splunk
diff --git a/‎.github/workflows/ci-build.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci-build.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/ci-main.yaml‎
Lines changed: 15 additions & 17 deletions b/‎.github/workflows/ci-main.yaml‎
Lines changed: 15 additions & 17 deletions
diff --git a/‎.github/workflows/ci-release.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci-release.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎backend/Dockerfile‎
Lines changed: 15 additions & 11 deletions b/‎backend/Dockerfile‎
Lines changed: 15 additions & 11 deletions
diff --git a/‎backend/SC4SNMP_UI_backend/__init__.py‎
Lines changed: 163 additions & 20 deletions b/‎backend/SC4SNMP_UI_backend/__init__.py‎
Lines changed: 163 additions & 20 deletions
@@ -78,7 +78,7 @@ jobs:
           cache-to: type=inline
       - uses: actions/setup-node@v4.0.2
         with:
-          node-version: "20.12"
+          node-version: "22"
 
   build-backend:
     name: build-backend
@@ -128,4 +128,4 @@ jobs:
           cache-to: type=inline
       - uses: actions/setup-node@v4.0.2
         with:
-          node-version: "20.12"
+          node-version: "22"
@@ -37,13 +37,15 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - 3.9
+          - "3.12"
     steps:
       - uses: actions/checkout@v4
       - name: Setup python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: backend/requirements.txt
       - name: Install packages
         working-directory: ./backend
         run: pip install -r ./requirements.txt
@@ -56,25 +58,21 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 20.12
+          - 22
     steps:
       - uses: actions/checkout@v4
       - name: Set Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v4.0.2
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Run install
-        uses: borales/actions-yarn@v4
-        with:
-          cmd: install
-          dir: 'frontend'
+          cache: 'yarn'
+          cache-dependency-path: frontend/yarn.lock
+      - name: Install dependencies
+        working-directory: ./frontend
+        run: yarn install --frozen-lockfile
       - name: Build
-        uses: borales/actions-yarn@v4
-        with:
-          cmd: build
-          dir: 'frontend'
-      - name: Run test in sub-folder
-        uses: borales/actions-yarn@v4
-        with:
-          cmd: test
-          dir: 'frontend'
+        working-directory: ./frontend
+        run: yarn build
+      - name: Run tests
+        working-directory: ./frontend
+        run: yarn test
@@ -74,7 +74,7 @@ jobs:
           cache-to: type=inline
       - uses: actions/setup-node@v4.0.2
         with:
-          node-version: "20.12"
+          node-version: "22"
 
   build-backend:
     name: build-backend
@@ -125,7 +125,7 @@ jobs:
           cache-to: type=inline
       - uses: actions/setup-node@v4.0.2
         with:
-          node-version: "20.12"
+          node-version: "22"
   release:
     name: Release
     needs: [build-frontend, build-backend]
@@ -147,7 +147,7 @@ jobs:
           owner: ${{ github.repository_owner }}
       - uses: actions/setup-node@v4.0.2
         with:
-          node-version: "20.12"
+          node-version: "22"
       - name: Semantic Release
         id: version
         uses: splunk/semantic-release-action@v1.3.4
 
@@ -1,6 +1,8 @@
 # Changelog
 
 ### Changed
+- add fallback for MONGODB and REDIS connection strings, fix logging
+- create MONGODB connection string from environment variables instead of full MONGO_URI variable
 - create REDIS connection string from environment variables instead of full REDIS_URL variable
 
 ## 1.1.0
 
@@ -1,19 +1,23 @@
-FROM python:3.9
+FROM python:3.12-slim
 WORKDIR /app
 
-COPY requirements.txt app.py ./
-COPY SC4SNMP_UI_backend ./SC4SNMP_UI_backend
-RUN pip install -r ./requirements.txt
-ENV FLASK_DEBUG production
+COPY --chown=10000:10000 requirements.txt app.py ./
+COPY --chown=10000:10000 SC4SNMP_UI_backend ./SC4SNMP_UI_backend
+RUN pip install --no-cache-dir -r ./requirements.txt
+ENV FLASK_DEBUG=production
 
+# Copy scripts (executable, owned by non-root user)
+COPY --chown=10000:10000 ./flask_start.sh /flask_start.sh
+COPY --chown=10000:10000 ./celery_start.sh /celery_start.sh
+COPY --chown=10000:10000 construct-connection-strings.sh /app/construct-connection-strings.sh
 
-COPY ./flask_start.sh /flask_start.sh
-RUN chmod +x /flask_start.sh
-
-COPY ./celery_start.sh /celery_start.sh
-RUN chmod +x /celery_start.sh
+# Set executable bit BEFORE USER switch
+RUN chmod 0755 /flask_start.sh /celery_start.sh /app/construct-connection-strings.sh
 
