feat: add nginx reverse proxy and Let's Encrypt TLS setup

- Add nginx config for SSL termination and HTTP->HTTPS redirect - Add init-letsencrypt.sh script for automated certificate provisioning - Update docker-compose.yml: add nginx service, expose web on internal port only - Fix Evotor OAuth token exchange: move client credentials to form body - Add request logging for token exchange errors - Update BASE_URL to https://evosync.ru and set default in docker-compose - Add refresh_token field to EvotorConnection model Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-06 16:57:46 +03:00
parent 9aeef73b10
commit bacfd8fe54
7 changed files with 208 additions and 12 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,16 +5,21 @@ services:
    build:
      context: .
      dockerfile: Dockerfile.web
-    ports:
-      - "8080:8000"
+    expose:
+      - "8000"
    environment:
      - DATABASE_URL=mysql+pymysql://${DB_USER}:${DB_PASSWORD}@172.25.0.1:3306/${DB_NAME}
      - SECRET_KEY=${SECRET_KEY:-change-me-in-production}
-      - BASE_URL=${BASE_URL:-http://localhost:8080}
+      - BASE_URL=${BASE_URL:-https://evosync.ru}
+      - EVOTOR_CLIENT_ID=${EVOTOR_CLIENT_ID}
+      - EVOTOR_CLIENT_SECRET=${EVOTOR_CLIENT_SECRET}
+      - VK_CLIENT_ID=${VK_CLIENT_ID}
+      - VK_CLIENT_SECRET=${VK_CLIENT_SECRET}
    volumes:
      - ./web:/app/web
      - ./alembic.ini:/app/alembic.ini
      - ./docker-entrypoint.sh:/app/docker-entrypoint.sh
+    restart: unless-stopped

  # sync:
  #   build:
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    server_name evosync.ru www.evosync.ru;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name evosync.ru www.evosync.ru;
+
+    ssl_certificate /etc/letsencrypt/live/evosync.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/evosync.ru/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://web:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/scripts/init-letsencrypt.sh
+++ b/scripts/init-letsencrypt.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Obtain TLS certificates from Let's Encrypt for evosync.ru
+# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
+
+set -euo pipefail
+
+DOMAIN="evosync.ru"
+EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
+COMPOSE="docker compose"
+CERTBOT_DIR="./certbot"
+
+echo "==> Creating certbot directories..."
+mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"
+
+echo "==> Starting nginx (HTTP only, for ACME challenge)..."
+# Temporarily use a basic config that doesn't require certs
+cat > nginx/nginx-temp.conf <<'TMPCONF'
+server {
+    listen 80;
+    server_name evosync.ru www.evosync.ru;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 200 'Setting up TLS...';
+        add_header Content-Type text/plain;
+    }
+}
+TMPCONF
+
+$COMPOSE up -d nginx
+
+echo "==> Requesting certificate from Let's Encrypt..."
+docker run --rm \
+    -v "$(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt" \
+    -v "$(pwd)/$CERTBOT_DIR/www:/var/www/certbot" \
+    --network "${COMPOSE_PROJECT_NAME:-evo-syncgit}_default" \
+    certbot/certbot certonly \
+    --webroot \
+    --webroot-path=/var/www/certbot \
+    --email "$EMAIL" \
+    --agree-tos \
+    --no-eff-email \
+    -d "$DOMAIN" \
+    -d "www.$DOMAIN"
+
+echo "==> Restoring production nginx config..."
+rm -f nginx/nginx-temp.conf
+
+echo "==> Restarting nginx with TLS..."
+$COMPOSE restart nginx
+
+echo "==> Done! TLS certificate installed for $DOMAIN"
+echo "    Set up auto-renewal with: sudo crontab -e"
+echo "    Add: 0 3 * * * cd $(pwd) && docker run --rm -v $(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt -v $(pwd)/$CERTBOT_DIR/www:/var/www/certbot certbot/certbot renew --quiet && docker compose restart nginx"
--- a/web/health_checker.py
+++ b/web/health_checker.py
@@ -1,6 +1,6 @@
 import asyncio
 import logging
-from datetime import datetime
+from datetime import datetime, timedelta

 import httpx

@@ -10,9 +10,37 @@ from web.models import EvotorConnection, VkConnection
 logger = logging.getLogger("uvicorn.error")

