feat: production hardening — slog, rate limiting, integration tests, seed data (Phase 4)

- Structured logging: replace log.* with log/slog JSON output across backend - Request logger middleware: logs method, path, status, duration for all non-health requests - Rate limiting: token bucket (5 req/min, burst 10) on AI endpoints (/api/ai/*) - Integration tests: full critical path test (auth -> create case -> add deadline -> dashboard) - Seed demo data: 1 tenant, 5 cases with deadlines/appointments/parties/events - docker-compose.yml: add all required env vars (DATABASE_URL, SUPABASE_*, ANTHROPIC_API_KEY) - .env.example: document all env vars including DATABASE_URL and CalDAV note
2026-03-25 14:32:27 +01:00
parent b49992b9c0
commit c5c3f41e08
10 changed files with 694 additions and 17 deletions
--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -2,13 +2,16 @@ package router

 import (
 	"encoding/json"
+	"log/slog"
 	"net/http"
+	"time"

 	"github.com/jmoiron/sqlx"

 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/config"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/handlers"
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/middleware"
 	"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
 )

@@ -112,10 +115,11 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	scoped.HandleFunc("GET /api/documents/{docId}/meta", docH.GetMeta)
 	scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete)

-	// AI endpoints
+	// AI endpoints (rate limited: 5 req/min burst 10 per IP)
 	if aiH != nil {
-		scoped.HandleFunc("POST /api/ai/extract-deadlines", aiH.ExtractDeadlines)
-		scoped.HandleFunc("POST /api/ai/summarize-case", aiH.SummarizeCase)
+		aiLimiter := middleware.NewTokenBucket(5.0/60.0, 10)
+		scoped.HandleFunc("POST /api/ai/extract-deadlines", aiLimiter.LimitFunc(aiH.ExtractDeadlines))
+		scoped.HandleFunc("POST /api/ai/summarize-case", aiLimiter.LimitFunc(aiH.SummarizeCase))
 	}

 	// CalDAV sync endpoints
@@ -130,7 +134,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se

 	mux.Handle("/api/", authMW.RequireAuth(api))

-	return mux
+	return requestLogger(mux)
 }

 func handleHealth(db *sqlx.DB) http.HandlerFunc {
@@ -145,3 +149,34 @@ func handleHealth(db *sqlx.DB) http.HandlerFunc {
 	}
 }

+type statusWriter struct {
+	http.ResponseWriter
+	status int
+}
+
+func (w *statusWriter) WriteHeader(code int) {
+	w.status = code
+	w.ResponseWriter.WriteHeader(code)
+}
+
+func requestLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip health checks to reduce noise
+		if r.URL.Path == "/health" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		sw := &statusWriter{ResponseWriter: w, status: http.StatusOK}
+		start := time.Now()
+		next.ServeHTTP(sw, r)
+
+		slog.Info("request",
+			"method", r.Method,
+			"path", r.URL.Path,
+			"status", sw.status,
+			"duration_ms", time.Since(start).Milliseconds(),
+		)
+	})
+}
+