+# Switch to non-root
 USER 10000:10000
 
 EXPOSE 5000
-CMD ["gunicorn", "-b", ":5000", "app:flask_app", "--log-level", "INFO"]
+
+# Use flask_start.sh which sources construct-connection-strings.sh
+CMD ["/flask_start.sh"]
@@ -1,5 +1,13 @@
-from flask import Flask
+import re
+import sys
+import time
+
+from flask import Flask, g
+from flask_cors import CORS
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 from pymongo import MongoClient
+from pymongo.errors import ConnectionFailure, ServerSelectionTimeoutError
 import os
 import logging
 from celery import Celery
@@ -8,63 +16,198 @@
 
 load_dotenv()
 
-__version__ = "1.1.1"
+__version__ = "1.2.0-beta.2"
 
 MONGO_URI = os.getenv("MONGO_URI")
+log = logging.getLogger('gunicorn.error')
+log.setLevel(logging.INFO)
+
+def wait_for_mongodb_replicaset(logger, mongo_uri, max_retries=120, retry_interval=5):
+    """
+    Wait for MongoDB to be ready before starting the application.
+    For replica sets, waits for PRIMARY to be elected.
+    """
+    mongo_mode = os.getenv("MONGODB_MODE", "standalone").lower()
+    if mongo_mode == "standalone":
+        logger.info("MongoDB is in standalone mode, skipping ReplicaSet wait")
+        return
+
+    if not mongo_uri:
+        logger.warning("MONGO_URI not set, exiting application")
+        sys.exit(1)
+
+    logger.info(f"Waiting for MongoDB ReplicaSet to be ready and elect the primary...")
+
+    for attempt in range(1, max_retries + 1):
+        if attempt != 1:
+            time.sleep(retry_interval)
+        try:
+            # Try to connect
+            client = MongoClient(
+                mongo_uri, serverSelectionTimeoutMS=5000, connectTimeoutMS=5000
+            )
+
+            # Execute a simple operation to verify PRIMARY exists
+            client.admin.command("ping")
+
+            # For replica sets, verify PRIMARY exists
+            if "replicaSet=" in mongo_uri:
+                if client.primary is None:
+                    continue
+                logger.info(f"PRIMARY found: {client.primary}")
+
+            client.close()
+            logger.info("MongoDB is ready")
+            return
+
+        except (ServerSelectionTimeoutError, ConnectionFailure, Exception) as e:
+            if attempt >= max_retries:
+                logger.info(f"MongoDB not ready after {max_retries * retry_interval}s")
+                logger.info(f"   Error: {e}")
+                sys.exit(1)
+
+        logger.info(f"  Still waiting... ({attempt}/{max_retries})")
+
+wait_for_mongodb_replicaset(log, MONGO_URI)
 mongo_client = MongoClient(MONGO_URI)
 
 VALUES_DIRECTORY = os.getenv("VALUES_DIRECTORY", "")
 KEEP_TEMP_FILES = os.getenv("KEEP_TEMP_FILES", "false")
 
-REDIS_HOST = os.getenv("REDIS_HOST", "snmp-redis")
-REDIS_PORT = os.getenv("REDIS_PORT", "6379")
-REDIS_PASSWORD = os.getenv("REDIS_PASSWORD", "")
-REDIS_DB = os.getenv("REDIS_DB", "1")
-CELERY_DB = os.getenv("CELERY_DB", "0")
+REDBEAT_URL = os.getenv("REDIS_URL", "redis://snmp-redis-headless:6379")
+CELERY_BROKER_URL = os.getenv("CELERY_BROKER_URL", "sentinel://snmp-redis-sentinel:26379")
+REDIS_SENTINEL_SERVICE = os.getenv("REDIS_SENTINEL_SERVICE", "snmp-redis-sentinel")
+REDIS_MODE = os.getenv("REDIS_MODE", "standalone")
 
-if REDIS_PASSWORD:
-    redis_base = f"redis://:{REDIS_PASSWORD}@{REDIS_HOST}:{REDIS_PORT}"
-else:
-    redis_base = f"redis://{REDIS_HOST}:{REDIS_PORT}"
 
-# fallback
-REDBEAT_URL = os.getenv("REDIS_URL", f"{redis_base}/{REDIS_DB}")
-CELERY_BROKER_URL = os.getenv("CELERY_BROKER_URL", f"{redis_base}/{CELERY_DB}")
+class NoValuesDirectoryException(Exception):
+    pass
 
 
-class NoValuesDirectoryException(Exception):
+class AuthNotConfiguredException(Exception):
     pass
 
+
+limiter = Limiter(key_func=get_remote_address, default_limits=[])
+
+
 def create_app():
     if len(VALUES_DIRECTORY) == 0:
         raise NoValuesDirectoryException
 
     app = Flask(__name__)
 
