Merge branch 'main' into merge/frontend_basics

feat(infrastructure): remove old deployment
fix(app): add missing env variables
2026-03-22 15:12:08 +01:00 · 2025-10-21 13:31:50 +02:00 · 2025-10-20 19:20:56 +02:00 · 2025-10-17 16:04:52 +02:00 · 2025-10-17 15:59:18 +02:00 · 2025-10-17 15:42:58 +02:00
62 changed files with 2138 additions and 576 deletions
--- a/.github/workflows/deploy-pr.yaml
+++ b/.github/workflows/deploy-pr.yaml
@@ -20,13 +20,26 @@ jobs:
      pr_number: ${{ github.event.pull_request.number }}
    secrets: inherit

+  get_urls:
+    if: github.event.action != 'closed'
+    name: Generate Preview URLs
+    uses: ./.github/workflows/url_generator.yml
+    with:
+      runner: vhs
+      mode: pr
+      pr_number: ${{ github.event.pull_request.number }}
+      base_domain: ${{ vars.DEV_BASE_DOMAIN }}
+    secrets: inherit
+
  frontend:
    if: github.event.action != 'closed'
    name: Frontend - Build and Deploy to Cloudflare Pages (PR)
+    needs: [get_urls]
    uses: ./.github/workflows/frontend-pages.yml
    with:
      mode: pr
      pr_number: ${{ github.event.pull_request.number }}
+      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
    secrets: inherit

  deploy:
@@ -36,7 +49,7 @@ jobs:
    concurrency:
      group: pr-${{ github.event.pull_request.number }}
      cancel-in-progress: false
-    needs: [build, frontend]
+    needs: [build, frontend, get_urls]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -62,25 +75,24 @@ jobs:
          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
-          IMAGE_REPO: ${{ needs.build.outputs.image_repo }}
          DIGEST: ${{ needs.build.outputs.digest }}
+          DOMAIN: "${{ needs.get_urls.outputs.backend_url }}"
+          DOMAIN_SCHEME: "${{ needs.get_urls.outputs.backend_url_scheme }}"
+          FRONTEND_DOMAIN: "${{ needs.get_urls.outputs.frontend_url }}"
+          FRONTEND_DOMAIN_SCHEME: "${{ needs.get_urls.outputs.frontend_url_scheme }}"
        run: |
          PR=${{ github.event.pull_request.number }}
-          if [ -z "$PR" ]; then echo "PR number missing"; exit 1; fi
-          if [ -z "$DEV_BASE_DOMAIN" ]; then echo "Secret DEV_BASE_DOMAIN is required (e.g., dev.example.com)"; exit 1; fi
-          if [ -z "$RABBITMQ_PASSWORD" ]; then echo "Secret DEV_RABBITMQ_PASSWORD is required"; exit 1; fi
-          if [ -z "$DB_PASSWORD" ]; then echo "Secret DEV_DB_PASSWORD is required"; exit 1; fi
          RELEASE=myapp-pr-$PR
          NAMESPACE=pr-$PR
-          DOMAIN=pr-$PR.$DEV_BASE_DOMAIN
-          if [ -z "$IMAGE_REPO" ]; then IMAGE_REPO="lukastrkan/cc-app-demo"; fi
          helm upgrade --install "$RELEASE" ./7project/charts/myapp-chart \
            -n "$NAMESPACE" --create-namespace \
            -f 7project/charts/myapp-chart/values-dev.yaml \
            --set prNumber="$PR" \
            --set deployment="pr-$PR" \
            --set domain="$DOMAIN" \
-            --set image.repository="$IMAGE_REPO" \
+            --set domain_scheme="$DOMAIN_SCHEME" \
+            --set frontend_domain="$FRONTEND_DOMAIN" \
+            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
            --set image.digest="$DIGEST" \
            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
            --set-string database.password="$DB_PASSWORD"
@@ -88,19 +100,16 @@ jobs:
      - name: Post preview URLs as PR comment
        uses: actions/github-script@v7
        env:
-          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
-          FRONTEND_URL: ${{ needs.frontend.outputs.deployed_url }}
+          BACKEND_URL: ${{ needs.get_urls.outputs.backend_url_scheme }}
+          FRONTEND_URL: ${{ needs.get_urls.outputs.frontend_url_scheme }}
        with:
          script: |
            const pr = context.payload.pull_request;
            if (!pr) { core.setFailed('No pull_request context'); return; }
            const prNumber = pr.number;
-            const domainBase = process.env.DEV_BASE_DOMAIN;
-            if (!domainBase) { core.setFailed('DEV_BASE_DOMAIN is required'); return; }
-            const backendDomain = `pr-${prNumber}.${domainBase}`;
-            const backendUrl = `https://${backendDomain}`;
+            const backendUrl = process.env.BACKEND_URL || '(not available)';
            const frontendUrl = process.env.FRONTEND_URL || '(not available)';
-            const marker = '<!-- preview-link -->';
+            const marker = '<!-- preview-comment-marker -->';
            const body = `${marker}\nPreview environment is running\n- Frontend: ${frontendUrl}\n- Backend: ${backendUrl}\n`;
            const { owner, repo } = context.repo;
            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number: prNumber, per_page: 100 });
@@ -139,4 +148,4 @@ jobs:
          NAMESPACE=pr-$PR
          helm uninstall "$RELEASE" -n "$NAMESPACE" || true
          # Optionally delete the namespace if empty
-          kubectl delete namespace "$NAMESPACE" --ignore-not-found=true || true
+          kubectl delete namespace "$NAMESPACE" --ignore-not-found=true || true
--- a/.github/workflows/deploy-prod.yaml
+++ b/.github/workflows/deploy-prod.yaml
@@ -30,17 +30,28 @@ jobs:
      context: 7project/backend
    secrets: inherit

+  get_urls:
+    name: Generate Production URLs
+    uses: ./.github/workflows/url_generator.yml
+    with:
+      mode: prod
+      runner: vhs
+      base_domain: ${{ vars.PROD_DOMAIN }}
+    secrets: inherit
+
  frontend:
    name: Frontend - Build and Deploy to Cloudflare Pages (prod)
+    needs: [get_urls]
    uses: ./.github/workflows/frontend-pages.yml
    with:
      mode: prod
+      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
    secrets: inherit

  deploy:
    name: Helm upgrade/install (prod)
    runs-on: vhs
-    needs: [build, frontend]
+    needs: [build, frontend, get_urls]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -63,25 +74,32 @@ jobs:

      - name: Helm upgrade/install prod
        env:
-          DOMAIN: ${{ secrets.PROD_DOMAIN }}
+          DOMAIN: ${{ needs.get_urls.outputs.backend_url }}
+          DOMAIN_SCHEME: ${{ needs.get_urls.outputs.backend_url_scheme }}
+          FRONTEND_DOMAIN: ${{ needs.get_urls.outputs.frontend_url }}
+          FRONTEND_DOMAIN_SCHEME: ${{ needs.get_urls.outputs.frontend_url_scheme }}
          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
-          IMAGE_REPO: ${{ needs.build.outputs.image_repo }}
          DIGEST: ${{ needs.build.outputs.digest }}
+          BANKID_CLIENT_ID: ${{ secrets.BANKID_CLIENT_ID }}
+          BANKID_CLIENT_SECRET: ${{ secrets.BANKID_CLIENT_SECRET }}
+          MOJEID_CLIENT_ID: ${{ secrets.MOJEID_CLIENT_ID }}
+          MOJEID_CLIENT_SECRET: ${{ secrets.MOJEID_CLIENT_SECRET }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
        run: |
-          if [ -z "$DOMAIN" ]; then
-            echo "Secret PROD_DOMAIN is required (e.g., app.example.com)"; exit 1; fi
-          if [ -z "$RABBITMQ_PASSWORD" ]; then
-            echo "Secret PROD_RABBITMQ_PASSWORD is required"; exit 1; fi
-          if [ -z "$DB_PASSWORD" ]; then
-            echo "Secret PROD_DB_PASSWORD is required"; exit 1; fi
-          if [ -z "$IMAGE_REPO" ]; then IMAGE_REPO="lukastrkan/cc-app-demo"; fi
          helm upgrade --install myapp ./7project/charts/myapp-chart \
            -n prod --create-namespace \
            -f 7project/charts/myapp-chart/values-prod.yaml \
            --set deployment="prod" \
            --set domain="$DOMAIN" \
-            --set image.repository="$IMAGE_REPO" \
+            --set domain_scheme="$DOMAIN_SCHEME" \
+            --set frontend_domain="$FRONTEND_DOMAIN" \
+            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
            --set image.digest="$DIGEST" \
            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
-            --set-string database.password="$DB_PASSWORD" 
+            --set-string database.password="$DB_PASSWORD" \
+            --set-string oauth.bankid.clientId="$BANKID_CLIENT_ID" \
+            --set-string oauth.bankid.clientSecret="$BANKID_CLIENT_SECRET" \
+            --set-string oauth.mojeid.clientId="$MOJEID_CLIENT_ID" \
+            --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \
+            --set-string sentry_dsn="$SENTRY_DSN" \
--- a/.github/workflows/frontend-pages.yml
+++ b/.github/workflows/frontend-pages.yml
@@ -15,6 +15,10 @@ on:
        description: 'Cloudflare Pages project name (overrides default)'
        required: false
        type: string
+      backend_url_scheme:
+        description: 'The full scheme URL for the backend (e.g., https://api.example.com)'
+        required: true
+        type: string
    secrets:
      CLOUDFLARE_API_TOKEN:
        required: true
@@ -25,14 +29,6 @@ on:
        description: 'URL of deployed frontend'
        value: ${{ jobs.deploy.outputs.deployed_url }}

-# Required repository secrets:
-#   CLOUDFLARE_API_TOKEN     - API token with Pages:Edit (or Account:Workers Scripts:Edit) permissions
-#   CLOUDFLARE_ACCOUNT_ID    - Your Cloudflare account ID
-# Optional repository variables:
-#   CF_PAGES_PROJECT_NAME      - Default Cloudflare Pages project name
-#   PROD_DOMAIN                - App domain for prod releases (e.g., api.example.com or https://api.example.com)
-#   BACKEND_URL_PR_TEMPLATE    - Template for PR backend URL. Use {PR} placeholder for PR number (e.g., https://api-pr-{PR}.example.com)
-
 jobs:
  build:
    name: Build frontend
