feat(docs): codebase refactor - added src directory

7project/src/backend/app/api/auth.py

@@ -0,0 +1,66 @@
+from fastapi import APIRouter, Depends, status
+from fastapi_users import models
+from fastapi_users.manager import BaseUserManager
+
+from app.schemas.user import UserCreate, UserRead, UserUpdate
+from app.services.user_service import auth_backend, fastapi_users
+
+router = APIRouter()
+
+@router.delete(
+    "/users/me",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["users"],
+    summary="Delete current user",
+    response_description="The user has been successfully deleted.",
+)
+async def delete_me(
+    user: models.UserProtocol = Depends(fastapi_users.current_user(active=True)),
+    user_manager: BaseUserManager = Depends(fastapi_users.get_user_manager),
+):
+    """
+    Delete the currently authenticated user.
+    """
+    await user_manager.delete(user)
+
+# Keep existing paths as-is under /auth/* and /users/*
+from fastapi import Request, Response
+from app.core.security import revoke_token, extract_bearer_token
+
+
+@router.post(
+    "/auth/jwt/logout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["auth"],
+    summary="Log out and revoke current token",
+)
+async def custom_logout(request: Request) -> Response:
+    """Revoke the current bearer token so it cannot be used anymore."""
+    token = extract_bearer_token(request)
+    if token:
+        revoke_token(token)
+    return Response(status_code=status.HTTP_204_NO_CONTENT)
+
+router.include_router(
+    fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
+)
+router.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_reset_password_router(),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_verify_router(UserRead),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_users_router(UserRead, UserUpdate),
+    prefix="/users",
+    tags=["users"],
+)

7project/src/backend/app/api/categories.py

@@ -0,0 +1,108 @@
+from typing import List
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, delete
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.categories import Category
+from app.schemas.category import CategoryCreate, CategoryRead, CategoryUpdate
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/categories", tags=["categories"])
+
+
+@router.post("/create", response_model=CategoryRead, status_code=status.HTTP_201_CREATED)
+async def create_category(
+    payload: CategoryCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Enforce per-user unique name via query to provide 409 feedback
+    res = await session.execute(
+        select(Category).where(Category.user_id == user.id, Category.name == payload.name)
+    )
+    existing = res.scalar_one_or_none()
+    if existing:
+        raise HTTPException(status_code=409, detail="Category with this name already exists")
+
+    category = Category(name=payload.name, description=payload.description, user_id=user.id)
+    session.add(category)
+    await session.commit()
+    await session.refresh(category)
+    return category
+
+
+@router.get("/", response_model=List[CategoryRead])
+async def list_categories(
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(select(Category).where(Category.user_id == user.id))
+    return list(res.scalars())
+
+
+@router.patch("/{category_id}", response_model=CategoryRead)
+async def update_category(
+    category_id: int,
+    payload: CategoryUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    category = res.scalar_one_or_none()
+    if not category:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    # If name changed, check uniqueness per user
+    if payload.name is not None and payload.name != category.name:
+        dup = await session.execute(
+            select(Category.id).where(Category.user_id == user.id, Category.name == payload.name)
+        )
+        if dup.scalar_one_or_none() is not None:
+            raise HTTPException(status_code=409, detail="Category with this name already exists")
+        category.name = payload.name
+
+    if payload.description is not None:
+        category.description = payload.description
+
+    await session.commit()
+    await session.refresh(category)
+    return category
+
+
+@router.get("/{category_id}", response_model=CategoryRead)
+async def get_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    category = res.scalar_one_or_none()
+    if not category:
+        raise HTTPException(status_code=404, detail="Category not found")
+    return category
+
+
+@router.delete("/{category_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category.id).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    if res.scalar_one_or_none() is None:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.execute(
+        delete(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    await session.commit()
+    return None

7project/src/backend/app/api/csas.py

@@ -0,0 +1,40 @@
+import json
+import os
+
+from fastapi import APIRouter
+from fastapi.params import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.user import User
+from app.oauth.csas import CSASOAuth
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+
+router = APIRouter(prefix="/auth/csas", tags=["csas"])
+
+CLIENT_ID = os.getenv("CSAS_CLIENT_ID")
+CLIENT_SECRET = os.getenv("CSAS_CLIENT_SECRET")
+CSAS_OAUTH = CSASOAuth(CLIENT_ID, CLIENT_SECRET)
+
+
+@router.get("/authorize")
+async def csas_authorize():
+    return {"authorization_url":
+                await CSAS_OAUTH.get_authorization_url(os.getenv("FRONTEND_DOMAIN_SCHEME") + "/auth/csas/callback")}
+
+
+@router.get("/callback")
+async def csas_callback(code: str, session: AsyncSession = Depends(get_async_session),
+                        user: User = Depends(current_active_user)):
+    response = await CSAS_OAUTH.get_access_token(code, os.getenv("FRONTEND_DOMAIN_SCHEME") + "/auth/csas/callback")
+
+    if not user.config:
+        user.config = {}
+
+    new_dict = user.config.copy()
+    new_dict["csas"] = json.dumps(response)
+
+    user.config = new_dict
+    await session.commit()
+
+    return "OK"

7project/src/backend/app/api/exchange_rates.py

@@ -0,0 +1,66 @@
+import os
+from typing import List
+
+import httpx
+from fastapi import APIRouter, HTTPException, Query, status
+
+router = APIRouter(prefix="/exchange-rates", tags=["exchange-rates"]) 
+
+
+@router.get("", status_code=status.HTTP_200_OK)
+async def get_exchange_rates(symbols: str = Query("EUR,USD,NOK", description="Comma-separated currency codes to fetch vs CZK")):
+    """
+    Fetch exchange rates from UniRate API on the backend and return CZK-per-target rates.
+    - Always requests CZK in addition to requested symbols to compute conversion from USD-base.
+    - Returns a list of {currencyCode, rate} where rate is CZK per 1 unit of the target currency.
+    """
+    api_key = os.getenv("UNIRATE_API_KEY")
+    if not api_key:
+        raise HTTPException(status_code=500, detail="Server is not configured with UNIRATE_API_KEY")
+
+    # Ensure CZK is included for conversion
+    requested = [s.strip().upper() for s in symbols.split(",") if s.strip()]
+    if "CZK" not in requested:
+        requested.append("CZK")
+    query_symbols = ",".join(sorted(set(requested)))
+
+    url = f"https://unirateapi.com/api/rates?api_key={api_key}&symbols={query_symbols}"
+
+    try:
+        async with httpx.AsyncClient(timeout=httpx.Timeout(15.0)) as client:
+            resp = await client.get(url)
+            if resp.status_code != httpx.codes.OK:
+                raise HTTPException(status_code=502, detail=f"Upstream UniRate error: HTTP {resp.status_code}")
+            data = resp.json()
+    except httpx.HTTPError as e:
+        raise HTTPException(status_code=502, detail=f"Failed to contact UniRate: {str(e)}")
+
+    # Validate response structure
+    rates = data.get("rates") if isinstance(data, dict) else None
+    base = data.get("base") if isinstance(data, dict) else None
+    if not rates or base != "USD" or "CZK" not in rates:
+        # Prefer upstream message when available
+        detail = data.get("message") if isinstance(data, dict) else None
+        if not detail and isinstance(data, dict):
+            err = data.get("error")
+            if isinstance(err, dict):
+                detail = err.get("info")
+        raise HTTPException(status_code=502, detail=detail or "Invalid response from UniRate API")
+
+    czk_per_usd = rates["CZK"]
+
+    # Build result excluding CZK itself
+    result = []
+    for code in requested:
+        if code == "CZK":
+            continue
+        target_per_usd = rates.get(code)
+        if target_per_usd in (None, 0):
+            # Skip unavailable or invalid
+            continue
+        czk_per_target = czk_per_usd / target_per_usd
+        result.append({"currencyCode": code, "rate": czk_per_target})
+
+    return result
+
+

