.security.SecurityMiddleware",
-    "django.contrib.sessions.middleware.SessionMiddleware",
-    "django.middleware.locale.LocaleMiddleware",
-    "django.middleware.common.CommonMiddleware",
-    "django.middleware.csrf.CsrfViewMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
-    "django.contrib.messages.middleware.MessageMiddleware",
-    "django.middleware.clickjacking.XFrameOptionsMiddleware",
-    "allauth.account.middleware.AccountMiddleware",
-]
-
-# Internationalization
-# https://docs.djangoproject.com/en/3.0/topics/i18n/
-LANGUAGES = [
-    ("en", "English"),
-    ("nl", "Nederlands"),
-]
-LANGUAGE_CODE = "en"
-
-TIME_ZONE = "Europe/Amsterdam"
-
-USE_I18N = True
-
-USE_TZ = True  # Authentication
-REST_FRAMEWORK = {
-    "DEFAULT_AUTHENTICATION_CLASSES": [
-        "rest_framework.authentication.TokenAuthentication",
-        "rest_framework.authentication.SessionAuthentication",
-    ]
-}
-
-AUTH_USER_MODEL = "user.User"
-ACCOUNT_EMAIL_VERIFICATION = "mandatory"
-ACCOUNT_SIGNUP_FIELDS = ["email*", "username*", "password1*", "password2*"]
-
-SITE_ID = 1
-SITE_NAME = "langpro_annotator"
-
-# Remove this setting in production!
-EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
-
-HOST = "localhost:8000"
-
-REST_AUTH = {
-    "USER_DETAILS_SERIALIZER": "user.serializers.CustomUserDetailsSerializer",
-}
-
-LOGGING = {
-    "version": 1,
-    "disable_existing_loggers": False,
-    "formatters": {
-        "verbose": {
-            "format": "{levelname} {asctime} {module} {message}",
-            "style": "{",
-        },
-        "simple": {
-            "format": "{levelname} {message}",
-            "style": "{",
-        },
-    },
-    "handlers": {
-        "console": {
-            "level": "INFO",
-            "class": "logging.StreamHandler",
-            "formatter": "simple",
-        },
-    },
-    "loggers": {
-        "django": {
-            "handlers": ["console"],
-            "level": "INFO",
-            "propagate": False,
-        },
-        "LangProAnnotator": {
-            "handlers": ["console"],
-            "level": "INFO",
-            "propagate": False,
-        },
-    },
-}
-
-LANGPRO_URL = "http://localhost:8080"
+import os
+
+
+INSTALLED_APPS = [
+    "django.contrib.admin",
+    "django.contrib.auth",
+    "django.contrib.contenttypes",
+    "django.contrib.sessions",
+    "django.contrib.messages",
+    "livereload",
+    "django.contrib.staticfiles",
+    "rest_framework",
+    "django.contrib.sites",
+    "rest_framework.authtoken",
+    "dj_rest_auth",
+    "dj_rest_auth.registration",
+    "allauth",
+    "allauth.account",
+    # Required for deleting accounts, but not actually used,
+    # cf. https://github.com/iMerica/dj-rest-auth/pull/110.
+    "allauth.socialaccount",
+    "user",
+    "revproxy",
+    "problem",
+    "annotation",
+]
+
+MIDDLEWARE = [
+    "django.middleware.security.SecurityMiddleware",
+    "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.locale.LocaleMiddleware",
+    "django.middleware.common.CommonMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
+    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django.contrib.messages.middleware.MessageMiddleware",
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "allauth.account.middleware.AccountMiddleware",
+]
+
+# Internationalization
+# https://docs.djangoproject.com/en/3.0/topics/i18n/
+LANGUAGES = [
+    ("en", "English"),
+    ("nl", "Nederlands"),
+]
+LANGUAGE_CODE = "en"
+
+TIME_ZONE = "Europe/Amsterdam"
+
+USE_I18N = True
+
+USE_TZ = True  # Authentication
+REST_FRAMEWORK = {
+    "DEFAULT_AUTHENTICATION_CLASSES": [
+        "rest_framework.authentication.TokenAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
+    ]
+}
+
+AUTH_USER_MODEL = "user.User"
+ACCOUNT_EMAIL_VERIFICATION = "mandatory"
+ACCOUNT_SIGNUP_FIELDS = ["email*", "username*", "password1*", "password2*"]
+
+SITE_ID = 1
+SITE_NAME = "langpro_annotator"
+
+# Remove this setting in production!
+EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
+
+HOST = "localhost:8000"
+
+REST_AUTH = {
+    "USER_DETAILS_SERIALIZER": "user.serializers.CustomUserDetailsSerializer",
+}
+
+LOGGING = {
+    "version": 1,
+    "disable_existing_loggers": False,
+    "formatters": {
+        "verbose": {
+            "format": "{levelname} {asctime} {module} {message}",
+            "style": "{",
+        },
+        "simple": {
+            "format": "{levelname} {message}",
+            "style": "{",
+        },
+    },
+    "handlers": {
+        "console": {
+            "level": "INFO",
+            "class": "logging.StreamHandler",
+            "formatter": "simple",
+        },
+    },
+    "loggers": {
+        "django": {
+            "handlers": ["console"],
+            "level": "INFO",
+            "propagate": False,
+        },
+        "LangProAnnotator": {
+            "handlers": ["console"],
+            "level": "INFO",
+            "propagate": False,
+        },
+    },
+}
+
+LANGPRO_URL = os.environ.get('LANGPRO_CONTAINER') or 'http://localhost:8080'
diff --git a/backend/langpro_annotator/settings.py b/backend/langpro_annotator/settings.py
@@ -19,13 +19,22 @@
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'kxreeb3bds$oibo7ex#f3bi5r+d(1x5zljo-#ms=i2%ih-!pvn'
+SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "django-insecure-1234567890")
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = int(os.getenv("DJANGO_DEBUG", 0)) == 1
 