@@ -54,50 +50,9 @@ jobs:
      - name: Install dependencies
        run: npm ci

-      - name: Compute backend URL for Vite
-        id: be
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
-          PR_TEMPLATE: ${{ vars.BACKEND_URL_PR_TEMPLATE }}
-          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
-          PROD_DOMAIN_VAR: ${{ vars.PROD_DOMAIN }}
-          PROD_DOMAIN_SECRET: ${{ secrets.PROD_DOMAIN }}
-          BACKEND_URL_OVERRIDE: ${{ vars.BACKEND_URL || secrets.BACKEND_URL }}
-          MODE: ${{ inputs.mode }}
+      - name: Set backend URL from workflow input
        run: |
-          set -euo pipefail
-          URL=""
-          # 1) Explicit override wins (from repo var or secret)
-          if [ -n "${BACKEND_URL_OVERRIDE:-}" ]; then
-            if echo "$BACKEND_URL_OVERRIDE" | grep -Eiq '^https?://'; then
-              URL="$BACKEND_URL_OVERRIDE"
-            else
-              URL="https://${BACKEND_URL_OVERRIDE}"
-            fi
-          else
-            # 2) PR-specific URL when building for PR
-            if [ "${MODE:-}" = "pr" ] || [ "${EVENT_NAME}" = "pull_request" ]; then
-              if [ -n "${PR_TEMPLATE:-}" ] && [ -n "${PR_NUMBER:-}" ] ; then
-                URL="${PR_TEMPLATE//\{PR\}/${PR_NUMBER}}"
-              elif [ -n "${DEV_BASE_DOMAIN:-}" ] && [ -n "${PR_NUMBER:-}" ]; then
-                URL="https://pr-${PR_NUMBER}.${DEV_BASE_DOMAIN}"
-              fi
-            fi
-            # 3) Fallback to PROD_DOMAIN (prefer repo var, then secret)
-            if [ -z "$URL" ]; then
-              PROD_DOMAIN="${PROD_DOMAIN_VAR:-${PROD_DOMAIN_SECRET:-}}"
-              if [ -n "$PROD_DOMAIN" ]; then
-                if echo "$PROD_DOMAIN" | grep -Eiq '^https?://'; then
-                  URL="$PROD_DOMAIN"
-                else
-                  URL="https://${PROD_DOMAIN}"
-                fi
-              fi
-            fi
-          fi
-          echo "Using backend URL: ${URL:-<empty>}"
-          echo "VITE_BACKEND_URL=${URL}" >> $GITHUB_ENV
+          echo "VITE_BACKEND_URL=${{ inputs.backend_url_scheme }}" >> $GITHUB_ENV

      - name: Build
        run: npm run build
@@ -177,4 +132,4 @@ jobs:
          else
            URL="https://${PBRANCH}.${PNAME}.pages.dev"
          fi
-          echo "deployed_url=$URL" >> $GITHUB_OUTPUT
+          echo "deployed_url=$URL" >> $GITHUB_OUTPUT
--- a/.github/workflows/url_generator.yml
+++ b/.github/workflows/url_generator.yml
@@ -0,0 +1,74 @@
+name: Generate Preview or Production URLs
+
+on:
+  workflow_call:
+    inputs:
+      mode:
+        description: "Build mode: 'prod' or 'pr'"
+        required: true
+        type: string
+      pr_number:
+        description: 'PR number (required when mode=pr)'
+        required: false
+        type: string
+      runner:
+        description: 'The runner to use for this job'
+        required: false
+        type: string
+        default: 'ubuntu-latest'
+      base_domain:
+        description: 'The base domain for production URLs (e.g., example.com)'
+        required: true
+        type: string
+
+    outputs:
+      backend_url:
+        description: "The backend URL without scheme (e.g., api.example.com)"
+        value: ${{ jobs.generate-urls.outputs.backend_url }}
+      frontend_url:
+        description: "The frontend URL without scheme (e.g., app.example.com)"
+        value: ${{ jobs.generate-urls.outputs.frontend_url }}
+      backend_url_scheme:
+        description: "The backend URL with scheme (e.g., https://api.example.com)"
+        value: ${{ jobs.generate-urls.outputs.backend_url_scheme }}
+      frontend_url_scheme:
+        description: "The frontend URL with scheme (e.g., https://app.example.com)"
+        value: ${{ jobs.generate-urls.outputs.frontend_url_scheme }}
+
+jobs:
+  generate-urls:
+    permissions:
+      contents: none
+    runs-on: ${{ inputs.runner }}
+
+    outputs:
+      backend_url: ${{ steps.set_urls.outputs.backend_url }}
+      frontend_url: ${{ steps.set_urls.outputs.frontend_url }}
+      backend_url_scheme: ${{ steps.set_urls.outputs.backend_url_scheme }}
+      frontend_url_scheme: ${{ steps.set_urls.outputs.frontend_url_scheme }}
+
+    steps:
+      - name: Generate URLs
+        id: set_urls
+        env:
+          BASE_DOMAIN: ${{ inputs.base_domain }}
+        run: |
+          set -euo pipefail
+          
+          if [ "${{ inputs.mode }}" = "prod" ]; then
+            BACKEND_URL="api.${BASE_DOMAIN}"
+            FRONTEND_URL="finance.${BASE_DOMAIN}"
+          else
+            # This is your current logic
+            FRONTEND_URL="pr-${{ inputs.pr_number }}.group-8-frontend.pages.dev"
+            BACKEND_URL="api-pr-${{ inputs.pr_number }}.${BASE_DOMAIN}"
+          fi
+
+          FRONTEND_URL_SCHEME="https://$FRONTEND_URL"
+          BACKEND_URL_SCHEME="https://$BACKEND_URL"
+          
+          # This part correctly writes to GITHUB_OUTPUT for the step
+          echo "backend_url_scheme=$BACKEND_URL_SCHEME" >> $GITHUB_OUTPUT
+          echo "frontend_url_scheme=$FRONTEND_URL_SCHEME" >> $GITHUB_OUTPUT
+          echo "backend_url=$BACKEND_URL" >> $GITHUB_OUTPUT
+          echo "frontend_url=$FRONTEND_URL" >> $GITHUB_OUTPUT
--- a/6design/design.md
+++ b/6design/design.md
@@ -45,11 +45,11 @@ flowchart LR
    proc_cron[Task planner] --> proc_queue
    proc_queue_worker --> ext_bank[(Bank API)]
    proc_queue_worker --> db
-    client[Client/UI] --> api[API Gateway / Web Server]
-    api --> svc[Web API]
+    client[Client/UI] <--> api[API Gateway / Web Server]
+    api <--> svc[Web API]
    svc --> proc_queue
-    svc --> db[(Database)]
-    svc --> cache[(Cache)]
+    svc <--> db[(Database)]
+    svc <--> cache[(Cache)]
 ```

 - Components and responsibilities: What does each box do?
--- a/7project/backend/Dockerfile
+++ b/7project/backend/Dockerfile
@@ -5,4 +5,4 @@ COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
 EXPOSE 8000
-CMD alembic upgrade head && uvicorn app.app:app --host 0.0.0.0 --port 8000
+CMD alembic upgrade head && uvicorn app.app:fastApi --host 0.0.0.0 --port 8000
--- a/7project/backend/alembic/versions/2025_10_10_1405-7af8f296d089_add_user_oauth.py
+++ b/7project/backend/alembic/versions/2025_10_10_1405-7af8f296d089_add_user_oauth.py
@@ -0,0 +1,48 @@
+"""add user oauth
+
+Revision ID: 7af8f296d089
+Revises: 390041bd839e
+Create Date: 2025-10-10 14:05:00.153376
+
+"""
+from typing import Sequence, Union
+
+import fastapi_users_db_sqlalchemy
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '7af8f296d089'
+down_revision: Union[str, Sequence[str], None] = '390041bd839e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('oauth_account',
+    sa.Column('id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('oauth_name', sa.String(length=100), nullable=False),
+    sa.Column('access_token', sa.String(length=1024), nullable=False),
+    sa.Column('expires_at', sa.Integer(), nullable=True),
+    sa.Column('refresh_token', sa.String(length=1024), nullable=True),
+    sa.Column('account_id', sa.String(length=320), nullable=False),
+    sa.Column('account_email', sa.String(length=320), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='cascade'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_oauth_account_account_id'), 'oauth_account', ['account_id'], unique=False)
+    op.create_index(op.f('ix_oauth_account_oauth_name'), 'oauth_account', ['oauth_name'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_oauth_account_oauth_name'), table_name='oauth_account')
+    op.drop_index(op.f('ix_oauth_account_account_id'), table_name='oauth_account')
+    op.drop_table('oauth_account')
+    # ### end Alembic commands ###
--- a/7project/backend/alembic/versions/2025_10_11_2107-5ab2e654c96e_change_token_lenght.py
+++ b/7project/backend/alembic/versions/2025_10_11_2107-5ab2e654c96e_change_token_lenght.py
@@ -0,0 +1,38 @@
+"""change token length
+
+Revision ID: 5ab2e654c96e
+Revises: 7af8f296d089
+Create Date: 2025-10-11 21:07:41.930470
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = '5ab2e654c96e'
+down_revision: Union[str, Sequence[str], None] = '7af8f296d089'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('oauth_account', 'access_token',
+               existing_type=mysql.VARCHAR(length=1024),
+               type_=sa.String(length=4096),
+               existing_nullable=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('oauth_account', 'access_token',
+               existing_type=sa.String(length=4096),
+               type_=mysql.VARCHAR(length=1024),
+               existing_nullable=False)
+    # ### end Alembic commands ###
--- a/7project/backend/app/api/auth.py
+++ b/7project/backend/app/api/auth.py
@@ -0,0 +1,49 @@
+from fastapi import APIRouter, Depends, status
+from fastapi_users import models
+from fastapi_users.manager import BaseUserManager
+
+from app.schemas.user import UserCreate, UserRead, UserUpdate
+from app.services.user_service import auth_backend, fastapi_users
+
+router = APIRouter()
+
+@router.delete(
+    "/users/me",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["users"],
+    summary="Delete current user",
+    response_description="The user has been successfully deleted.",
+)
+async def delete_me(
+    user: models.UserProtocol = Depends(fastapi_users.current_user(active=True)),
+    user_manager: BaseUserManager = Depends(fastapi_users.get_user_manager),
+):
+    """
+    Delete the currently authenticated user.