7project/src/backend/app/api/mock_bank.py

@@ -0,0 +1,116 @@
+from datetime import datetime, timedelta
+from typing import List, Optional
+import random
+
+from fastapi import APIRouter, Depends
+from pydantic import BaseModel, Field, conint, confloat, validator
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+from app.models.transaction import Transaction
+from app.models.categories import Category
+from app.schemas.transaction import TransactionRead
+
+router = APIRouter(prefix="/mock-bank", tags=["mock-bank"])
+
+
+class GenerateOptions(BaseModel):
+    count: conint(strict=True, gt=0) = Field(default=10, description="Number of transactions to generate")
+    minAmount: confloat(strict=True) = Field(default=-200.0, description="Minimum transaction amount")
+    maxAmount: confloat(strict=True) = Field(default=200.0, description="Maximum transaction amount")
+    startDate: Optional[str] = Field(None, description="Earliest date (YYYY-MM-DD)")
+    endDate: Optional[str] = Field(None, description="Latest date (YYYY-MM-DD)")
+    categoryIds: List[int] = Field(default_factory=list, description="Optional category IDs to assign randomly")
+
+    @validator("maxAmount")
+    def _validate_amounts(cls, v, values):
+        min_amt = values.get("minAmount")
+        if min_amt is not None and v < min_amt:
+            raise ValueError("maxAmount must be greater than or equal to minAmount")
+        return v
+
+    @validator("endDate")
+    def _validate_dates(cls, v, values):
+        sd = values.get("startDate")
+        if v and sd:
+            try:
+                ed = datetime.strptime(v, "%Y-%m-%d").date()
+                st = datetime.strptime(sd, "%Y-%m-%d").date()
+            except ValueError:
+                raise ValueError("Invalid date format, expected YYYY-MM-DD")
+            if ed < st:
+                raise ValueError("endDate must be greater than or equal to startDate")
+        return v
+
+
+class GeneratedTransaction(BaseModel):
+    amount: float
+    date: str  # YYYY-MM-DD
+    category_ids: List[int] = []
+    description: Optional[str] = None
+
+
+@router.post("/generate", response_model=List[GeneratedTransaction])
+async def generate_mock_transactions(
+        options: GenerateOptions,
+        user: User = Depends(current_active_user),
+):
+    # Seed randomness per user to make results less erratic across multiple calls in quick succession
+    seed = int(datetime.utcnow().timestamp()) ^ int(user.id)
+    rnd = random.Random(seed)
+
+    # Determine date range
+    if options.startDate:
+        start_date = datetime.strptime(options.startDate, "%Y-%m-%d").date()
+    else:
+        start_date = (datetime.utcnow() - timedelta(days=365)).date()
+    if options.endDate:
+        end_date = datetime.strptime(options.endDate, "%Y-%m-%d").date()
+    else:
+        end_date = datetime.utcnow().date()
+
+    span_days = max(0, (end_date - start_date).days)
+
+    results: List[GeneratedTransaction] = []
+    for _ in range(options.count):
+        amount = round(rnd.uniform(options.minAmount, options.maxAmount), 2)
+        # Pick a random date in the inclusive range
+        rand_day = rnd.randint(0, span_days) if span_days > 0 else 0
+        tx_date = start_date + timedelta(days=rand_day)
+        # Pick category randomly from provided list, or empty
+        if options.categoryIds:
+            cat = [rnd.choice(options.categoryIds)]
+        else:
+            cat = []
+        # Optional simple description for flavor
+        desc = None
+        # Assemble
+        results.append(GeneratedTransaction(
+            amount=amount,
+            date=tx_date.isoformat(),
+            category_ids=cat,
+            description=desc,
+        ))
+
+    return results
+
+
+@router.get("/scrape")
+async def scrape_mock_bank():
+    # 80% of the time: nothing to scrape
+    if random.random() < 0.8:
+        return []
+
+    transactions = []
+    count = random.randint(1, 10)
+    for _ in range(count):
+        transactions.append({
+            "amount": round(random.uniform(-200.0, 200.0), 2),
+            "date": (datetime.utcnow().date() - timedelta(days=random.randint(0, 30))).isoformat(),
+            "description": "Mock transaction",
+        })
+
+    return transactions

7project/src/backend/app/api/transactions.py

@@ -0,0 +1,280 @@
+from typing import List, Optional
+from datetime import date
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, and_, func
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.transaction import Transaction
+from app.models.categories import Category
+from app.schemas.transaction import (
+    TransactionCreate,
+    TransactionRead,
+    TransactionUpdate,
+)
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/transactions", tags=["transactions"])
+
+
+def _to_read_model(tx: Transaction) -> TransactionRead:
+    return TransactionRead(
+        id=tx.id,
+        amount=tx.amount,
+        description=tx.description,
+        date=tx.date,
+        category_ids=[c.id for c in (tx.categories or [])],
+    )
+
+
+@router.post("/create", response_model=TransactionRead, status_code=status.HTTP_201_CREATED)
+async def create_transaction(
+    payload: TransactionCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Build transaction; set `date` only if provided to let DB default apply otherwise
+    tx_kwargs = dict(
+        amount=payload.amount,
+        description=payload.description,
+        user_id=user.id,
+    )
+    if payload.date is not None:
+        parsed_date = payload.date
+        if isinstance(parsed_date, str):
+            try:
+                parsed_date = date.fromisoformat(parsed_date)
+            except ValueError:
+                raise HTTPException(status_code=400, detail="Invalid date format, expected YYYY-MM-DD")
+        tx_kwargs["date"] = parsed_date
+    tx = Transaction(**tx_kwargs)
+
+    # Attach categories if provided (and owned by user)
+    if payload.category_ids:
+        res = await session.execute(
+            select(Category).where(
+                Category.user_id == user.id, Category.id.in_(payload.category_ids)
+            )
+        )
+        categories = list(res.scalars())
+        if len(categories) != len(set(payload.category_ids)):
+            raise HTTPException(
+                status_code=400,
+                detail="Duplicate category IDs provided or one or more categories not found"
+            )
+        tx.categories = categories
+
+    session.add(tx)
+    await session.commit()
+    await session.refresh(tx)
+    # Ensure categories are loaded
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.get("/", response_model=List[TransactionRead])
+async def list_transactions(
+    start_date: Optional[date] = None,
+    end_date: Optional[date] = None,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    cond = [Transaction.user_id == user.id]
+    if start_date is not None:
+        cond.append(Transaction.date >= start_date)
+    if end_date is not None:
+        cond.append(Transaction.date <= end_date)
+    res = await session.execute(
+        select(Transaction).where(and_(*cond)).order_by(Transaction.date, Transaction.id)
+    )
+    txs = list(res.scalars())
+    # Eagerly load categories for each transaction
+    for tx in txs:
+        await session.refresh(tx, attribute_names=["categories"])
+    return [_to_read_model(tx) for tx in txs]
+
+
+@router.get("/balance_series")
+async def get_balance_series(
+    start_date: Optional[date] = None,
+    end_date: Optional[date] = None,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    cond = [Transaction.user_id == user.id]
+    if start_date is not None:
+        cond.append(Transaction.date >= start_date)
+    if end_date is not None:
+        cond.append(Transaction.date <= end_date)
+    res = await session.execute(
+        select(Transaction).where(and_(*cond)).order_by(Transaction.date, Transaction.id)
+    )
+    txs = list(res.scalars())
+    # Group by date and accumulate
+    daily = {}
+    for tx in txs:
+        key = tx.date.isoformat() if hasattr(tx.date, 'isoformat') else str(tx.date)
+        daily[key] = daily.get(key, 0.0) + float(tx.amount)
+    # Build cumulative series sorted by date
+    series = []
+    running = 0.0
+    for d in sorted(daily.keys()):
+        running += daily[d]
+        series.append({"date": d, "balance": running})
+    return series
+
+
+@router.get("/{transaction_id}", response_model=TransactionRead)
+async def get_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.patch("/{transaction_id}/edit", response_model=TransactionRead)
+async def update_transaction(
+    transaction_id: int,
+    payload: TransactionUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    if payload.amount is not None:
+        tx.amount = payload.amount
+    if payload.description is not None:
+        tx.description = payload.description
+    if payload.date is not None:
+        new_date = payload.date
+        if isinstance(new_date, str):
+            try:
+                new_date = date.fromisoformat(new_date)
+            except ValueError:
+                raise HTTPException(status_code=400, detail="Invalid date format, expected YYYY-MM-DD")
+        tx.date = new_date
+
+    if payload.category_ids is not None:
+        # Preload categories to avoid async lazy-load during assignment
+        await session.refresh(tx, attribute_names=["categories"])
+        if payload.category_ids:
+            # Check for duplicate category IDs in the payload
+            if len(payload.category_ids) != len(set(payload.category_ids)):
+                raise HTTPException(status_code=400, detail="Duplicate category IDs in payload")
+            res = await session.execute(
+                select(Category).where(
+                    Category.user_id == user.id, Category.id.in_(payload.category_ids)
+                )
+            )
+            categories = list(res.scalars())
+            if len(categories) != len(payload.category_ids):
+                raise HTTPException(status_code=400, detail="One or more categories not found")
+            tx.categories = categories
+        else:
+            tx.categories = []
+
+    await session.commit()
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/delete", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    await session.delete(tx)
+    await session.commit()
+    return None
+
+
+@router.post("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def assign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Load transaction and category ensuring ownership
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat not in tx.categories:
+        tx.categories.append(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def unassign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat in tx.categories:
+        tx.categories.remove(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)