-ALLOWED_HOSTS = ['localhost', '127.0.0.1']
+# CSRF trusted origins for cross-origin requests
+CSRF_TRUSTED_ORIGINS = []
 
+ALLOWED_HOSTS = ["la-backend"]
+
+if DEBUG:
+    ALLOWED_HOSTS.append("localhost")
+    CSRF_TRUSTED_ORIGINS.extend([
+        "http://localhost:5000",
+        "http://127.0.0.1:5000",
+    ])
 
 # Application definition
 

diff --git a/backend/langpro_annotator/urls.py b/backend/langpro_annotator/urls.py
@@ -22,6 +22,7 @@
 from rest_framework import routers
 
 from annotation.views import LabelAnnotationView
+from langpro_annotator.views import csrf_token
 from problem.views.problem import ProblemView
 
 from .index import index
@@ -33,10 +34,10 @@
 api_router.register(r"label", LabelAnnotationView, basename="labels")
 
 
-if settings.PROXY_FRONTEND:
-    spa_url = re_path(r"^(?P<path>.*)$", proxy_frontend)
-else:
-    spa_url = re_path(r"", index)
+# if settings.PROXY_FRONTEND:
+#     spa_url = re_path(r"^(?P<path>.*)$", proxy_frontend)
+# else:
+#     spa_url = re_path(r"", index)
 
 urlpatterns = [
     path("admin", RedirectView.as_view(url="/admin/", permanent=True)),
@@ -53,6 +54,7 @@
         ),
     ),
     path("api/i18n/", i18n),
+    path("api/csrf", csrf_token),
     path("users/", include("user.urls")),
-    spa_url,  # catch-all; unknown paths to be handled by a SPA
+    # spa_url,  # catch-all; unknown paths to be handled by a SPA
 ]
diff --git a/backend/langpro_annotator/views.py b/backend/langpro_annotator/views.py
@@ -0,0 +1,6 @@
+from django.views.decorators.csrf import ensure_csrf_cookie
+from django.http import JsonResponse
+
+@ensure_csrf_cookie
+def csrf_token(request):
+    return JsonResponse({"detail": "CSRF cookie set"})
diff --git a/backend/requirements.in b/backend/requirements.in
@@ -2,7 +2,7 @@ Django>=4.0.1,<5
 djangorestframework
 django-livereload-server
 django-revproxy>=0.10.0
-psycopg2
+psycopg2-binary
 pytest
 pytest-django
 pytest-xdist

diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -48,7 +48,7 @@ packaging==24.2
     # via pytest
 pluggy==1.5.0
     # via pytest
-psycopg2==2.9.10
+psycopg2-binary==2.9.10
     # via -r requirements.in
 pytest==8.3.5
     # via