+    """
+    await user_manager.delete(user)
+
+# Keep existing paths as-is under /auth/* and /users/*
+router.include_router(
+    fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
+)
+router.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_reset_password_router(),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_verify_router(UserRead),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_users_router(UserRead, UserUpdate),
+    prefix="/users",
+    tags=["users"],
+)
--- a/7project/backend/app/api/categories.py
+++ b/7project/backend/app/api/categories.py
@@ -0,0 +1,77 @@
+from typing import List
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, delete
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.categories import Category
+from app.schemas.category import CategoryCreate, CategoryRead
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/categories", tags=["categories"])
+
+
+@router.post("/create", response_model=CategoryRead, status_code=status.HTTP_201_CREATED)
+async def create_category(
+    payload: CategoryCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Enforce per-user unique name via query to provide 409 feedback
+    res = await session.execute(
+        select(Category).where(Category.user_id == user.id, Category.name == payload.name)
+    )
+    existing = res.scalar_one_or_none()
+    if existing:
+        raise HTTPException(status_code=409, detail="Category with this name already exists")
+
+    category = Category(name=payload.name, description=payload.description, user_id=user.id)
+    session.add(category)
+    await session.commit()
+    await session.refresh(category)
+    return category
+
+
+@router.get("/", response_model=List[CategoryRead])
+async def list_categories(
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(select(Category).where(Category.user_id == user.id))
+    return list(res.scalars())
+
+
+@router.get("/{category_id}", response_model=CategoryRead)
+async def get_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    category = res.scalar_one_or_none()
+    if not category:
+        raise HTTPException(status_code=404, detail="Category not found")
+    return category
+
+
+@router.delete("/{category_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category.id).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    if res.scalar_one_or_none() is None:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.execute(
+        delete(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    await session.commit()
+    return None
--- a/7project/backend/app/api/transactions.py
+++ b/7project/backend/app/api/transactions.py
@@ -0,0 +1,219 @@
+from typing import List, Optional
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.transaction import Transaction
+from app.models.categories import Category
+from app.schemas.transaction import (
+    TransactionCreate,
+    TransactionRead,
+    TransactionUpdate,
+)
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/transactions", tags=["transactions"])
+
+
+def _to_read_model(tx: Transaction) -> TransactionRead:
+    return TransactionRead(
+        id=tx.id,
+        amount=tx.amount,
+        description=tx.description,
+        category_ids=[c.id for c in (tx.categories or [])],
+    )
+
+
+@router.post("/create", response_model=TransactionRead, status_code=status.HTTP_201_CREATED)
+async def create_transaction(
+    payload: TransactionCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    tx = Transaction(amount=payload.amount, description=payload.description, user_id=user.id)
+
+    # Attach categories if provided (and owned by user)
+    if payload.category_ids:
+        res = await session.execute(
+            select(Category).where(
+                Category.user_id == user.id, Category.id.in_(payload.category_ids)
+            )
+        )
+        categories = list(res.scalars())
+        if len(categories) != len(set(payload.category_ids)):
+            raise HTTPException(
+                status_code=400,
+                detail="Duplicate category IDs provided or one or more categories not found"
+            )
+        tx.categories = categories
+
+    session.add(tx)
+    await session.commit()
+    await session.refresh(tx)
+    # Ensure categories are loaded
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.get("/", response_model=List[TransactionRead])
+async def list_transactions(
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(Transaction.user_id == user.id).order_by(Transaction.id)
+    )
+    txs = list(res.scalars())
+    # Eagerly load categories for each transaction
+    for tx in txs:
+        await session.refresh(tx, attribute_names=["categories"])
+    return [_to_read_model(tx) for tx in txs]
+
+
+@router.get("/{transaction_id}", response_model=TransactionRead)
+async def get_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.patch("/{transaction_id}/edit", response_model=TransactionRead)
+async def update_transaction(
+    transaction_id: int,
+    payload: TransactionUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    if payload.amount is not None:
+        tx.amount = payload.amount
+    if payload.description is not None:
+        tx.description = payload.description
+
+    if payload.category_ids is not None:
+        # Preload categories to avoid async lazy-load during assignment
+        await session.refresh(tx, attribute_names=["categories"])
+        if payload.category_ids:
+            # Check for duplicate category IDs in the payload
+            if len(payload.category_ids) != len(set(payload.category_ids)):
+                raise HTTPException(status_code=400, detail="Duplicate category IDs in payload")
+            res = await session.execute(
+                select(Category).where(
+                    Category.user_id == user.id, Category.id.in_(payload.category_ids)
+                )
+            )
+            categories = list(res.scalars())
+            if len(categories) != len(payload.category_ids):
+                raise HTTPException(status_code=400, detail="One or more categories not found")
+            tx.categories = categories
+        else:
+            tx.categories = []
+
+    await session.commit()
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/delete", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    await session.delete(tx)
+    await session.commit()
+    return None
+
+
+@router.post("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def assign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Load transaction and category ensuring ownership
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat not in tx.categories:
+        tx.categories.append(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def unassign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat in tx.categories:
+        tx.categories.remove(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
--- a/7project/backend/app/app.py
+++ b/7project/backend/app/app.py
@@ -1,56 +1,102 @@
+import logging
+import os
+from datetime import datetime
+
 from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
+from starlette.requests import Request

 from app.models.user import User

-from app.schemas.user import UserCreate, UserRead, UserUpdate
-from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users
+from app.services.user_service import current_active_verified_user
+from app.api.auth import router as auth_router
+from app.api.categories import router as categories_router
+from app.api.transactions import router as transactions_router
+from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider
+
+
+from fastapi import FastAPI
+import sentry_sdk
+
+sentry_sdk.init(
+    dsn=os.getenv("SENTRY_DSN"),
+    send_default_pii=True,
+)

 app = FastAPI()
+fastApi = FastAPI()

 # CORS for frontend dev server
-app.add_middleware(
+fastApi.add_middleware(
    CORSMiddleware,
    allow_origins=[
        "http://localhost:5173",
        "http://127.0.0.1:5173",
+        os.getenv("FRONTEND_DOMAIN_SCHEME", "")
    ],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
 )

-app.include_router(
-    fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
-)
-app.include_router(
-    fastapi_users.get_register_router(UserRead, UserCreate),
-    prefix="/auth",
+fastApi.include_router(auth_router)
+fastApi.include_router(categories_router)
+fastApi.include_router(transactions_router)
+
+logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s')
+@fastApi.middleware("http")
+async def log_traffic(request: Request, call_next):
+    start_time = datetime.now()
+    response = await call_next(request)
+    process_time = (datetime.now() - start_time).total_seconds()
+    client_host = request.client.host
+    log_params = {
+        "request_method": request.method,
+        "request_url": str(request.url),
+        "request_size": request.headers.get("content-length"),
+        "request_headers": dict(request.headers),
+        "response_status": response.status_code,
+        "response_size": response.headers.get("content-length"),
+        "response_headers": dict(response.headers),
+        "process_time": process_time,
+        "client_host": client_host
+    }
+    logging.info(str(log_params))
+    return response
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("MojeID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+    ),
+    prefix="/auth/mojeid",
    tags=["auth"],
 )
-app.include_router(
-    fastapi_users.get_reset_password_router(),
-    prefix="/auth",
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("BankID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+    ),
+    prefix="/auth/bankid",
    tags=["auth"],
 )
-app.include_router(
-    fastapi_users.get_verify_router(UserRead),
-    prefix="/auth",
-    tags=["auth"],
-)
-app.include_router(
-    fastapi_users.get_users_router(UserRead, UserUpdate),
-    prefix="/users",
-    tags=["users"],
-)


 # Liveness/root endpoint
-@app.get("/", include_in_schema=False)
+@fastApi.get("/", include_in_schema=False)
 async def root():
    return {"status": "ok"}


-@app.get("/authenticated-route")
+@fastApi.get("/authenticated-route")
 async def authenticated_route(user: User = Depends(current_active_verified_user)):
    return {"message": f"Hello {user.email}!"}
+
+@fastApi.get("/sentry-debug")
+async def trigger_error():
+    division_by_zero = 1 / 0
--- a/7project/backend/app/models/user.py
+++ b/7project/backend/app/models/user.py
@@ -1,13 +1,19 @@
 from sqlalchemy import Column, String
-from sqlalchemy.orm import relationship
-from fastapi_users.db import SQLAlchemyBaseUserTableUUID
+from sqlalchemy.orm import relationship, mapped_column, Mapped
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
 from app.core.base import Base


+class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
+    # BankID token is longer than default
+    access_token: Mapped[str] = mapped_column(String(length=4096), nullable=False)
+
+
 class User(SQLAlchemyBaseUserTableUUID, Base):
    first_name = Column(String(length=100), nullable=True)
    last_name = Column(String(length=100), nullable=True)
+    oauth_accounts = relationship("OAuthAccount", lazy="joined")

    # Relationship
    transactions = relationship("Transaction", back_populates="user")
-    categories = relationship("Category", back_populates="user")
+    categories = relationship("Category", back_populates="user")
--- a/7project/backend/app/oauth/init.py
+++ b/7project/backend/app/oauth/init.py
--- a/7project/backend/app/oauth/bank_id.py
+++ b/7project/backend/app/oauth/bank_id.py
@@ -0,0 +1,50 @@
+import secrets
+from typing import Optional, Literal
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class BankID(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://oidc.sandbox.bankid.cz/.well-known/openid-configuration",
+            "BankID",
+            base_scopes=["openid", "profile.email", "profile.name"],
+        )
+
+    async def get_user_info(self, token: str) -> dict:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        if extras_params is None:
+            extras_params = {}
+
+        # BankID requires random nonce parameter for security
+        # https://developer.bankid.cz/docs/security_sep
+        extras_params["nonce"] = secrets.token_urlsafe()
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )
--- a/7project/backend/app/oauth/custom_openid.py
+++ b/7project/backend/app/oauth/custom_openid.py
@@ -0,0 +1,6 @@
+from httpx_oauth.clients.openid import OpenID
+
+
+class CustomOpenID(OpenID):
+    async def get_user_info(self, token: str) -> dict:
+        raise NotImplementedError()
--- a/7project/backend/app/oauth/moje_id.py
+++ b/7project/backend/app/oauth/moje_id.py
@@ -0,0 +1,56 @@
+import json
+from typing import Optional, Literal, Any
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class MojeIDOAuth(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://mojeid.regtest.nic.cz/.well-known/openid-configuration/",
+            "MojeID",
+            base_scopes=["openid", "email", "profile"],
+        )
+
+    async def get_user_info(self, token: str) -> Optional[Any]:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        required_fields = {
+            'id_token': {
+                'name': {'essential': True},
+                'given_name': {'essential': True},
+                'family_name': {'essential': True},
+                'email': {'essential': True},
+                'mojeid_valid': {'essential': True},
+            }}
+
+        if extras_params is None:
+            extras_params = {}
+        extras_params["claims"] = json.dumps(required_fields)
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )
--- a/7project/backend/app/schemas/category.py
+++ b/7project/backend/app/schemas/category.py
@@ -0,0 +1,16 @@
+from typing import Optional
+from pydantic import BaseModel, ConfigDict
+
+
+class CategoryBase(BaseModel):
+    name: str
+    description: Optional[str] = None
+
+
+class CategoryCreate(CategoryBase):
+    pass
+
+
+class CategoryRead(CategoryBase):
+    id: int
+    model_config = ConfigDict(from_attributes=True)
--- a/7project/backend/app/schemas/transaction.py
+++ b/7project/backend/app/schemas/transaction.py
@@ -0,0 +1,21 @@
+from typing import List, Optional
+from pydantic import BaseModel, Field, ConfigDict