7project/src/backend/app/app.py

@@ -0,0 +1,176 @@
+import json
+import logging
+import os
+import sys
+from datetime import datetime
+from pythonjsonlogger import jsonlogger
+
+from fastapi import Depends, FastAPI, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from prometheus_fastapi_instrumentator import Instrumentator, metrics
+from starlette.requests import Request
+
+from app.services.prometheus import number_of_users, number_of_transactions
+
+from app.services import bank_scraper
+from app.workers.celery_tasks import load_transactions, load_all_transactions
+from app.models.user import User, OAuthAccount
+
+from app.services.user_service import current_active_verified_user
+from app.api.auth import router as auth_router
+from app.api.csas import router as csas_router
+from app.api.categories import router as categories_router
+from app.api.transactions import router as transactions_router
+from app.api.exchange_rates import router as exchange_rates_router
+from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, \
+    UserManager, get_jwt_strategy
+from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt
+from app.services.user_service import SECRET
+
+from fastapi import FastAPI
+import sentry_sdk
+from fastapi_users.db import SQLAlchemyUserDatabase
+from app.core.db import async_session_maker, engine
+from app.core.base import Base
+
+sentry_sdk.init(
+    dsn=os.getenv("SENTRY_DSN"),
+    send_default_pii=True,
+)
+
+fastApi = FastAPI()
+
+# CORS for frontend dev server
+fastApi.add_middleware(
+    CORSMiddleware,
+    allow_origins=[
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+        os.getenv("FRONTEND_DOMAIN_SCHEME", "")
+    ],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+if not os.getenv("PYTEST_RUN_CONFIG"):
+    prometheus = Instrumentator().instrument(fastApi)
+    # Register custom metrics
+    prometheus.add(number_of_users()).add(number_of_transactions())
+    prometheus.expose(
+        fastApi,
+        endpoint="/metrics",
+        include_in_schema=True,
+    )
+
+fastApi.include_router(auth_router)
+fastApi.include_router(categories_router)
+fastApi.include_router(transactions_router)
+fastApi.include_router(exchange_rates_router)
+from app.api.mock_bank import router as mock_bank_router
+fastApi.include_router(mock_bank_router)
+
+for h in list(logging.root.handlers):
+    logging.root.removeHandler(h)
+
+_log_handler = logging.StreamHandler(sys.stdout)
+_formatter = jsonlogger.JsonFormatter(
+    fmt='%(asctime)s %(levelname)s %(name)s %(message)s %(pathname)s %(lineno)d %(process)d %(thread)d'
+)
+_log_handler.setFormatter(_formatter)
+
+logging.root.setLevel(logging.INFO)
+logging.root.addHandler(_log_handler)
+
+for _name in ("uvicorn", "uvicorn.error", "uvicorn.access"):
+    _logger = logging.getLogger(_name)
+    _logger.handlers = [_log_handler]
+    _logger.propagate = True
+
+
+@fastApi.middleware("http")
+async def auth_guard(request: Request, call_next):
+    # Enforce revoked/expired JWTs are rejected globally
+    token = extract_bearer_token(request)
+    if token:
+        from fastapi import Response, status as _status
+        # Deny if token is revoked
+        if is_token_revoked(token):
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+        # Deny if token is expired or invalid
+        try:
+            decode_and_verify_jwt(token, SECRET)
+        except Exception:
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+    return await call_next(request)
+
+
+@fastApi.middleware("http")
+async def log_traffic(request: Request, call_next):
+    start_time = datetime.now()
+    response = await call_next(request)
+    process_time = (datetime.now() - start_time).total_seconds()
+    client_host = request.client.host
+    log_params = {
+        "request_method": request.method,
+        "request_url": str(request.url),
+        "request_size": request.headers.get("content-length"),
+        "request_headers": dict(request.headers),
+        "response_status": response.status_code,
+        "response_size": response.headers.get("content-length"),
+        "response_headers": dict(response.headers),
+        "process_time": process_time,
+        "client_host": client_host
+    }
+    logging.getLogger(__name__).info("http_request", extra=log_params)
+    return response
+
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("MojeID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+        redirect_url=os.getenv("FRONTEND_DOMAIN_SCHEME", "http://localhost:3000") + "/auth/mojeid/callback",
+    ),
+    prefix="/auth/mojeid",
+    tags=["auth"],
+)
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("BankID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+        redirect_url=os.getenv("FRONTEND_DOMAIN_SCHEME", "http://localhost:3000") + "/auth/bankid/callback",
+    ),
+    prefix="/auth/bankid",
+    tags=["auth"],
+)
+
+fastApi.include_router(csas_router)
+
+
+# Liveness/root endpoint
+@fastApi.get("/", include_in_schema=False)
+async def root():
+    return {"status": "ok"}
+
+
+@fastApi.get("/authenticated-route")
+async def authenticated_route(user: User = Depends(current_active_verified_user)):
+    return {"message": f"Hello {user.email}!"}
+
+
+@fastApi.get("/_cron", include_in_schema=False)
+async def handle_cron(request: Request):
+    # endpoint accessed by Clodflare => return 404
+    if request.headers.get("cf-connecting-ip"):
+        raise HTTPException(status_code=404)
+
+    logging.info("[Cron] Triggering scheduled tasks via HTTP endpoint")
+    task = load_all_transactions.delay()
+    return {"status": "queued", "action": "csas_scrape_all", "task_id": getattr(task, 'id', None)}