+    auth_enabled = os.getenv("AUTH_ENABLED", "true").lower() == "true"
+    if auth_enabled:
+        missing = []
+        for var in ("AUTH_USERNAME", "AUTH_PASSWORD_HASH", "JWT_SECRET"):
+            if not os.getenv(var):
+                missing.append(var)
+        if missing:
+            raise AuthNotConfiguredException(
+                f"AUTH_ENABLED=true but {', '.join(missing)} not set. "
+                "Set these env vars or set AUTH_ENABLED=false to disable authentication."
+            )
+    else:
+        log.warning(
+            "SECURITY: AUTH_ENABLED=false. All endpoints are accessible without authentication. "
+            "Do NOT use this configuration in production or on any network-exposed deployment. "
+            "Restrict access via ClusterIP/NetworkPolicy and use only for local development."
+        )
+
+    allowed_origins_env = os.getenv("ALLOWED_ORIGINS", "").strip()
+    if allowed_origins_env == "*":
+        # Reflect any origin. Intended for local development only.
+        log.warning(
+            "SECURITY: ALLOWED_ORIGINS=* reflects any browser Origin. "
+            "Do NOT use in production; set an explicit allow-list."
+        )
+        cors_origins = [re.compile(r".*")]
+    elif allowed_origins_env:
+        cors_origins = [o.strip() for o in allowed_origins_env.split(",") if o.strip()]
+    elif not auth_enabled:
+        # When auth is disabled (dev mode), reflect any origin so the UI works
+        # out of the box on NodePort setups. Security warning already logged above.
+        cors_origins = [re.compile(r".*")]
+    else:
+        cors_origins = ["http://localhost:8080"]
+
+    CORS(app, origins=cors_origins, supports_credentials=True)
+
+    limiter.init_app(app)
+    limiter.storage_uri = REDBEAT_URL
+
+    if REDIS_MODE == "replication":
+        broker_transport_options = {
+            "priority_steps": list(range(10)),
+            "sep": ":",
+            "queue_order_strategy": "priority",
+            "service_name": "mymaster",
+            "master_name": "mymaster",
+            "socket_timeout": 5,
+            "retry_policy": {
+                "max_retries": 100,
+                "interval_start": 0,
+                "interval_step": 2,
+                "interval_max": 5,
+            },
+            "db": 1,
+            "sentinels": [(REDIS_SENTINEL_SERVICE, 26379)],
+            "password": os.getenv("REDIS_PASSWORD", None),
+        }
+    else:
+        broker_transport_options = {
+            "priority_steps": list(range(10)),
+            "sep": ":",
+            "queue_order_strategy": "priority"
+        }
+
     app.config.from_mapping(
         CELERY=dict(
             task_default_queue="apply_changes",
             broker_url=CELERY_BROKER_URL,
             beat_scheduler="redbeat.RedBeatScheduler",
             redbeat_redis_url = REDBEAT_URL,
-            broker_transport_options={
-                "priority_steps": list(range(10)),
-                "sep": ":",
-                "queue_order_strategy": "priority",
-            },
+            broker_transport_options=broker_transport_options,
             task_ignore_result=True,
             redbeat_lock_key=None,
         ),
     )
     celery_init_app(app)
+
+    from SC4SNMP_UI_backend.auth.routes import auth_blueprint
     from SC4SNMP_UI_backend.profiles.routes import profiles_blueprint
     from SC4SNMP_UI_backend.groups.routes import groups_blueprint
     from SC4SNMP_UI_backend.inventory.routes import inventory_blueprint
     from SC4SNMP_UI_backend.apply_changes.routes import apply_changes_blueprint
+    app.register_blueprint(auth_blueprint)
     app.register_blueprint(profiles_blueprint)
     app.register_blueprint(groups_blueprint)
     app.register_blueprint(inventory_blueprint)
     app.register_blueprint(apply_changes_blueprint)
+
+    from SC4SNMP_UI_backend.auth.utils import (
+        AUTH_ENABLED as _auth_on,
+        refresh_token_payload,
+        make_cookie_kwargs,
+        COOKIE_NAME,
+        JWT_EXPIRY_HOURS as _jwt_hours,
+    )
+
+    @app.after_request
+    def refresh_idle_token(response):
+        if not _auth_on:
+            return response
+        try:
+            should_refresh = g.get("refresh_token", False)
+            payload = g.get("token_payload")
+        except RuntimeError:
+            return response
+        if should_refresh and payload:
+            new_token = refresh_token_payload(payload)
+            response.set_cookie(**make_cookie_kwargs(new_token, max_age=_jwt_hours * 3600))
+        return response
+
     gunicorn_logger = logging.getLogger('gunicorn.error')
     app.logger.handlers = gunicorn_logger.handlers
     app.logger.setLevel(gunicorn_logger.level)