+
+
+class TransactionBase(BaseModel):
+    amount: float = Field(..., gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+
+class TransactionCreate(TransactionBase):
+    category_ids: Optional[List[int]] = None
+
+class TransactionUpdate(BaseModel):
+    amount: Optional[float] = Field(None, gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+    category_ids: Optional[List[int]] = None
+
+class TransactionRead(TransactionBase):
+    id: int
+    category_ids: List[int] = []
+
+    model_config = ConfigDict(from_attributes=True)
--- a/7project/backend/app/schemas/user.py
+++ b/7project/backend/app/schemas/user.py
@@ -4,13 +4,13 @@ from fastapi_users import schemas

 class UserRead(schemas.BaseUser[uuid.UUID]):
    first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None

 class UserCreate(schemas.BaseUserCreate):
    first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None

 class UserUpdate(schemas.BaseUserUpdate):
    first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None

--- a/7project/backend/app/services/db.py
+++ b/7project/backend/app/services/db.py
@@ -4,11 +4,13 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from fastapi_users.db import SQLAlchemyUserDatabase

 from ..core.db import async_session_maker
-from ..models.user import User
+from ..models.user import User, OAuthAccount
+

 async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
    async with async_session_maker() as session:
        yield session

+
 async def get_user_db(session: AsyncSession = Depends(get_async_session)):
-    yield SQLAlchemyUserDatabase(session, User)
+    yield SQLAlchemyUserDatabase(session, User, OAuthAccount)
--- a/7project/backend/app/services/user_service.py
+++ b/7project/backend/app/services/user_service.py
@@ -3,26 +3,66 @@ import uuid
 from typing import Optional

 from fastapi import Depends, Request
-from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin
+from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin, models
 from fastapi_users.authentication import (
    AuthenticationBackend,
    BearerTransport,
 )
 from fastapi_users.authentication.strategy.jwt import JWTStrategy
 from fastapi_users.db import SQLAlchemyUserDatabase
+from httpx_oauth.oauth2 import BaseOAuth2

 from app.models.user import User
+from app.oauth.bank_id import BankID
+from app.oauth.custom_openid import CustomOpenID
+from app.oauth.moje_id import MojeIDOAuth
 from app.services.db import get_user_db
 from app.core.queue import enqueue_email

 SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
+
 FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
 BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")

+providers = {
+    "MojeID": MojeIDOAuth(
+        os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+    "BankID": BankID(
+        os.getenv("BANKID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("BANKID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    )
+}
+
+
+def get_oauth_provider(name: str) -> Optional[BaseOAuth2]:
+    if name not in providers:
+        return None
+    return providers[name]
+
+
 class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
    reset_password_token_secret = SECRET
    verification_token_secret = SECRET

+    async def oauth_callback(self: "BaseUserManager[models.UOAP, models.ID]", oauth_name: str, access_token: str,
+                             account_id: str, account_email: str, expires_at: Optional[int] = None,
+                             refresh_token: Optional[str] = None, request: Optional[Request] = None, *,
+                             associate_by_email: bool = False, is_verified_by_default: bool = False) -> models.UOAP:
+
+        user = await super().oauth_callback(oauth_name, access_token, account_id, account_email, expires_at,
+                                            refresh_token, request, associate_by_email=associate_by_email,
+                                            is_verified_by_default=is_verified_by_default)
+
+        # set additional user info from the OAuth provider
+        provider = get_oauth_provider(oauth_name)
+        if provider is not None and isinstance(provider, CustomOpenID):
+            update_dict = await provider.get_user_info(access_token)
+            await self.user_db.update(user, update_dict)
+
+        return user
+
    async def on_after_register(self, user: User, request: Optional[Request] = None):
        await self.request_verify(user, request)

@@ -52,14 +92,18 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
            print("[Email Fallback] Subject:", subject)
            print("[Email Fallback] Body:\n", body)

+
 async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
    yield UserManager(user_db)

+
 bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")

+
 def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)

+
 auth_backend = AuthenticationBackend(
    name="jwt",
    transport=bearer_transport,
@@ -70,4 +114,3 @@ fastapi_users = FastAPIUsers[User, uuid.UUID](get_user_manager, [auth_backend])

 current_active_user = fastapi_users.current_user(active=True)
 current_active_verified_user = fastapi_users.current_user(active=True, verified=True)
-
--- a/7project/backend/requirements.txt
+++ b/7project/backend/requirements.txt
@@ -11,6 +11,7 @@ asyncmy==0.2.9
 bcrypt==4.3.0
 billiard==4.2.2
 celery==5.5.3
+certifi==2025.10.5
 cffi==2.0.0
 click==8.1.8
 click-didyoumean==0.3.1
@@ -25,7 +26,10 @@ fastapi-users==14.0.1
 fastapi-users-db-sqlalchemy==7.0.0
 greenlet==3.2.4
 h11==0.16.0
+httpcore==1.0.9
 httptools==0.6.4
+httpx==0.28.1
+httpx-oauth==0.16.1
 idna==3.10
 kombu==5.5.4
 makefun==1.16.0
@@ -46,6 +50,7 @@ python-dateutil==2.9.0.post0
 python-dotenv==1.1.1
 python-multipart==0.0.20
 PyYAML==6.0.2
+sentry-sdk==2.42.0
 six==1.17.0
 sniffio==1.3.1
 SQLAlchemy==2.0.43
@@ -54,6 +59,7 @@ tomli==2.2.1
 typing-inspection==0.4.1
 typing_extensions==4.15.0
 tzdata==2025.2
+urllib3==2.5.0
 uvicorn==0.37.0
 uvloop==0.21.0
 vine==5.1.0
--- a/7project/charts/myapp-chart/templates/NOTES.txt
+++ b/7project/charts/myapp-chart/templates/NOTES.txt
@@ -1,54 +0,0 @@
-Thank you for installing myapp-chart.
-
-This chart packages all Kubernetes manifests from the original deployment directory and parameterizes environment, database name (with optional PR suffix), image, and domain for external access.
-
-Namespaces per developer (important):
- Install each developer's environment into their own namespace using Helm's -n/--namespace flag.
- No hardcoded namespace is used in templates; resources are created in .Release.Namespace.
- Example namespaces: dev-alice, dev-bob, pr-123, etc.
-
-Key values:
- deployment -> used as Database CR name and DB username (MARIADB_DB and MARIADB_USER)
- image.repository/tag or image.digest -> container image
- domain -> public FQDN used by TunnelBinding (required to expose app)
- app/worker names, replicas, ports
-
-Examples:
- Dev install (Alice):
-  helm upgrade --install myapp ./7project/charts/myapp-chart \
-    -n dev-alice --create-namespace \
-    -f values-dev.yaml \
-    --set domain=alice.demo.example.com \
-    --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
-    --set-string database.password="$DB_PASSWORD"
-
- Dev install (Bob):
-  helm upgrade --install myapp ./7project/charts/myapp-chart \
-    -n dev-bob --create-namespace \
-    -f values-dev.yaml \
-    --set domain=bob.demo.example.com
-
- Prod install (different cleanupPolicy):
-  helm upgrade --install myapp ./7project/charts/myapp-chart \
-    -n prod --create-namespace \
-    -f values-prod.yaml \
-    --set domain=app.example.com
-
- PR (preview) install with DB name containing PR number (also its own namespace):
-  PR=123
-  helm upgrade --install myapp-pr-$PR ./7project/charts/myapp-chart \
-    -n pr-$PR --create-namespace \
-    -f values-dev.yaml \
-    --set prNumber=$PR \
-    --set deployment=preview-$PR \
-    --set domain=pr-$PR.example.com
-
- Use a custom deployment identifier to suffix DB name, DB username and Secret name:
-  helm upgrade --install myapp ./7project/charts/myapp-chart \
-    -n dev-alice --create-namespace \
-    -f values-dev.yaml \
-    --set deployment=alice \
-    --set domain=alice.demo.example.com
-
-Render locally (dry run):
-  helm template ./7project/charts/myapp-chart -f values-dev.yaml --set prNumber=456 --set deployment=test --set domain=demo.example.com --namespace dev-test | sed -n '/kind: Database/,$p' | head -n 30
--- a/7project/charts/myapp-chart/templates/app-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/app-deployment.yaml
@@ -20,7 +20,7 @@ spec:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
-              drop: ["ALL"]
+              drop: [ "ALL" ]
          ports:
            - containerPort: {{ .Values.app.port }}
          env:
@@ -29,21 +29,27 @@ spec:
            - name: MARIADB_PORT
              value: '3306'
            - name: MARIADB_DB
-              value: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_DB
            - name: MARIADB_USER
-              value: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_USER
            - name: MARIADB_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ required "Set .Values.database.secretName" .Values.database.secretName }}
-                  key: password
+                  name: prod
+                  key: MARIADB_PASSWORD
            - name: RABBITMQ_USERNAME
              value: {{ .Values.rabbitmq.username | quote }}
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}
-                  key: password
+                  name: prod
+                  key: RABBITMQ_PASSWORD
            - name: RABBITMQ_HOST
              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
            - name: RABBITMQ_PORT
@@ -52,6 +58,39 @@ spec:
              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
            - name: MAIL_QUEUE
              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
+            - name: MOJEID_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MOJEID_CLIENT_ID
+            - name: MOJEID_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MOJEID_CLIENT_SECRET
+            - name: BANKID_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: BANKID_CLIENT_ID
+            - name: BANKID_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: BANKID_CLIENT_SECRET
+            - name: DOMAIN
+              value: {{ required "Set .Values.domain" .Values.domain | quote }}
+            - name: DOMAIN_SCHEME
+              value: {{ required "Set .Values.domain_scheme" .Values.domain_scheme | quote }}
+            - name: FRONTEND_DOMAIN
+              value: {{ required "Set .Values.frontend_domain" .Values.frontend_domain | quote }}
+            - name: FRONTEND_DOMAIN_SCHEME
+              value: {{ required "Set .Values.frontend_domain_scheme" .Values.frontend_domain_scheme | quote }}
+            - name: SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: SENTRY_DSN
          livenessProbe:
            httpGet:
              path: /
--- a/7project/charts/myapp-chart/templates/prod.yaml
+++ b/7project/charts/myapp-chart/templates/prod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod
+type: Opaque
+stringData:
+  MOJEID_CLIENT_ID: {{ .Values.oauth.mojeid.clientId | quote }}
+  MOJEID_CLIENT_SECRET: {{ .Values.oauth.mojeid.clientSecret | quote }}
+  BANKID_CLIENT_ID: {{ .Values.oauth.bankid.clientId | quote }}
+  BANKID_CLIENT_SECRET: {{ .Values.oauth.bankid.clientSecret | quote }}
+  # Database credentials
+  MARIADB_DB: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  MARIADB_USER: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  MARIADB_PASSWORD: {{ .Values.database.password | default "" | quote }}
+  # RabbitMQ credentials
+  RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }}
+  RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }}
+  SENTRY_DSN: {{ .Values.sentry_dsn | quote }}
--- a/7project/charts/myapp-chart/templates/worker-deployment.yaml
+++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml
@@ -31,13 +31,32 @@ spec:
            - --loglevel
            - INFO
          env:
+            - name: MARIADB_HOST
+              value: "mariadb-repl-maxscale-internal.mariadb-operator.svc.cluster.local"
+            - name: MARIADB_PORT
+              value: '3306'
+            - name: MARIADB_DB
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_DB
+            - name: MARIADB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_USER
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_PASSWORD
            - name: RABBITMQ_USERNAME
              value: {{ .Values.rabbitmq.username | quote }}
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}
-                  key: password
+                  name: prod
+                  key: RABBITMQ_PASSWORD
            - name: RABBITMQ_HOST
              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
            - name: RABBITMQ_PORT
@@ -46,3 +65,8 @@ spec:
              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
            - name: MAIL_QUEUE
              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
+            - name: SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: SENTRY_DSN
--- a/7project/charts/myapp-chart/values.yaml
+++ b/7project/charts/myapp-chart/values.yaml
@@ -11,6 +11,12 @@ deployment: ""
 # Public domain to expose the app under (used by TunnelBinding fqdn)
 # Set at install time: --set domain=example.com
 domain: ""
+domain_scheme: ""
+
+frontend_domain: ""
+frontend_domain_scheme: ""
+
+sentry_dsn: ""

 image:
  repository: lukastrkan/cc-app-demo
@@ -33,6 +39,14 @@ worker:
 service:
  port: 80

+oauth:
+  bankid:
+    clientId: ""
+    clientSecret: ""
+  mojeid:
+    clientId: ""
+    clientSecret: ""
+
 rabbitmq:
  create: true
  replicas: 1
--- a/7project/deployment/app-demo-database-grant.yaml
+++ b/7project/deployment/app-demo-database-grant.yaml
@@ -1,20 +0,0 @@
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: grant
-spec:
-  mariaDbRef:
-    name: mariadb-repl
-    namespace: mariadb-operator
-  privileges:
-    - "ALL PRIVILEGES"
-  database: "app-demo-database"
-  table: "*"
-  username: "app-demo-user"
-  grantOption: true
-  host: "%"
-  # Delete the resource in the database whenever the CR gets deleted.