7project/src/backend/app/celery_app.py

@@ -0,0 +1,50 @@
+import os
+from celery import Celery
+
+if os.getenv("RABBITMQ_URL"):
+    RABBITMQ_URL = os.getenv("RABBITMQ_URL")  # type: ignore
+else:
+    from urllib.parse import quote
+
+    username = os.getenv("RABBITMQ_USERNAME", "user")
+    password = os.getenv("RABBITMQ_PASSWORD", "bitnami123")
+    host = os.getenv("RABBITMQ_HOST", "localhost")
+    port = os.getenv("RABBITMQ_PORT", "5672")
+    vhost = os.getenv("RABBITMQ_VHOST", "/")
+    use_ssl = os.getenv("RABBITMQ_USE_SSL", "0").lower() in {"1", "true", "yes"}
+    scheme = "amqps" if use_ssl else "amqp"
+
+    # Kombu uses '//' to denote the default '/' vhost. For custom vhosts, URL-encode them.
+    if vhost in ("/", ""):
+        vhost_path = "/"  # will become '//' after concatenation below
+    else:
+        vhost_path = f"/{quote(vhost, safe='')}"
+
+    # Ensure we end up with e.g. amqp://user:pass@host:5672// (for '/')
+    RABBITMQ_URL = f"{scheme}://{username}:{password}@{host}:{port}{vhost_path}"
+    if vhost in ("/", "") and not RABBITMQ_URL.endswith("//"):
+        RABBITMQ_URL += "/"
+
+DEFAULT_QUEUE = os.getenv("MAIL_QUEUE", "mail_queue")
+
+CELERY_BACKEND = os.getenv("CELERY_BACKEND", "rpc://")
+
+celery_app = Celery(
+    "app",
+    broker=RABBITMQ_URL,
+    # backend=CELERY_BACKEND,
+)
+celery_app.autodiscover_tasks(["app.workers"], related_name="celery_tasks")  # discover app.workers.celery_tasks
+
+celery_app.set_default()
+
+celery_app.conf.update(
+    task_default_queue=DEFAULT_QUEUE,
+    task_acks_late=True,
+    worker_prefetch_multiplier=int(os.getenv("CELERY_PREFETCH", "1")),
+    task_serializer="json",
+    result_serializer="json",
+    accept_content=["json"],
+)
+
+__all__ = ["celery_app"]

7project/src/backend/app/core/base.py

@@ -0,0 +1,4 @@
+from sqlalchemy.ext.declarative import DeclarativeMeta, declarative_base
+
+Base: DeclarativeMeta = declarative_base()
+

7project/src/backend/app/core/db.py

@@ -0,0 +1,45 @@
+import os
+from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from app.core.base import Base
+
+DATABASE_URL = os.getenv("DATABASE_URL")
+if not DATABASE_URL:
+    mariadb_host = os.getenv("MARIADB_HOST", "localhost")
+    mariadb_port = os.getenv("MARIADB_PORT", "3306")
+    mariadb_db = os.getenv("MARIADB_DB", "group_project")
+    mariadb_user = os.getenv("MARIADB_USER", "root")
+    mariadb_password = os.getenv("MARIADB_PASSWORD", "strongpassword")
+    if mariadb_host and mariadb_db and mariadb_user and mariadb_password:
+        DATABASE_URL = f"mysql+asyncmy://{mariadb_user}:{mariadb_password}@{mariadb_host}:{mariadb_port}/{mariadb_db}"
+    else:
+        raise Exception("Only MariaDB is supported. Please set the DATABASE_URL environment variable.")
+
+# Load all models to register them
+from app.models.user import User
+from app.models.transaction import Transaction
+from app.models.categories import Category
+
+host_env = os.getenv("MARIADB_HOST", "localhost")
+ssl_enabled = host_env not in {"localhost", "127.0.0.1"}
+connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {}
+
+# Async engine/session for the async parts of the app
+engine = create_async_engine(
+    DATABASE_URL,
+    pool_pre_ping=True,
+    echo=os.getenv("SQL_ECHO", "0") == "1",
+    connect_args=connect_args,
+)
+async_session_maker = async_sessionmaker(engine, expire_on_commit=False)
+
+# Synchronous engine/session for sync utilities (e.g., bank_scraper)
+SYNC_DATABASE_URL = DATABASE_URL.replace("+asyncmy", "+pymysql")
+engine_sync = create_engine(
+    SYNC_DATABASE_URL,
+    pool_pre_ping=True,
+    echo=os.getenv("SQL_ECHO", "0") == "1",
+    connect_args=connect_args,
+)
+sync_session_maker = sessionmaker(bind=engine_sync, expire_on_commit=False)

7project/src/backend/app/core/queue.py

@@ -0,0 +1,6 @@
+import app.celery_app  # noqa: F401
+from app.workers.celery_tasks import send_email
+
+
+def enqueue_email(to: str, subject: str, body: str) -> None:
+    send_email.delay(to, subject, body)

7project/src/backend/app/core/security.py

@@ -0,0 +1,52 @@
+from typing import Optional
+import re
+import jwt
+from fastapi import Request
+
+# Simple in-memory revocation store for revoked JWT tokens.
+# 
+# Limitations:
+# - All revoked tokens will be lost if the process restarts (data loss on restart).
+# - Not suitable for multi-instance deployments: the revocation list is not shared between instances.
+#   A token revoked in one instance will not be recognized as revoked in others.
+# 
+# For production, use a persistent and shared store (e.g., Redis or a database).
+_REVOKED_TOKENS: set[str] = set()
+
+# Bearer token regex
+_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$")
+
+
+def extract_bearer_token(request: Request) -> Optional[str]:
+    auth = request.headers.get("authorization")
+    if not auth:
+        return None
+    m = _BEARER_RE.match(auth)
+    if not m:
+        return None
+    return m.group(1).strip()
+
+
+def revoke_token(token: str) -> None:
+    if token:
+        _REVOKED_TOKENS.add(token)
+
+
+def is_token_revoked(token: str) -> bool:
+    return token in _REVOKED_TOKENS
+
+
+def decode_and_verify_jwt(token: str, secret: str) -> dict:
+    """
+    Decode the JWT using the shared secret, verifying expiration and signature.
+    Audience is not verified here to be compatible with fastapi-users default tokens.
+    Raises jwt.ExpiredSignatureError if expired.
+    Raises jwt.InvalidTokenError for other issues.
+    Returns the decoded payload dict on success.
+    """
+    return jwt.decode(
+        token,
+        secret,
+        algorithms=["HS256"],
+        options={"verify_aud": False},
+    )  # verify_exp is True by default

7project/src/backend/app/models/categories.py

@@ -0,0 +1,25 @@
+from fastapi_users_db_sqlalchemy import GUID
+from sqlalchemy import Column, Integer, String, ForeignKey, Table, UniqueConstraint
+from sqlalchemy.orm import relationship
+
+from app.core.base import Base
+
+association_table = Table(
+    "category_transaction",
+    Base.metadata,
+    Column("category_id", Integer, ForeignKey("categories.id", ondelete="CASCADE"), primary_key=True),
+    Column("transaction_id", Integer, ForeignKey("transaction.id", ondelete="CASCADE"), primary_key=True)
+)
+
+
+class Category(Base):
+    __tablename__ = "categories"
+    __table_args__ = (
+        UniqueConstraint("name", "user_id", name="uix_name_user_id"),
+    )
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(length=100), nullable=False)
+    description = Column(String(length=255), nullable=True)
+    user_id = Column(GUID, ForeignKey("user.id"), nullable=False)
+    user = relationship("User", back_populates="categories")
+    transactions = relationship("Transaction", secondary=association_table, back_populates="categories")

