A production-oriented modular monolith backend for a food-delivery platform. It contains complete workflows for customers, restaurant owners, administrators and delivery partners and is structured so modules can later be separated into microservices.
- JWT access and refresh tokens with Argon2 password hashing
- Role-based access control: customer, restaurant owner, delivery partner and admin
- Customer addresses
- Restaurant onboarding and admin approval
- Menu categories and menu item management
- One-restaurant cart with availability and quantity validation
- Transactional checkout with immutable item-price snapshots
- Tax, delivery fee and minimum-order calculation
- Order status history and validated state transitions
- Idempotent payment creation, cash on delivery and mock-card gateway
- Delivery-partner assignment, pickup, live coordinates and delivery completion
- Admin overview analytics and audit logs
- PostgreSQL, Redis, Celery, Docker Compose and Alembic
- Request IDs, CORS, health/readiness endpoints and automated tests
The payment adapter intentionally simulates a provider. Connect a real PCI-compliant provider such as Razorpay or Stripe on the server; never collect raw card data in this API.
Client applications
|
v
FastAPI REST API
|-- Auth/RBAC
|-- Restaurants & Menu
|-- Cart & Pricing
|-- Orders & Payments
|-- Delivery Operations
|-- Analytics & Audit
|
+------ PostgreSQL
+------ Redis ------ Celery Worker
cp .env.example .env
docker compose up --buildOpen:
- Swagger UI:
http://localhost:8000/docs - ReDoc:
http://localhost:8000/redoc - Health:
http://localhost:8000/health
Seed demo records in another terminal:
docker compose exec api python -m scripts.seedDemo password for every seeded account: Password@123
| Role | |
|---|---|
| Admin | admin@foodapp.local |
| Restaurant owner | owner@foodapp.local |
| Customer | customer@foodapp.local |
| Delivery partner | rider@foodapp.local |
Python 3.11 or 3.12 is recommended.
python -m venv .venv
# Windows PowerShell: .venv\Scripts\Activate.ps1
# Linux/macOS: source .venv/bin/activate
pip install -r requirements.txt
cp .env.example .envFor a zero-infrastructure local run, edit .env:
DATABASE_URL=sqlite:///./food_delivery.db
AUTO_CREATE_TABLES=trueThen run:
python -m scripts.seed
uvicorn app.main:app --reload- Register or use a seeded customer.
- Log in through
POST /api/v1/auth/login. Swagger uses the email in theusernamefield. - Create an address.
- Browse approved restaurants and menu items.
- Add menu items to the cart.
- Checkout to create an order.
- Create a COD or mock-card payment using a unique idempotency key.
- Restaurant owner confirms, prepares and marks the order ready.
- Admin assigns a delivery partner.
- Delivery partner accepts, picks up and delivers the order.
| Method | Endpoint | Role |
|---|---|---|
| POST | /api/v1/auth/register |
Public |
| POST | /api/v1/auth/login |
Public |
| GET | /api/v1/restaurants |
Public |
| GET | /api/v1/restaurants/{id}/menu |
Public |
| POST | /api/v1/users/addresses |
Authenticated |
| POST | /api/v1/cart/items |
Customer |
| POST | /api/v1/orders/checkout |
Customer |
| POST | /api/v1/payments/orders/{order_id} |
Customer |
| PATCH | /api/v1/orders/{order_id}/status |
Owner/Admin |
| POST | /api/v1/deliveries/orders/{order_id}/assign |
Admin |
| PATCH | /api/v1/deliveries/{assignment_id}/status |
Delivery partner |
| GET | /api/v1/analytics/overview |
Admin |
pytest --cov=app --cov-report=term-missing
ruff check .Before a public deployment:
- Replace
SECRET_KEY, use a secrets manager and rotate credentials. - Set
AUTO_CREATE_TABLES=false; use reviewed Alembic migrations. - Put the API behind TLS and a reverse proxy/API gateway.
- Add signed real-payment webhooks and provider-side idempotency.
- Add refresh-token revocation/session storage for high-security deployments.
- Use Redis-backed rate limiting and distributed locks where required.
- Add email/SMS/push providers, object storage and observability exporters.
- Configure backups, database replicas, structured log collection and alerts.
- Run vulnerability, SAST, DAST and load tests before launch.
The strongest future extraction boundaries are:
- Identity service
- Restaurant/catalogue service
- Cart service
- Order service
- Payment service
- Delivery service
- Notification service
- Analytics pipeline
Publish domain events through Kafka or another durable broker only after the operational complexity is justified.