-  # Alternatively, you can specify Skip in order to omit deletion.
-  cleanupPolicy: Skip
-  requeueInterval: 10h
-  retryInterval: 30s
--- a/7project/deployment/app-demo-database-secret.yaml
+++ b/7project/deployment/app-demo-database-secret.yaml
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: app-demo-database-secret
-type: kubernetes.io/basic-auth
-stringData:
-  password: "strongpassword"
--- a/7project/deployment/app-demo-database-user.yaml
+++ b/7project/deployment/app-demo-database-user.yaml
@@ -1,20 +0,0 @@
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: User
-metadata:
-  name: app-demo-user
-spec:
-  # If you want the user to be created with a different name than the resource name
-  # name: user-custom
-  mariaDbRef:
-    name: mariadb-repl
-    namespace: mariadb-operator
-  passwordSecretKeyRef:
-    name: app-demo-database-secret
-    key: password
-  maxUserConnections: 20
-  host: "%"
-  # Delete the resource in the database whenever the CR gets deleted.
-  # Alternatively, you can specify Skip in order to omit deletion.
-  cleanupPolicy: Skip
-  requeueInterval: 10h
-  retryInterval: 30s
--- a/7project/deployment/app-demo-database.yaml
+++ b/7project/deployment/app-demo-database.yaml
@@ -1,15 +0,0 @@
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Database
-metadata:
-  name: app-demo-database
-spec:
-  mariaDbRef:
-    name: mariadb-repl
-    namespace: mariadb-operator
-  characterSet: utf8
-  collate: utf8_general_ci
-  # Delete the resource in the database whenever the CR gets deleted.
-  # Alternatively, you can specify Skip in order to omit deletion.
-  cleanupPolicy: Skip
-  requeueInterval: 10h
-  retryInterval: 30s
--- a/7project/deployment/app-demo-deployment.yaml
+++ b/7project/deployment/app-demo-deployment.yaml
@@ -1,48 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app-demo
-spec:
-  replicas: 3
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      app: app-demo
-  template:
-    metadata:
-      labels:
-        app: app-demo
-    spec:
-      containers:
-        - image: lukastrkan/cc-app-demo@sha256:75634b4d97282b6b8424fe17767c81adf44af5f7359c1d25883073b5629b3e05
-          name: app-demo
-          ports:
-            - containerPort: 8000
-          env:
-            - name: MARIADB_HOST
-              value: mariadb-repl.mariadb-operator.svc.cluster.local
-            - name: MARIADB_PORT
-              value: '3306'
-            - name: MARIADB_DB
-              value: app-demo-database
-            - name: MARIADB_USER
-              value: app-demo-user
-            - name: MARIADB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: app-demo-database-secret
-                  key: password
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 8000
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 8000
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            failureThreshold: 3
--- a/7project/deployment/app-demo-svc.yaml
+++ b/7project/deployment/app-demo-svc.yaml
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: app-demo
-spec:
-  ports:
-  - port: 80
-    targetPort: 8000
-  selector:
-    app: app-demo
--- a/7project/deployment/app-demo-worker-deployment.yaml
+++ b/7project/deployment/app-demo-worker-deployment.yaml
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app-demo-worker
-spec:
-  replicas: 3
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      app: app-demo-worker
-  template:
-    metadata:
-      labels:
-        app: app-demo-worker
-    spec:
-      containers:
-        - image: lukastrkan/cc-app-demo@sha256:75634b4d97282b6b8424fe17767c81adf44af5f7359c1d25883073b5629b3e05
-          name: app-demo-worker
-          command:
-            - celery
-            - -A
-            - app.celery_app
-            - worker
-            - -Q
-            - $(MAIL_QUEUE)
-            - --loglevel
-            - INFO
-          env:
-            - name: RABBITMQ_USERNAME
-              value: demo-app
-            - name: RABBITMQ_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: demo-app-user-credentials
-                  key: password
-            - name: RABBITMQ_HOST
-              value: rabbitmq.rabbitmq.svc.cluster.local
-            - name: RABBITMQ_PORT
-              value: '5672'
-            - name: RABBITMQ_VHOST
-              value: "/"
--- a/7project/deployment/tunnel.yaml
+++ b/7project/deployment/tunnel.yaml
@@ -1,14 +0,0 @@
-apiVersion: networking.cfargotunnel.com/v1alpha1
-kind: TunnelBinding
-metadata:
-  name: guestbook-tunnel-binding
-  namespace: group-project
-subjects:
-  - name: app-server
-    spec:
-      target: http://app-demo.group-project.svc.cluster.local
-      fqdn: demo.ltrk.cz
-      noTlsVerify: true
-tunnelRef:
-  kind: ClusterTunnel
-  name: cluster-tunnel
--- a/7project/frontend/src/App.css
+++ b/7project/frontend/src/App.css
@@ -1,42 +1 @@
-#root {
-  max-width: 1280px;
-  margin: 0 auto;
-  padding: 2rem;
-  text-align: center;
-}
-
-.logo {
-  height: 6em;
-  padding: 1.5em;
-  will-change: filter;
-  transition: filter 300ms;
-}
-.logo:hover {
-  filter: drop-shadow(0 0 2em #646cffaa);
-}
-.logo.react:hover {
-  filter: drop-shadow(0 0 2em #61dafbaa);
-}
-
-@keyframes logo-spin {
-  from {
-    transform: rotate(0deg);
-  }
-  to {
-    transform: rotate(360deg);
-  }
-}
-
-@media (prefers-reduced-motion: no-preference) {
-  a:nth-of-type(2) .logo {
-    animation: logo-spin infinite 20s linear;
-  }
-}
-
-.card {
-  padding: 2em;
-}
-
-.read-the-docs {
-  color: #888;
-}
+/* App-level styles moved to ui.css for a cleaner layout. */
--- a/7project/frontend/src/App.tsx
+++ b/7project/frontend/src/App.tsx
@@ -1,39 +1,39 @@
-import { useState } from 'react'
-import reactLogo from './assets/react.svg'
-import viteLogo from '/vite.svg'
-import './App.css'
-import { BACKEND_URL } from './config'
+import { useEffect, useState } from 'react';
+import './App.css';
+import LoginRegisterPage from './pages/LoginRegisterPage';
+import Dashboard from './pages/Dashboard';
+import { logout } from './api';

 function App() {
-  const [count, setCount] = useState(0)
+  const [hasToken, setHasToken] = useState<boolean>(!!localStorage.getItem('token'));
+
+  useEffect(() => {
+    // Handle OAuth callback: /oauth-callback?access_token=...&token_type=...