7project/src/backend/app/models/transaction.py

@@ -0,0 +1,24 @@
+import os
+from fastapi_users_db_sqlalchemy import GUID
+from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func
+from sqlalchemy.orm import relationship
+from sqlalchemy_utils import EncryptedType
+from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine
+
+from app.core.base import Base
+from app.models.categories import association_table
+
+SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev")
+
+
+class Transaction(Base):
+    __tablename__ = "transaction"
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False)
+    description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True)
+    date = Column(Date, nullable=False, server_default=func.current_date())
+    user_id = Column(GUID, ForeignKey("user.id"), nullable=False)
+
+    # Relationship
+    user = relationship("User", back_populates="transactions")
+    categories = relationship("Category", secondary=association_table, back_populates="transactions", passive_deletes=True)

7project/src/backend/app/models/user.py

@@ -0,0 +1,22 @@
+from sqlalchemy import Column, String
+from sqlalchemy.orm import relationship, mapped_column, Mapped
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
+from sqlalchemy.sql.sqltypes import JSON
+
+from app.core.base import Base
+
+
+class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
+    # BankID token is longer than default
+    access_token: Mapped[str] = mapped_column(String(length=4096), nullable=False)
+
+
+class User(SQLAlchemyBaseUserTableUUID, Base):
+    first_name = Column(String(length=100), nullable=True)
+    last_name = Column(String(length=100), nullable=True)
+    oauth_accounts = relationship("OAuthAccount", lazy="joined")
+    config = Column(JSON, default={})
+
+    # Relationship
+    transactions = relationship("Transaction", back_populates="user")
+    categories = relationship("Category", back_populates="user")

7project/src/backend/app/oauth/bank_id.py

@@ -0,0 +1,50 @@
+import secrets
+from typing import Optional, Literal
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class BankID(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://oidc.sandbox.bankid.cz/.well-known/openid-configuration",
+            "BankID",
+            base_scopes=["openid", "profile.email", "profile.name"],
+        )
+
+    async def get_user_info(self, token: str) -> dict:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        if extras_params is None:
+            extras_params = {}
+
+        # BankID requires random nonce parameter for security
+        # https://developer.bankid.cz/docs/security_sep
+        extras_params["nonce"] = secrets.token_urlsafe()
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )

7project/src/backend/app/oauth/csas.py

@@ -0,0 +1,33 @@
+import os
+from os.path import dirname, join
+from typing import Optional, Any
+
+import httpx
+from httpx_oauth.exceptions import GetProfileError
+from httpx_oauth.oauth2 import BaseOAuth2
+
+import app.services.db
+
+BASE_DIR = dirname(__file__)
+certs = (
+    join(BASE_DIR, "public_key.pem"),
+    join(BASE_DIR, "private_key.key")
+)
+
+class CSASOAuth(BaseOAuth2):
+
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            base_scopes=["aisp"],
+            authorize_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/auth",
+            access_token_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/token",
+            refresh_token_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/token"
+        )
+
+
+
+
+
+

7project/src/backend/app/oauth/custom_openid.py

@@ -0,0 +1,6 @@
+from httpx_oauth.clients.openid import OpenID
+
+
+class CustomOpenID(OpenID):
+    async def get_user_info(self, token: str) -> dict:
+        raise NotImplementedError()

7project/src/backend/app/oauth/moje_id.py

@@ -0,0 +1,56 @@
+import json
+from typing import Optional, Literal, Any
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class MojeIDOAuth(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://mojeid.cz/.well-known/openid-configuration/",
+            "MojeID",
+            base_scopes=["openid", "email", "profile"],
+        )
+
+    async def get_user_info(self, token: str) -> Optional[Any]:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        required_fields = {
+            'id_token': {
+                'name': {'essential': True},
+                'given_name': {'essential': True},
+                'family_name': {'essential': True},
+                'email': {'essential': True},
+                'mojeid_valid': {'essential': True},
+            }}
+
+        if extras_params is None:
+            extras_params = {}
+        extras_params["claims"] = json.dumps(required_fields)
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )

7project/src/backend/app/oauth/private_key.key

@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDcr/oxgV074ETd
+DkP/0l8LFnRofru+m2wNNG/ttVCioTqwnvR4oYxwq3U9qIBsT0D+Rx/Ef7qcpzqf
+/w9xt6Hosdv6I5jMHGaVQqLiPuV26/a7WvcmU+PpYuEBmbBHjGVJRBwgPtlUW1VL
+M8Pht9YiaagEKvFa6SUidZLfPv+ECohqgH4mgMrEcG/BTnry0/5xQdadRC9o25cl
+NtZIesS5GPeelhggFTkbh/FaxvMXhIAaRXT61cnxgxtfM71h5ObX5Lwle9z5a+Tw
+xgQhSQq1jbHALYvTwsc4Q/NQGXpGNWy599sb7dg5AkPFSSF4ceXBo/2jOaZCqWrt
+FVONZ+blAgMBAAECggEBAJwQbrRXsaFIRiq1jez5znC+3m+PQCHZM55a+NR3pqB7
+uE9y+ZvdUr3S4sRJxxfRLDsl/Rcu5L8nm9PNwhQ/MmamcNQCHGoro3fmed3ZcNia
+og94ktMt/DztygUhtIHEjVQ0sFc1WufG9xiJcPrM0MfhRAo+fBQ4UCSAVO8/U98B
+a4yukrPNeEA03hyjLB9W41pNQfyOtAHqzwDg9Q5XVaGMCLZT1bjCIquUcht5iMva
+tiw3cwdiYIklLTzTCsPPK9A/AlWZyUXL8KxtN0mU0kkwlXqASoXZ2nqdkhjRye/V
+3JXOmlDtDaJCqWDpH2gHLxMCl7OjfPvuD66bAT3H63kCgYEA5zxW/l6oI3gwYW7+
+j6rEjA2n8LikVnyW2e/PZ7pxBH3iBFe2DHx/imeqd/0IzixcM1zZT/V+PTFPQizG
+lOU7stN6Zg/LuRdxneHPyLWCimJP7BBJCWyJkuxKy9psokyBhGSLR/phL3fP7UkB
+o2I3vGmTFu5A0FzXcNH/cXPMdy8CgYEA9FJw3kyzXlInhJ6Cd63mckLPLYDArUsm
+THBoeH2CVTBS5g0bCbl7N1ZxUoYwZPD4lg5V0nWhZALGf+85ULSjX03PMf1cc6WW
+EIbZIo9hX+mGRa/FudDd+TlbtBnn0jucwABuLQi9mIepE55Hu9tw5/FT3cHeZVQc
+cC0T6ulVvisCgYBCzFeFG+sOdAXl356B+h7VJozBKVWv9kXNp00O9fj4BzVnc78P
+VFezr8a66snEZWQtIkFUq+JP4xK2VyD2mlHoktbk7OM5EOCtbzILFQQk3cmgtAOl
+SUlkvAXPZcXEDL3NdQ4XOOkiQUY7kb97Z0AamZT4JtNqXaeO29si9wS12QKBgHYg
+Hd3864Qg6GZgVOgUNiTsVErFw2KFwQCYIIqQ9CDH+myrzXTILuC0dJnXszI6p5W1
+XJ0irmMyTFKykN2KWKrNbe3Xd4mad5GKARWKiSPcPkUXFNwgNhI3PzU2iTTGCaVz
+D9HKNhC3FnIbxsb29AHQViITh7kqD43U3ZpoMkJ9AoGAZ+sg+CPfuo3ZMpbcdb3B
+ZX2UhAvNKxgHvNnHOjO+pvaM7HiH+BT0650brfBWQ0nTG1dt18mCevVk1UM/5hO9
+AtZw06vCLOJ3p3qpgkSlRZ1H7VokG9M8Od0zXqtJrmeLeBq7dfuDisYOuA+NUEbJ
+UM/UHByieS6ywetruz0LpM0=
+-----END RSA PRIVATE KEY-----