 EVOTOR_STORES_URL = "https://api.evotor.ru/stores"
+EVOTOR_TOKEN_URL = "https://oauth.evotor.ru/oauth/token"
 VK_USERS_GET_URL = "https://api.vk.com/method/users.get"
 VK_API_VERSION = "5.131"

+# Refresh Evotor token if it expires within this window
+REFRESH_BEFORE_EXPIRY = timedelta(hours=2)
+
+
+async def _refresh_evotor_token(conn: EvotorConnection) -> str | None:
+    """Attempt to refresh the Evotor access token. Returns new access token or None."""
+    from web.config import settings
+    if not conn.refresh_token:
+        return None
+    try:
+        async with httpx.AsyncClient() as client:
+            resp = await client.post(
+                EVOTOR_TOKEN_URL,
+                data={
+                    "grant_type": "refresh_token",
+                    "refresh_token": conn.refresh_token,
+                },
+                auth=(settings.EVOTOR_CLIENT_ID, settings.EVOTOR_CLIENT_SECRET),
+                timeout=15,
+            )
+            if resp.status_code != 200:
+                return None
+            data = resp.json()
+            return data if data.get("access_token") else None
+    except Exception:
+        return None
+

 async def check_evotor_connection(access_token: str) -> bool:
    try:
@@ -46,15 +74,46 @@ async def check_vk_connection(access_token: str) -> bool:
 async def run_health_checks() -> None:
    db = SessionLocal()
    try:
+        now = datetime.utcnow()
+
        evotor_connections = db.query(EvotorConnection).all()
        for conn in evotor_connections:
-            conn.is_online = await check_evotor_connection(conn.access_token)
-            conn.last_checked_at = datetime.utcnow()
+            # Proactively refresh if token expires soon
+            needs_refresh = (
+                conn.refresh_token and
+                conn.token_expires_at and
+                conn.token_expires_at - now < REFRESH_BEFORE_EXPIRY
+            )
+            if needs_refresh:
+                token_data = await _refresh_evotor_token(conn)
+                if token_data:
+                    conn.access_token = token_data["access_token"]
+                    conn.refresh_token = token_data.get("refresh_token", conn.refresh_token)
+                    expires_in = token_data.get("expires_in")
+                    conn.token_expires_at = now + timedelta(seconds=expires_in) if expires_in else None
+                    logger.info("Refreshed Evotor token for user_id=%d", conn.user_id)
+
+            is_online = await check_evotor_connection(conn.access_token)
+
+            # If offline and not yet tried refresh, attempt it now
+            if not is_online and conn.refresh_token and not needs_refresh:
+                token_data = await _refresh_evotor_token(conn)
+                if token_data:
+                    conn.access_token = token_data["access_token"]
+                    conn.refresh_token = token_data.get("refresh_token", conn.refresh_token)
+                    expires_in = token_data.get("expires_in")
+                    conn.token_expires_at = now + timedelta(seconds=expires_in) if expires_in else None
+                    is_online = await check_evotor_connection(conn.access_token)
+                    if is_online:
+                        logger.info("Evotor token refreshed after failed check for user_id=%d", conn.user_id)
+
+            conn.is_online = is_online
+            conn.last_checked_at = now

        vk_connections = db.query(VkConnection).all()
        for conn in vk_connections:
            conn.is_online = await check_vk_connection(conn.access_token)
-            conn.last_checked_at = datetime.utcnow()
+            conn.last_checked_at = now