+    if (window.location.pathname === '/oauth-callback') {
+      const params = new URLSearchParams(window.location.search);
+      const token = params.get('access_token');
+      if (token) {
+        localStorage.setItem('token', token);
+        setHasToken(true);
+      }
+      // Clean URL and redirect to home
+      window.history.replaceState({}, '', '/');
+    }
+
+    const onStorage = (e: StorageEvent) => {
+      if (e.key === 'token') setHasToken(!!e.newValue);
+    };
+    window.addEventListener('storage', onStorage);
+    return () => window.removeEventListener('storage', onStorage);
+  }, []);
+
+  if (!hasToken) {
+    return <LoginRegisterPage onLoggedIn={() => setHasToken(true)} />;
+  }

  return (
-    <>
-      <div>
-        <a href="https://vite.dev" target="_blank">
-          <img src={viteLogo} className="logo" alt="Vite logo" />
-        </a>
-        <a href="https://react.dev" target="_blank">
-          <img src={reactLogo} className="logo react" alt="React logo" />
-        </a>
-      </div>
-      <h1>Vite + React</h1>
-      <div className="card">
-        <button onClick={() => setCount((count) => count + 1)}>
-          count is {count}
-        </button>
-        <p>
-          Edit <code>src/App.tsx</code> and save to test HMR
-        </p>
-        <p style={{ fontSize: 12, color: '#888' }}>
-          Backend URL: <code>{BACKEND_URL || '(not configured)'}</code>
-        </p>
-      </div>
-      <p className="read-the-docs">
-        Click on the Vite and React logos to learn more
-      </p>
-    </>
-  )
+    <Dashboard onLogout={() => { logout(); setHasToken(false); }} />
+  );
 }

-export default App
+export default App;
--- a/7project/frontend/src/api.ts
+++ b/7project/frontend/src/api.ts
@@ -0,0 +1,155 @@
+import { BACKEND_URL } from './config';
+
+export type LoginResponse = {
+  access_token: string;
+  token_type: string;
+};
+
+export type Category = {
+  id: number;
+  name: string;
+  description?: string | null;
+};
+
+export type Transaction = {
+  id: number;
+  amount: number;
+  description?: string | null;
+  category_ids: number[];
+};
+
+function getBaseUrl() {
+  const base = BACKEND_URL?.replace(/\/$/, '') || '';
+  return base || '';
+}
+
+function getHeaders(contentType: 'json' | 'form' | 'none' = 'json'): Record<string, string> {
+  const token = localStorage.getItem('token');
+  const headers: Record<string, string> = {};
+
+  if (contentType === 'json') {
+    headers['Content-Type'] = 'application/json';
+  } else if (contentType === 'form') {
+    headers['Content-Type'] = 'application/x-www-form-urlencoded';
+  }
+
+  if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  return headers;
+}
+
+export async function login(email: string, password: string): Promise<void> {
+  const body = new URLSearchParams();
+  body.set('username', email);
+  body.set('password', password);
+
+  const res = await fetch(`${getBaseUrl()}/auth/jwt/login`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: body.toString(),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Login failed');
+  }
+  const data: LoginResponse = await res.json();
+  localStorage.setItem('token', data.access_token);
+}
+
+export async function register(email: string, password: string, first_name?: string, last_name?: string): Promise<void> {
+  const res = await fetch(`${getBaseUrl()}/auth/register`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password, first_name, last_name }),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Registration failed');
+  }
+}
+
+export async function getCategories(): Promise<Category[]> {
+  const res = await fetch(`${getBaseUrl()}/categories/`, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load categories');
+  return res.json();
+}
+
+export type CreateTransactionInput = {
+  amount: number;
+  description?: string;
+  category_ids?: number[];
+};
+
+export async function createTransaction(input: CreateTransactionInput): Promise<Transaction> {
+  const res = await fetch(`${getBaseUrl()}/transactions/create`, {
+    method: 'POST',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to create transaction');
+  }
+  return res.json();
+}
+
+export async function getTransactions(): Promise<Transaction[]> {
+    const res = await fetch(`${getBaseUrl()}/transactions/`, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load transactions');
+  return res.json();
+}
+
+export type User = {
+  id: string;
+  email: string;
+  first_name?: string | null;
+  last_name?: string | null;
+  is_active: boolean;
+  is_superuser: boolean;
+  is_verified: boolean;
+};
+
+export async function getMe(): Promise<User> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load user');
+  return res.json();
+}
+
+export type UpdateMeInput = Partial<Pick<User, 'first_name' | 'last_name'>> & { password?: string };
+export async function updateMe(input: UpdateMeInput): Promise<User> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    method: 'PATCH',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to update user');
+  }
+  return res.json();
+}
+
+export async function deleteMe(): Promise<void> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    method: 'DELETE',
+    headers: getHeaders(),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to delete account');
+  }
+}
+
+export function logout() {
+  localStorage.removeItem('token');
+}
--- a/7project/frontend/src/appearance.ts
+++ b/7project/frontend/src/appearance.ts
@@ -0,0 +1,38 @@
+export type Theme = 'system' | 'light' | 'dark';
+export type FontSize = 'small' | 'medium' | 'large';
+
+const THEME_KEY = 'app_theme';
+const FONT_KEY = 'app_font_size';
+
+export function applyTheme(theme: Theme) {
+  const body = document.body;
+  const effective = theme === 'system' ? (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light') : theme;
+  body.setAttribute('data-theme', effective);
+}
+
+export function applyFontSize(size: FontSize) {
+  const root = document.documentElement;
+  const map: Record<FontSize, string> = {
+    small: '14px',
+    medium: '16px',
+    large: '18px',
+  };
+  root.style.fontSize = map[size];
+}
+
+export function saveAppearance(theme: Theme, size: FontSize) {
+  localStorage.setItem(THEME_KEY, theme);
+  localStorage.setItem(FONT_KEY, size);
+}
+
+export function loadAppearance(): { theme: Theme; size: FontSize } {
+  const theme = (localStorage.getItem(THEME_KEY) as Theme) || 'light';
+  const size = (localStorage.getItem(FONT_KEY) as FontSize) || 'medium';
+  return { theme, size };
+}
+
+export function applyAppearanceFromStorage() {
+  const { theme, size } = loadAppearance();
+  applyTheme(theme);
+  applyFontSize(size);
+}
--- a/7project/frontend/src/main.tsx
+++ b/7project/frontend/src/main.tsx
@@ -1,7 +1,11 @@
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import './index.css'
+import './ui.css'
 import App from './App.tsx'
+import { applyAppearanceFromStorage } from './appearance'
+
+applyAppearanceFromStorage()

 createRoot(document.getElementById('root')!).render(
  <StrictMode>
--- a/7project/frontend/src/pages/AccountPage.tsx
+++ b/7project/frontend/src/pages/AccountPage.tsx
@@ -0,0 +1,87 @@
+import { useEffect, useState } from 'react';
+import { deleteMe, getMe, type UpdateMeInput, type User, updateMe } from '../api';
+
+export default function AccountPage({ onDeleted }: { onDeleted: () => void }) {
+  const [user, setUser] = useState<User | null>(null);
+  const [firstName, setFirstName] = useState('');
+  const [lastName, setLastName] = useState('');
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    (async () => {
+      try {
+        const u = await getMe();
+        setUser(u);
+        setFirstName(u.first_name || '');
+        setLastName(u.last_name || '');
+      } catch (e: any) {
+        setError(e?.message || 'Failed to load account');
+      } finally {
+        setLoading(false);
+      }
+    })();
+  }, []);
+
+  async function handleSave(e: React.FormEvent) {
+    e.preventDefault();
+    setSaving(true);
+    setError(null);
+    try {
+      const payload: UpdateMeInput = { first_name: firstName || null as any, last_name: lastName || null as any };
+      const updated = await updateMe(payload);
+      setUser(updated);
+    } catch (e: any) {
+      setError(e?.message || 'Failed to update');
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  async function handleDelete() {
+    if (!confirm('Are you sure you want to delete your account? This cannot be undone.')) return;
+    try {
+      await deleteMe();
+      onDeleted();
+    } catch (e: any) {
+      alert(e?.message || 'Failed to delete account');
+    }
+  }
+
+  return (
+    <section className="card">
+      <h3>Account</h3>
+      {loading ? (
+        <div>Loading…</div>
+      ) : error ? (
+        <div style={{ color: 'crimson' }}>{error}</div>
+      ) : !user ? (
+        <div>Not signed in</div>
+      ) : (
+        <div className="space-y">
+          <div className="muted">Email: <strong>{user.email}</strong></div>
+          <form onSubmit={handleSave} className="space-y">
+            <div className="form-row">
+              <div>
+                <label className="muted">First name</label>
+                <input className="input" value={firstName} onChange={(e) => setFirstName(e.target.value)} />
+              </div>
+              <div>
+                <label className="muted">Last name</label>
+                <input className="input" value={lastName} onChange={(e) => setLastName(e.target.value)} />
+              </div>
+            </div>
+            <div className="actions" style={{ justifyContent: 'flex-end' }}>
+              <button className="btn primary" type="submit" disabled={saving}>{saving ? 'Saving…' : 'Save changes'}</button>
+            </div>
+          </form>
+          <div className="actions" style={{ justifyContent: 'space-between' }}>
+            <div className="muted"></div>
+            <button className="btn" style={{ borderColor: 'crimson', color: 'crimson' }} onClick={handleDelete}>Delete account</button>
+          </div>
+        </div>
+      )}
+    </section>
+  );
+}
--- a/7project/frontend/src/pages/AppearancePage.tsx
+++ b/7project/frontend/src/pages/AppearancePage.tsx
@@ -0,0 +1,49 @@
+import { useEffect, useState } from 'react';
+import { applyFontSize, applyTheme, loadAppearance, saveAppearance, type FontSize, type Theme } from '../appearance';
+
+export default function AppearancePage() {
+  const [theme, setTheme] = useState<Theme>('light');
+  const [size, setSize] = useState<FontSize>('medium');
+
+  useEffect(() => {
+    const { theme, size } = loadAppearance();
+    setTheme(theme);
+    setSize(size);
+  }, []);
+
+  function onThemeChange(next: Theme) {
+    setTheme(next);
+    applyTheme(next);
+    saveAppearance(next, size);
+  }
+
+  function onSizeChange(next: FontSize) {
+    setSize(next);
+    applyFontSize(next);
+    saveAppearance(theme, next);
+  }
+
+  return (
+    <section className="card">
+      <h3>Appearance</h3>
+      <div className="space-y">
+        <div>
+          <div className="muted" style={{ marginBottom: 6 }}>Theme</div>
+          <div className="segmented">
+            <button className={theme === 'light' ? 'active' : ''} onClick={() => onThemeChange('light')}>Light</button>