7project/src/backend/app/oauth/public_key.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSTCCAzGgAwIBAgIEAQIDBDANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMC
+Q1oxDjAMBgNVBAcTBUN6ZWNoMRMwEQYDVQQKEwpFcnN0ZUdyb3VwMRUwEwYDVQQL
+EwxFcnN0ZUh1YlRlYW0xETAPBgNVBAMTCEVyc3RlSHViMSIwIAYJKoZIhvcNAQkB
+FhNpbmZvQGVyc3RlZ3JvdXAuY29tMB4XDTIyMTIxNDA4MDc1N1oXDTI2MDMxNDA4
+MDc1N1owUjEaMBgGA1UEYRMRUFNEQ1otQ05CLTEyMzQ1NjcxCzAJBgNVBAYTAkNa
+MRYwFAYDVQQDEw1UUFAgVGVzdCBRV0FDMQ8wDQYDVQQKEwZNeSBUUFAwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcr/oxgV074ETdDkP/0l8LFnRofru+
+m2wNNG/ttVCioTqwnvR4oYxwq3U9qIBsT0D+Rx/Ef7qcpzqf/w9xt6Hosdv6I5jM
+HGaVQqLiPuV26/a7WvcmU+PpYuEBmbBHjGVJRBwgPtlUW1VLM8Pht9YiaagEKvFa
+6SUidZLfPv+ECohqgH4mgMrEcG/BTnry0/5xQdadRC9o25clNtZIesS5GPeelhgg
+FTkbh/FaxvMXhIAaRXT61cnxgxtfM71h5ObX5Lwle9z5a+TwxgQhSQq1jbHALYvT
+wsc4Q/NQGXpGNWy599sb7dg5AkPFSSF4ceXBo/2jOaZCqWrtFVONZ+blAgMBAAGj
+gfcwgfQwCwYDVR0PBAQDAgHGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
+AjCBrwYIKwYBBQUHAQMEgaIwgZ8wCAYGBACORgEBMAsGBgQAjkYBAwIBFDAIBgYE
+AI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgMwZwYGBACBmCcCMF0wTDARBgcEAIGY
+JwEBDAZQU1BfQVMwEQYHBACBmCcBAgwGUFNQX1BJMBEGBwQAgZgnAQMMBlBTUF9B
+STARBgcEAIGYJwEEDAZQU1BfSUMMBUVyc3RlDAZBVC1FUlMwFAYDVR0RBA0wC4IJ
+bXl0cHAuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBlTMPSwz46GMRBEPcy+25gV7xE
+5aFS5N6sf3YQyFelRJgPxxPxTHo55WelcK4XmXRQKeQ4VoKf4FgP0Cj74+p0N0gw
+wFJDWPGXH3SdjAXPRtG+FOiHwUSoyrmvbL4kk6Vbrd4cF+qe0BlzHzJ2Q6vFLwsk
+NYvWzkY9YjoItB38nAnQhyYgl1yHUK/uDWyrwHVfZn1AeTws/hr/KufORuiQfaTU
+kvAH1nzi7WSJ6AIQCd2exUEPx/O14Y+oCoJhTVd+RpA/9lkcqebceBijj47b2bvv
+QbjymvyTXqHd3L224Y7zVmh95g+CaJ8PRpApdrImfjfDDRy8PaFWx2pd/v0UQgrQ
+lgbO6jE7ah/tS0T5q5JtwnLAiOOqHPaKRvo5WB65jcZ2fvOH/0/oZ89noxp1Ihus
+vvsjqc9k2h9Rvt2pEjVU40HtQZ6XCmWqgFwK3n9CHrKNV/GqgANIZRNcvXKMCUoB
+VoJORVwi2DF4caKSFmyEWuK+5FyCEILtQ60SY/NHVGsUeOuN7OTjZjECARO6p4hz
+Uw+GCIXrzmIjS6ydh/LRef+NK28+xTbjmLHu/wnHg9rrHEnTPd39is+byfS7eeLV
+Dld/0Xrv88C0wxz63dcwAceiahjyz2mbQm765tOf9rK7EqsvT5M8EXFJ3dP4zwqS
+6mNFoIa0XGbAUT3E1w==
+-----END CERTIFICATE-----

7project/src/backend/app/schemas/category.py

@@ -0,0 +1,21 @@
+from typing import Optional
+from pydantic import BaseModel, ConfigDict
+
+
+class CategoryBase(BaseModel):
+    name: str
+    description: Optional[str] = None
+
+
+class CategoryCreate(CategoryBase):
+    pass
+
+
+class CategoryUpdate(BaseModel):
+    name: Optional[str] = None
+    description: Optional[str] = None
+
+
+class CategoryRead(CategoryBase):
+    id: int
+    model_config = ConfigDict(from_attributes=True)

7project/src/backend/app/schemas/transaction.py

@@ -0,0 +1,26 @@
+from typing import List, Optional, Union
+from datetime import date
+from pydantic import BaseModel, Field, ConfigDict
+
+
+class TransactionBase(BaseModel):
+    amount: float = Field(..., gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+    # accept either ISO date string or date object
+    date: Optional[Union[date, str]] = None
+
+class TransactionCreate(TransactionBase):
+    category_ids: Optional[List[int]] = None
+
+class TransactionUpdate(BaseModel):
+    amount: Optional[float] = Field(None, gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+    # accept either ISO date string or date object
+    date: Optional[Union[date, str]] = None
+    category_ids: Optional[List[int]] = None
+
+class TransactionRead(TransactionBase):
+    id: int
+    category_ids: List[int] = []
+    date: Optional[Union[date, str]]
+    model_config = ConfigDict(from_attributes=True)

7project/src/backend/app/schemas/user.py

@@ -0,0 +1,17 @@
+import uuid
+from typing import Optional, Dict, Any
+from fastapi_users import schemas
+
+class UserRead(schemas.BaseUser[uuid.UUID]):
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
+    config: Optional[Dict[str, Any]] = None
+
+class UserCreate(schemas.BaseUserCreate):
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
+
+class UserUpdate(schemas.BaseUserUpdate):
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
+