        db.commit()
        logger.info(
--- a/web/migrations/versions/e5f6a7b8c9d0_add_refresh_token_to_evotor_connections.py
+++ b/web/migrations/versions/e5f6a7b8c9d0_add_refresh_token_to_evotor_connections.py
@@ -0,0 +1,24 @@
+"""add refresh_token and token_expires_at to evotor_connections
+
+Revision ID: e5f6a7b8c9d0
+Revises: d4e5f6a7b8c9
+Create Date: 2026-03-06 00:04:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = 'e5f6a7b8c9d0'
+down_revision = 'd4e5f6a7b8c9'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.add_column('evotor_connections', sa.Column('refresh_token', sa.Text(), nullable=True))
+    op.add_column('evotor_connections', sa.Column('token_expires_at', sa.DateTime(), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column('evotor_connections', 'token_expires_at')
+    op.drop_column('evotor_connections', 'refresh_token')
--- a/web/models.py
+++ b/web/models.py
@@ -37,6 +37,8 @@ class EvotorConnection(Base):
    access_token = Column(Text, nullable=False)
    store_id = Column(String(255), nullable=True)
    store_name = Column(String(255), nullable=True)
+    refresh_token = Column(Text, nullable=True)
+    token_expires_at = Column(DateTime, nullable=True)
    is_online = Column(Boolean, default=False, server_default="0", nullable=False)
    last_checked_at = Column(DateTime, nullable=True)
    connected_at = Column(DateTime, server_default=func.now(), nullable=False)
--- a/web/routes/evotor.py
+++ b/web/routes/evotor.py
@@ -1,7 +1,10 @@
 import secrets
+import logging
 import httpx

 from fastapi import APIRouter, Request, Depends
+
+logger = logging.getLogger(__name__)
 from fastapi.responses import RedirectResponse
 from fastapi.templating import Jinja2Templates
 from sqlalchemy.orm import Session
@@ -85,16 +88,23 @@ async def evotor_callback(
                    "grant_type": "authorization_code",
                    "code": code,
                    "redirect_uri": _redirect_uri(),
+                    "client_id": settings.EVOTOR_CLIENT_ID,
+                    "client_secret": settings.EVOTOR_CLIENT_SECRET,
                },
-                auth=(settings.EVOTOR_CLIENT_ID, settings.EVOTOR_CLIENT_SECRET),
                timeout=15,
            )
            token_response.raise_for_status()
            token_data = token_response.json()
-    except Exception:
+    except httpx.HTTPStatusError as e:
+        logger.error("Evotor token exchange HTTP error %s: %s", e.response.status_code, e.response.text)
+        return RedirectResponse("/evotor?error=token_exchange", 303)
+    except Exception as e:
+        logger.error("Evotor token exchange failed: %s", e, exc_info=True)
        return RedirectResponse("/evotor?error=token_exchange", 303)

    access_token = token_data.get("access_token")
+    refresh_token = token_data.get("refresh_token")
+    expires_in = token_data.get("expires_in")
    if not access_token:
        return RedirectResponse("/evotor?error=no_token", 303)

@@ -118,22 +128,29 @@ async def evotor_callback(
        pass  # Store info is optional; token is still saved

    # Save or update connection
-    from datetime import datetime
+    from datetime import datetime, timedelta
+    now = datetime.utcnow()
+    token_expires_at = now + timedelta(seconds=expires_in) if expires_in else None
+
    connection = db.query(EvotorConnection).filter(EvotorConnection.user_id == user.id).first()
    if connection:
        connection.access_token = access_token
+        connection.refresh_token = refresh_token
+        connection.token_expires_at = token_expires_at
        connection.store_id = store_id
        connection.store_name = store_name
        connection.is_online = True
-        connection.last_checked_at = datetime.utcnow()
+        connection.last_checked_at = now
    else:
        connection = EvotorConnection(
            user_id=user.id,
            access_token=access_token,
+            refresh_token=refresh_token,
+            token_expires_at=token_expires_at,
            store_id=store_id,
            store_name=store_name,
            is_online=True,
-            last_checked_at=datetime.utcnow(),
+            last_checked_at=now,
        )
        db.add(connection)
    db.commit()