+            <button className={theme === 'dark' ? 'active' : ''} onClick={() => onThemeChange('dark')}>Dark</button>
+            <button className={theme === 'system' ? 'active' : ''} onClick={() => onThemeChange('system')}>System</button>
+          </div>
+        </div>
+        <div>
+          <div className="muted" style={{ marginBottom: 6 }}>Font size</div>
+          <div className="segmented">
+            <button className={size === 'small' ? 'active' : ''} onClick={() => onSizeChange('small')}>Small</button>
+            <button className={size === 'medium' ? 'active' : ''} onClick={() => onSizeChange('medium')}>Medium</button>
+            <button className={size === 'large' ? 'active' : ''} onClick={() => onSizeChange('large')}>Large</button>
+          </div>
+        </div>
+      </div>
+    </section>
+  );
+}
--- a/7project/frontend/src/pages/Dashboard.tsx
+++ b/7project/frontend/src/pages/Dashboard.tsx
@@ -0,0 +1,172 @@
+import { useEffect, useMemo, useState } from 'react';
+import { type Category, type Transaction, createTransaction, getCategories, getTransactions } from '../api';
+import AccountPage from './AccountPage';
+import AppearancePage from './AppearancePage';
+
+function formatAmount(n: number) {
+  return new Intl.NumberFormat(undefined, { minimumFractionDigits: 2, maximumFractionDigits: 2 }).format(n);
+}
+
+export default function Dashboard({ onLogout }: { onLogout: () => void }) {
+  const [current, setCurrent] = useState<'home' | 'account' | 'appearance'>('home');
+  const [transactions, setTransactions] = useState<Transaction[]>([]);
+  const [categories, setCategories] = useState<Category[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  // New transaction form state
+  const [amount, setAmount] = useState<string>('');
+  const [description, setDescription] = useState('');
+  const [selectedCategoryId, setSelectedCategoryId] = useState<number | ''>('');
+
+  // Filters
+  const [minAmount, setMinAmount] = useState<string>('');
+  const [maxAmount, setMaxAmount] = useState<string>('');
+  const [filterCategoryId, setFilterCategoryId] = useState<number | ''>('');
+  const [searchText, setSearchText] = useState('');
+
+  async function loadAll() {
+    setLoading(true);
+    setError(null);
+    try {
+      const [txs, cats] = await Promise.all([getTransactions(), getCategories()]);
+      setTransactions(txs);
+      setCategories(cats);
+    } catch (err: any) {
+      setError(err?.message || 'Failed to load data');
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  useEffect(() => { loadAll(); }, []);
+
+  const last10 = useMemo(() => {
+    const sorted = [...transactions].sort((a, b) => b.id - a.id);
+    return sorted.slice(0, 10);
+  }, [transactions]);
+
+  const filtered = useMemo(() => {
+    let arr = last10;
+    const min = minAmount !== '' ? Number(minAmount) : undefined;
+    const max = maxAmount !== '' ? Number(maxAmount) : undefined;
+    if (min !== undefined) arr = arr.filter(t => t.amount >= min);
+    if (max !== undefined) arr = arr.filter(t => t.amount <= max);
+    if (filterCategoryId !== '') arr = arr.filter(t => t.category_ids.includes(filterCategoryId as number));
+    if (searchText.trim()) arr = arr.filter(t => (t.description || '').toLowerCase().includes(searchText.toLowerCase()));
+    return arr;
+  }, [last10, minAmount, maxAmount, filterCategoryId, searchText]);
+
+  function categoryNameById(id: number) { return categories.find(c => c.id === id)?.name || `#${id}`; }
+
+  async function handleCreate(e: React.FormEvent) {
+    e.preventDefault();
+    if (!amount) return;
+    const payload = {
+      amount: Number(amount),
+      description: description || undefined,
+      category_ids: selectedCategoryId !== '' ? [Number(selectedCategoryId)] : undefined,
+    };
+    try {
+      const created = await createTransaction(payload);
+      setTransactions(prev => [created, ...prev]);
+      setAmount(''); setDescription(''); setSelectedCategoryId('');
+    } catch (err: any) {
+      alert(err?.message || 'Failed to create transaction');
+    }
+  }
+
+  return (
+    <div className="app-layout">
+      <aside className="sidebar">
+        <div className="logo">7Project</div>
+        <nav className="nav">
+          <button className={current === 'home' ? 'active' : ''} onClick={() => setCurrent('home')}>Home</button>
+          <button className={current === 'account' ? 'active' : ''} onClick={() => setCurrent('account')}>Account</button>
+          <button className={current === 'appearance' ? 'active' : ''} onClick={() => setCurrent('appearance')}>Appearance</button>
+        </nav>
+      </aside>
+      <div className="content">
+        <div className="topbar">
+          <h2 style={{ margin: 0 }}>{current === 'home' ? 'Dashboard' : current === 'account' ? 'Account' : 'Appearance'}</h2>
+          <div className="actions">
+            <span className="user muted">Signed in</span>
+            <button className="btn" onClick={onLogout}>Logout</button>
+          </div>
+        </div>
+        <main className="page space-y">
+          {current === 'home' && (
+            <>
+              <section className="card">
+                <h3>Add Transaction</h3>
+                <form onSubmit={handleCreate} className="form-row">
+                  <input className="input" type="number" step="0.01" placeholder="Amount" value={amount} onChange={(e) => setAmount(e.target.value)} required />
+                  <input className="input" type="text" placeholder="Description (optional)" value={description} onChange={(e) => setDescription(e.target.value)} />
+                  <select className="input" value={selectedCategoryId} onChange={(e) => setSelectedCategoryId(e.target.value ? Number(e.target.value) : '')}>
+                    <option value="">No category</option>
+                    {categories.map(c => (<option key={c.id} value={c.id}>{c.name}</option>))}
+                  </select>
+                  <button className="btn primary" type="submit">Add</button>
+                </form>
+              </section>
+
+              <section className="card">
+                <h3>Filters</h3>
+                <div className="form-row">
+                  <input className="input" type="number" step="0.01" placeholder="Min amount" value={minAmount} onChange={(e) => setMinAmount(e.target.value)} />
+                  <input className="input" type="number" step="0.01" placeholder="Max amount" value={maxAmount} onChange={(e) => setMaxAmount(e.target.value)} />
+                  <select className="input" value={filterCategoryId} onChange={(e) => setFilterCategoryId(e.target.value ? Number(e.target.value) : '')}>
+                    <option value="">All categories</option>
+                    {categories.map(c => (<option key={c.id} value={c.id}>{c.name}</option>))}
+                  </select>
+                  <input className="input" type="text" placeholder="Search in description" value={searchText} onChange={(e) => setSearchText(e.target.value)} />
+                </div>
+              </section>
+
+              <section className="card">
+                <h3>Latest Transactions (last 10)</h3>
+                {loading ? (
+                  <div>Loading…</div>
+                ) : error ? (
+                  <div style={{ color: 'crimson' }}>{error}</div>
+                ) : filtered.length === 0 ? (
+                  <div>No transactions</div>
+                ) : (
+                  <table className="table">
+                    <thead>
+                      <tr>
+                        <th>ID</th>
+                        <th style={{ textAlign: 'right' }}>Amount</th>
+                        <th>Description</th>
+                        <th>Categories</th>
+                      </tr>
+                    </thead>
+                    <tbody>
+                      {filtered.map(t => (
+                        <tr key={t.id}>
+                          <td>{t.id}</td>
+                          <td className="amount">{formatAmount(t.amount)}</td>
+                          <td>{t.description || ''}</td>
+                          <td>{t.category_ids.map(id => categoryNameById(id)).join(', ')}</td>
+                        </tr>
+                      ))}
+                    </tbody>
+                  </table>
+                )}
+              </section>
+            </>
+          )}
+
+          {current === 'account' && (
+            // lazy import avoided for simplicity
+            <AccountPage onDeleted={onLogout} />
+          )}
+
+          {current === 'appearance' && (
+            <AppearancePage />
+          )}
+        </main>
+      </div>
+    </div>
+  );
+}
--- a/7project/frontend/src/pages/LoginRegisterPage.tsx
+++ b/7project/frontend/src/pages/LoginRegisterPage.tsx
@@ -0,0 +1,96 @@
+import { useState, useEffect } from 'react';
+import { login, register } from '../api';
+import { BACKEND_URL } from '../config';
+
+function oauthUrl(provider: 'mojeid' | 'bankid') {
+  const base = BACKEND_URL.replace(/\/$/, '');
+  const redirect = encodeURIComponent(window.location.origin + '/oauth-callback');
+  return `${base}/auth/${provider}/authorize?redirect_url=${redirect}`;
+}
+
+export default function LoginRegisterPage({ onLoggedIn }: { onLoggedIn: () => void }) {
+  const [mode, setMode] = useState<'login' | 'register'>('login');
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [firstName, setFirstName] = useState('');
+  const [lastName, setLastName] = useState('');
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+    setError(null);
+    try {
+      if (mode === 'login') {
+        await login(email, password);
+        onLoggedIn();
+      } else {
+        await register(email, password, firstName || undefined, lastName || undefined);
+        // After register, prompt login automatically
+        await login(email, password);
+        onLoggedIn();
+      }
+    } catch (err: any) {
+      setError(err?.message || 'Operation failed');
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  // Add this useEffect hook
+  useEffect(() => {
+    // When the component mounts, add a class to the body
+    document.body.classList.add('auth-page');
+
+    // When the component unmounts, remove the class
+    return () => {
+      document.body.classList.remove('auth-page');
+    };
+  }, []); // The empty array ensures this runs only once
+
+  // The JSX no longer needs the wrapper div
+  return (
+    <div className="card" style={{ width: 420 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', marginBottom: 12 }}>
+        <h2 style={{ margin: 0 }}>{mode === 'login' ? 'Welcome back' : 'Create your account'}</h2>
+        <div className="segmented">
+          <button className={mode === 'login' ? 'active' : ''} type="button" onClick={() => setMode('login')}>Login</button>
+          <button className={mode === 'register' ? 'active' : ''} type="button" onClick={() => setMode('register')}>Register</button>
+        </div>
+      </div>
+      <form onSubmit={handleSubmit} className="space-y">
+        <div>
+            <label className="muted">Email</label>
+            <input className="input" type="email" required value={email} onChange={(e) => setEmail(e.target.value)} />
+          </div>
+          <div>
+            <label className="muted">Password</label>
+            <input className="input" type="password" required value={password} onChange={(e) => setPassword(e.target.value)} />