7project/src/backend/app/services/bank_scraper.py

@@ -0,0 +1,178 @@
+import json
+import logging
+import os
+from os.path import dirname, join
+from time import strptime
+from uuid import UUID
+
+import httpx
+from sqlalchemy import select
+
+from app.core.db import sync_session_maker
+from app.models.transaction import Transaction
+from app.models.user import User
+
+logger = logging.getLogger(__name__)
+
+OAUTH_DIR = join(dirname(__file__), "..", "oauth")
+CERTS = (
+    join(OAUTH_DIR, "public_key.pem"),
+    join(OAUTH_DIR, "private_key.key"),
+)
+
+
+def load_mock_bank_transactions(user_id: str) -> None:
+    try:
+        uid = UUID(str(user_id))
+    except Exception:
+        logger.error("Invalid user_id provided to bank_scraper (sync): %r", user_id)
+        return
+
+    _load_mock_bank_transactions(uid)
+
+
+def load_all_mock_bank_transactions() -> None:
+    with sync_session_maker() as session:
+        users = session.execute(select(User)).unique().scalars().all()
+        logger.info("[BankScraper] Starting Mock Bank scrape for all users | count=%d", len(users))
+
+    processed = 0
+    for user in users:
+        try:
+            _load_mock_bank_transactions(user.id)
+            processed += 1
+        except Exception:
+            logger.exception("[BankScraper] Error scraping for user id=%s email=%s", user.id,
+                             getattr(user, 'email', None))
+    logger.info("[BankScraper] Finished Mock Bank scrape for all users | processed=%d", processed)
+
+
+def _load_mock_bank_transactions(user_id: UUID) -> None:
+    with sync_session_maker() as session:
+        user: User | None = session.execute(select(User).where(User.id == user_id)).unique().scalar_one_or_none()
+        if user is None:
+            logger.warning("User not found for id=%s", user_id)
+            return
+
+        transactions = []
+        with httpx.Client() as client:
+            response = client.get(f"{os.getenv('APP_POD_URL')}/mock-bank/scrape")
+            if response.status_code != httpx.codes.OK:
+                return
+            for transaction in response.json():
+                transactions.append(
+                    Transaction(
+                        amount=transaction["amount"],
+                        description=transaction.get("description"),
+                        date=strptime(transaction["date"], "%Y-%m-%d"),
+                        user_id=user_id,
+                    )
+                )
+
+        for transaction in transactions:
+            session.add(transaction)
+        session.commit()
+
+
+def load_ceska_sporitelna_transactions(user_id: str) -> None:
+    try:
+        uid = UUID(str(user_id))
+    except Exception:
+        logger.error("Invalid user_id provided to bank_scraper (sync): %r", user_id)
+        return
+
+    _load_ceska_sporitelna_transactions(uid)
+
+
+def load_all_ceska_sporitelna_transactions() -> None:
+    with sync_session_maker() as session:
+        users = session.execute(select(User)).unique().scalars().all()
+        logger.info("[BankScraper] Starting CSAS scrape for all users | count=%d", len(users))
+
+    processed = 0
+    for user in users:
+        try:
+            _load_ceska_sporitelna_transactions(user.id)
+            processed += 1
+        except Exception:
+            logger.exception("[BankScraper] Error scraping for user id=%s email=%s", user.id,
+                             getattr(user, 'email', None))
+    logger.info("[BankScraper] Finished CSAS scrape for all users | processed=%d", processed)
+
+
+def _load_ceska_sporitelna_transactions(user_id: UUID) -> None:
+    with sync_session_maker() as session:
+        user: User | None = session.execute(select(User).where(User.id == user_id)).unique().scalar_one_or_none()
+        if user is None:
+            logger.warning("User not found for id=%s", user_id)
+            return
+
+        cfg = user.config or {}
+        if "csas" not in cfg:
+            return
+
+        cfg = json.loads(cfg["csas"])
+        if "access_token" not in cfg:
+            return
+
+        accounts = []
+        try:
+            with httpx.Client(cert=CERTS, timeout=httpx.Timeout(20.0)) as client:
+                response = client.get(
+                    "https://webapi.developers.erstegroup.com/api/csas/sandbox/v4/account-information/my/accounts?size=10&page=0&sort=iban&order=desc",
+                    headers={
+                        "Authorization": f"Bearer {cfg['access_token']}",
+                        "WEB-API-key": "09fdc637-3c57-4242-95f2-c2205a2438f3",
+                        "user-involved": "false",
+                    },
+                )
+                if response.status_code != httpx.codes.OK:
+                    return
+
+                for account in response.json().get("accounts", []):
+                    accounts.append(account)
+
+        except (httpx.HTTPError,) as e:
+            logger.exception("[BankScraper] HTTP error during CSAS request | user_id=%s", user_id)
+            return
+
+        for account in accounts:
+            acc_id = account.get("id")
+            if not acc_id:
+                continue
+
+            url = f"https://webapi.developers.erstegroup.com/api/csas/sandbox/v4/account-information/my/accounts/{acc_id}/transactions?size=100&page=0&sort=bookingdate&order=desc"
+            with httpx.Client(cert=CERTS) as client:
+                response = client.get(
+                    url,
+                    headers={
+                        "Authorization": f"Bearer {cfg['access_token']}",
+                        "WEB-API-key": "09fdc637-3c57-4242-95f2-c2205a2438f3",
+                        "user-involved": "false",
+                    },
+                )
+                if response.status_code != httpx.codes.OK:
+                    continue
+
+                transactions = response.json().get("transactions", [])
+
+            for transaction in transactions:
+                description = transaction.get("entryDetails", {}).get("transactionDetails", {}).get(
+                    "additionalRemittanceInformation")
+                date_str = transaction.get("bookingDate", {}).get("date")
+                date = strptime(date_str, "%Y-%m-%d") if date_str else None
+                amount = transaction.get("amount", {}).get("value")
+                if transaction.get("creditDebitIndicator") == "DBIT" and amount is not None:
+                    amount = -abs(amount)
+
+                if amount is None:
+                    continue
+
+                obj = Transaction(
+                    amount=amount,
+                    description=description,
+                    date=date,
+                    user_id=user_id,
+                )
+                session.add(obj)
+            session.commit()

7project/src/backend/app/services/db.py

@@ -0,0 +1,16 @@
+from typing import AsyncGenerator
+from fastapi import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+from fastapi_users.db import SQLAlchemyUserDatabase
+
+from ..core.db import async_session_maker
+from ..models.user import User, OAuthAccount
+
+
+async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
+    async with async_session_maker() as session:
+        yield session
+
+
+async def get_user_db(session: AsyncSession = Depends(get_async_session)):
+    yield SQLAlchemyUserDatabase(session, User, OAuthAccount)

7project/src/backend/app/services/prometheus.py

@@ -0,0 +1,48 @@
+from typing import Callable
+from prometheus_fastapi_instrumentator.metrics import Info
+from prometheus_client import Gauge
+from sqlalchemy import select, func
+
+from app.core.db import async_session_maker
+from app.models.transaction import Transaction
+from app.models.user import User
+
+
+def number_of_users() -> Callable[[Info], None]:
+    METRIC = Gauge(
+        "number_of_users_total",
+        "Number of registered users.",
+        labelnames=("users",)
+    )
+
+    async def instrumentation(info: Info) -> None:
+        try:
+            async with async_session_maker() as session:
+                result = await session.execute(select(func.count(User.id)))
+                user_count = result.scalar_one() or 0
+        except Exception:
+            # In case of DB errors, avoid crashing metrics endpoint
+            user_count = 0
+        METRIC.labels(users="total").set(user_count)
+
+    return instrumentation
+
+
+def number_of_transactions() -> Callable[[Info], None]:
+    METRIC = Gauge(
+        "number_of_transactions_total",
+        "Number of transactions stored.",
+        labelnames=("transactions",)
+    )
+
+    async def instrumentation(info: Info) -> None:
+        try:
+            async with async_session_maker() as session:
+                result = await session.execute(select(func.count()).select_from(Transaction))
+                transaction_count = result.scalar_one() or 0
+        except Exception:
+            # In case of DB errors, avoid crashing metrics endpoint
+            transaction_count = 0
+        METRIC.labels(transactions="total").set(transaction_count)
+
+    return instrumentation

7project/src/backend/app/services/user_service.py

@@ -0,0 +1,117 @@
+import os
+import uuid
+from typing import Optional
+
+from fastapi import Depends, Request
+from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin, models
+from fastapi_users.authentication import (
+    AuthenticationBackend,
+    BearerTransport,
+)
+from fastapi_users.authentication.strategy.jwt import JWTStrategy
+from fastapi_users.db import SQLAlchemyUserDatabase
+from httpx_oauth.oauth2 import BaseOAuth2
+
+from app.models.user import User
+from app.oauth.bank_id import BankID
+from app.oauth.csas import CSASOAuth
+from app.oauth.custom_openid import CustomOpenID
+from app.oauth.moje_id import MojeIDOAuth
+from app.services.db import get_user_db
+from app.core.queue import enqueue_email
+
+SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
+
+FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
+BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")
+
+providers = {
+    "MojeID": MojeIDOAuth(
+        os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+    "BankID": BankID(
+        os.getenv("BANKID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("BANKID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+}
+
+
+def get_oauth_provider(name: str) -> Optional[BaseOAuth2]:
+    if name not in providers:
+        return None
+    return providers[name]
+
+
+class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
+    reset_password_token_secret = SECRET
+    verification_token_secret = SECRET
+
+    async def oauth_callback(self: "BaseUserManager[models.UOAP, models.ID]", oauth_name: str, access_token: str,
+                             account_id: str, account_email: str, expires_at: Optional[int] = None,
+                             refresh_token: Optional[str] = None, request: Optional[Request] = None, *,
+                             associate_by_email: bool = False, is_verified_by_default: bool = False) -> models.UOAP:
+
+        user = await super().oauth_callback(oauth_name, access_token, account_id, account_email, expires_at,
+                                            refresh_token, request, associate_by_email=associate_by_email,
+                                            is_verified_by_default=is_verified_by_default)
+
+        # set additional user info from the OAuth provider
+        provider = get_oauth_provider(oauth_name)
+        if provider is not None and isinstance(provider, CustomOpenID):
+            update_dict = await provider.get_user_info(access_token)
+            await self.user_db.update(user, update_dict)
+
+        return user
+
+    async def on_after_register(self, user: User, request: Optional[Request] = None):
+        await self.request_verify(user, request)
+
+    async def on_after_forgot_password(
+            self, user: User, token: str, request: Optional[Request] = None
+    ):
+        print(f"User {user.id} has forgot their password. Reset token: {token}")
+
+    async def on_after_request_verify(
+            self, user: User, token: str, request: Optional[Request] = None
+    ):
+        verify_frontend_link = f"{FRONTEND_URL}/verify?token={token}"
+        verify_backend_link = f"{BACKEND_URL}/auth/verify?token={token}"
+        subject = "Ověření účtu"
+        body = (
+            "Ahoj,\n\n"
+            "děkujeme za registraci. Prosíme, ověř svůj účet kliknutím na tento odkaz:\n"
+            f"{verify_frontend_link}\n\n"
+            "Pokud by odkaz nefungoval, můžeš použít i přímý odkaz na backend:\n"
+            f"{verify_backend_link}\n\n"
+            "Pokud jsi registraci neprováděl(a), tento email ignoruj.\n"
+        )
+        try:
+            enqueue_email(to=user.email, subject=subject, body=body)
+        except Exception as e:
+            print("[Email Fallback] To:", user.email)
+            print("[Email Fallback] Subject:", subject)
+            print("[Email Fallback] Body:\n", body)
+
+
+async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
+    yield UserManager(user_db)
+
+
+bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")
+
+
+def get_jwt_strategy() -> JWTStrategy:
+    return JWTStrategy(secret=SECRET, lifetime_seconds=604800)
+
+
+auth_backend = AuthenticationBackend(
+    name="jwt",
+    transport=bearer_transport,
+    get_strategy=get_jwt_strategy,
+)
+
+fastapi_users = FastAPIUsers[User, uuid.UUID](get_user_manager, [auth_backend])
+
+current_active_user = fastapi_users.current_user(active=True)
+current_active_verified_user = fastapi_users.current_user(active=True, verified=True)

7project/src/backend/app/workers/celery_tasks.py

@@ -0,0 +1,86 @@
+import logging
+import os
+import smtplib
+from email.message import EmailMessage
+
+import app.services.bank_scraper
+from app.celery_app import celery_app
+
+logger = logging.getLogger("celery_tasks")
+if not logger.handlers:
+    _h = logging.StreamHandler()
+    logger.addHandler(_h)
+logger.setLevel(logging.INFO)
+
+
+@celery_app.task(name="workers.send_email")
+def send_email(to: str, subject: str, body: str) -> None:
+    if not (to and subject and body):
+        logger.error("Email task missing fields. to=%r subject=%r body_len=%r", to, subject, len(body) if body else 0)
+        return
+
+    host = os.getenv("SMTP_HOST")
+    if not host:
+        logger.error("SMTP_HOST is not configured; cannot send email")
+        return
+
+    # Configuration
+    port = int(os.getenv("SMTP_PORT", "25"))
+    username = os.getenv("SMTP_USERNAME")
+    password = os.getenv("SMTP_PASSWORD")
+    use_tls = os.getenv("SMTP_USE_TLS", "0").lower() in {"1", "true", "yes"}
+    use_ssl = os.getenv("SMTP_USE_SSL", "0").lower() in {"1", "true", "yes"}
+    timeout = int(os.getenv("SMTP_TIMEOUT", "10"))
+    mail_from = os.getenv("SMTP_FROM") or username or "noreply@localhost"
+
+    # Build message
+    msg = EmailMessage()
+    msg["To"] = to
+    msg["From"] = mail_from
+    msg["Subject"] = subject
+    msg.set_content(body)
+
+    try:
+        if use_ssl:
+            with smtplib.SMTP_SSL(host=host, port=port, timeout=timeout) as smtp:
+                if username and password:
+                    smtp.login(username, password)
+                smtp.send_message(msg)
+        else:
+            with smtplib.SMTP(host=host, port=port, timeout=timeout) as smtp:
+                # STARTTLS if requested
+                if use_tls:
+                    smtp.starttls()
+                if username and password:
+                    smtp.login(username, password)
+                smtp.send_message(msg)
+        logger.info("[Celery] Email sent | to=%s | subject=%s | body_len=%d", to, subject, len(body))
+    except Exception:
+        logger.exception("Failed to send email via SMTP to=%s subject=%s host=%s port=%s tls=%s ssl=%s", to, subject,
+                         host, port, use_tls, use_ssl)
+
+
+@celery_app.task(name="workers.load_transactions")
+def load_transactions(user_id: str) -> None:
+    if not user_id:
+        logger.error("Load transactions task missing user_id.")
+        return
+
+    logger.info("[Celery] Starting load_transactions | user_id=%s", user_id)
+    try:
+        # Use synchronous bank scraper functions directly, mirroring load_all_transactions
+        app.services.bank_scraper.load_mock_bank_transactions(user_id)
+        app.services.bank_scraper.load_ceska_sporitelna_transactions(user_id)
+    except Exception:
+        logger.exception("Failed to load transactions for user_id=%s", user_id)
+    else:
+        logger.info("[Celery] Finished load_transactions | user_id=%s", user_id)
+
+
+@celery_app.task(name="workers.load_all_transactions")
+def load_all_transactions() -> None:
+    logger.info("[Celery] Starting load_all_transactions")
+    # Now use synchronous bank scraper functions directly
+    app.services.bank_scraper.load_all_mock_bank_transactions()
+    app.services.bank_scraper.load_all_ceska_sporitelna_transactions()
+    logger.info("[Celery] Finished load_all_transactions")