+          </div>
+          {mode === 'register' && (
+            <div className="form-row">
+              <div>
+                <label className="muted">First name (optional)</label>
+                <input className="input" type="text" value={firstName} onChange={(e) => setFirstName(e.target.value)} />
+              </div>
+              <div>
+                <label className="muted">Last name (optional)</label>
+                <input className="input" type="text" value={lastName} onChange={(e) => setLastName(e.target.value)} />
+              </div>
+            </div>
+          )}
+          {error && <div style={{ color: 'crimson' }}>{error}</div>}
+          <div className="actions" style={{ justifyContent: 'space-between' }}>
+            <div className="muted">Or continue with</div>
+            <div className="actions">
+              <a className="btn" href={oauthUrl('mojeid')}>MojeID</a>
+              <a className="btn" href={oauthUrl('bankid')}>BankID</a>
+              <button className="btn primary" type="submit" disabled={loading}>{loading ? 'Please wait…' : (mode === 'login' ? 'Login' : 'Register')}</button>
+            </div>
+          </div>
+      </form>
+    </div>
+  );
+}
+
--- a/7project/frontend/src/ui.css
+++ b/7project/frontend/src/ui.css
@@ -0,0 +1,85 @@
+:root {
+  --bg: #f7f7fb;
+  --panel: #ffffff;
+  --text: #9aa3b2;
+  --muted: #6b7280;
+  --primary: #6f49fe;
+  --primary-600: #5a37fb;
+  --border: #e5e7eb;
+  --radius: 12px;
+  --shadow: 0 1px 2px rgba(0,0,0,0.04), 0 8px 24px rgba(0,0,0,0.08);
+
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, "Apple Color Emoji", "Segoe UI Emoji";
+  color: var(--text);
+}
+
+* { box-sizing: border-box; }
+
+html, body, #root { height: 100%; }
+
+body { background: var(--bg); margin: 0; display: block; }
+
+/* Dark theme variables */
+body[data-theme="dark"] {
+  --bg: #161a2b;
+  --panel: #283046;
+  --text: #283046;
+  --muted: #cbd5e1;
+  --primary: #8b7bff;
+  --primary-600: #7b69ff;
+  --border: #283046;
+}
+
+/* Layout */
+.app-layout { display: grid; grid-template-columns: 260px 1fr; height: 100%; }
+.sidebar { background: #15172a; color: #e5e7eb; display: flex; flex-direction: column; padding: 20px 12px; }
+.sidebar .logo { color: #fff; font-weight: 700; font-size: 18px; padding: 12px 14px; display: flex; align-items: center; gap: 10px; }
+.nav { margin-top: 12px; display: grid; gap: 4px; }
+.nav a, .nav button { color: #cbd5e1; text-align: left; background: transparent; border: 0; padding: 10px 12px; border-radius: 8px; cursor: pointer; }
+.nav a.active, .nav a:hover, .nav button:hover { background: rgba(255,255,255,0.08); color: #fff; }
+
+.content { display: flex; flex-direction: column; height: 100%; }
+.topbar { height: 64px; display: flex; align-items: center; justify-content: space-between; padding: 0 24px; background: var(--panel); border-bottom: 1px solid var(--border); }
+.topbar .user { color: var(--muted); }
+.page { padding: 24px; max-width: 1100px; margin: auto; }
+
+/* Cards */
+.card { background: var(--panel); border: 1px solid var(--border); border-radius: var(--radius); box-shadow: var(--shadow); padding: 16px; }
+.card h3 { margin: 0 0 12px; }
+
+/* Forms */
+.input, select, textarea { width: 100%; padding: 10px 12px; border-radius: 10px; border: 1px solid var(--border); background: #fff; color: var(--text); }
+.input:focus, select:focus, textarea:focus { outline: 2px solid var(--primary); border-color: var(--primary); }
+.form-row { display: grid; gap: 8px; grid-template-columns: repeat(4, minmax(0,1fr)); }
+.form-row > * { min-width: 140px; }
+.actions { display: flex; align-items: center; gap: 8px; }
+
+/* Buttons */
+.btn { border: 1px solid var(--border); background: #fff; color: var(--text); padding: 10px 14px; border-radius: 10px; cursor: pointer; }
+.btn.primary { background: var(--primary); border-color: var(--primary); color: #fff; }
+.btn.primary:hover { background: var(--primary-600); }
+.btn.ghost { background: transparent; color: var(--muted); }
+
+/* Tables */
+.table { width: 100%; border-collapse: collapse; }
+.table th, .table td { padding: 10px; border-bottom: 1px solid var(--border); }
+.table th { text-align: left; color: var(--muted); font-weight: 600; }
+.table td.amount { text-align: right; font-variant-numeric: tabular-nums; }
+
+/* Segmented control */
+.segmented { display: inline-flex; background: #f1f5f9; border-radius: 10px; padding: 4px; border: 1px solid var(--border); }
+.segmented button { border: 0; background: transparent; padding: 8px 12px; border-radius: 8px; color: var(--muted); cursor: pointer; }
+.segmented button.active { background: #fff; color: var(--text); box-shadow: var(--shadow); }
+
+/* Auth layout */
+body.auth-page #root {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  width: 100%;
+}
+
+/* Utility */
+.muted { color: var(--muted); }
+.space-y > * + * { margin-top: 12px; }
--- a/7project/meetings/2025-10-16-meeting.md
+++ b/7project/meetings/2025-10-16-meeting.md
@@ -0,0 +1,53 @@
+# Weekly Meeting Notes
+
+- Group 8 - Personal finance tracker
+- Mentor: Jaychander
+
+Keep all meeting notes in the `meetings.md` file in your project folder.
+Just copy the template below for each weekly meeting and fill in the details.
+
+## Administrative Info
+
+- Date: 2025-10-08
+- Attendees: Dejan Ribarovski, Lukas Trkan
+- Notetaker: Dejan Ribarovski
+
+## Progress Update (Before Meeting)
+
+Summary of what has been accomplished since the last meeting in the following categories.
+
+## Action Items from Last Week (During Meeting)
+
+- [x] start coding the app logic
+- [x] start writing the report so it matches the actual progress
+- [x] redo the system diagram so it includes a response flow
+
+### Coding
+Implemented initial functioning version of the app, added OAuth with BankId and MojeID,
+added database snapshots.
+
+### Documentation
+report.md is up to date
+
+## Questions and Topics for Discussion (Before Meeting)
+
+Prepare 3-5 questions and topics you want to discuss with your mentor.
+
+1. What other functionality should be added to the app
+2. Priority for the next week (Testing maybe?)
+3. Question 3
+
+## Discussion Notes (During Meeting)
+
+## Action Items for Next Week (During Meeting)
+
+Last 3 minutes of the meeting, summarize action items.
+
+- [ ] OAuth
+- [ ] CI/CD fix
+- [ ] Database local (multiple bank accounts)
+- [ ] Add tests and set up github pipeline
+- [ ] Frontend imporvment - user experience
+- [ ] make the report more clear
+
+---
--- a/7project/meetings/2025-10-9-meeting.md
+++ b/7project/meetings/2025-10-9-meeting.md
--- a/7project/report.md
+++ b/7project/report.md
@@ -1,4 +1,4 @@
-# Project Report
+# Personal finance tracker

 > **Instructions**:
 > This template provides the structure for your project report.
@@ -7,126 +7,211 @@

 ## Project Overview

-**Project Name**: [Your project name]
+**Project Name**: Personal Finance Tracker

 **Group Members**:

- Student number, Name, GitHub username
- Student number, Name, GitHub username
- Student number, Name, GitHub username
+- 289229, Lukáš Trkan, lukastrkan
+- 289258, Dejan Ribarovski, derib2613, ribardej

 **Brief Description**:
-[2-3 sentences describing what your application does and its main purpose]
+Our application is a finance tracker, so a person can easily track his cash flow
+through multiple bank accounts. Person can label transactions with custom categories
+and later filter by them.

 ## Architecture Overview
+Our system is a full‑stack web application composed of a React frontend, a FastAPI backend, a PostgreSQL database, and asynchronous background workers powered by Celery with RabbitMQ. Redis is available for caching/kv and may be used by Celery as a result backend. The backend exposes REST endpoints for authentication (email/password and OAuth), users, categories, and transactions. A thin controller layer (FastAPI routers) lives under app/api. Infrastructure for Kubernetes is provided via OpenTofu (Terraform‑compatible) modules and the application is packaged via a Helm chart.

 ### High-Level Architecture

-[Describe the overall system architecture. Consider including a diagram using mermaid or linking to an image]
-
 ```mermaid
-graph TD
-    A[Component A] --> B[Component B]
-    B --> C[Component C]
+flowchart LR
+    proc_queue[Message Queue] --> proc_queue_worker[Worker Service]
+    proc_queue_worker --> ext_mail[(Email Service)]
+    proc_cron[Task planner] --> proc_queue
+    proc_queue_worker --> ext_bank[(Bank API)]
+    proc_queue_worker --> db
+    client[Client/Frontend] <--> svc[Backend API]
+    svc --> proc_queue
+    svc <--> db[(Database)]
+    svc <--> cache[(Cache)]
 ```

 ### Components

- **Component 1**: [Description of what this component does]
- **Component 2**: [Description of what this component does]
- **Component 3**: [Description of what this component does]
+- Frontend (frontend/): React + TypeScript app built with Vite. Talks to the backend via REST, handles login/registration, shows latest transactions, filtering, and allows adding transactions.
+- Backend API (backend/app): FastAPI app with routers under app/api for auth, categories, and transactions. Uses FastAPI Users for auth (JWT + OAuth), SQLAlchemy ORM, and Pydantic v2 schemas.
+- Worker service (backend/app/workers): Celery worker handling asynchronous tasks (e.g., sending verification emails, future background processing).
+- Database (PostgreSQL): Persists users, categories, transactions; schema managed by Alembic migrations.
+- Message Queue (RabbitMQ): Transports background jobs from the API to the worker.
+- Cache/Result Store (Redis): Available for caching or Celery result backend.
+- Infrastructure as Code (tofu/): OpenTofu modules provisioning cluster services (RabbitMQ, Redis, Argo CD, cert-manager, Cloudflare tunnel, etc.).
+- Deployment Chart (charts/myapp-chart/): Helm chart to deploy the application to Kubernetes.

 ### Technologies Used

- **Backend**: [e.g., Go, Node.js, Python]
- **Database**: [e.g., PostgreSQL, MongoDB, Redis]
- **Cloud Services**: [e.g., AWS EC2, Google Cloud Run, Azure Functions]
- **Container Orchestration**: [e.g., Docker, Kubernetes]
- **Other**: [List other significant technologies]
+- Backend: Python, FastAPI, FastAPI Users, SQLAlchemy, Pydantic, Alembic, Celery
+- Frontend: React, TypeScript, Vite
+- Database: PostgreSQL
+- Messaging: RabbitMQ 
+- Cache: Redis
+- Containerization/Orchestration: Docker, Docker Compose (dev), Kubernetes, Helm
+- IaC/Platform: OpenTofu (Terraform), Argo CD, cert-manager, MetalLB, Cloudflare Tunnel, Prometheus

 ## Prerequisites

 ### System Requirements

- Operating System: [e.g., Linux, macOS, Windows]
- Minimum RAM: [e.g., 8GB]
- Storage: [e.g., 10GB free space]
+- Operating System: Linux, macOS, or Windows
+- Minimum RAM: 4 GB (8 GB recommended for running backend, frontend, and database together)
+- Storage: 2 GB free (Docker images may require additional space)

 ### Required Software

- [Software 1] (version X.X or higher)
- [Software 2] (version X.X or higher)
- [etc.]
+- Docker Desktop or Docker Engine 24+
+- Docker Compose v2+
+- Node.js 20+ and npm 10+ (for local frontend dev/build)
+- Python 3.12+ (for local backend dev outside Docker)
+- PostgreSQL 15+ (optional if running DB outside Docker)
+- Helm 3.12+ and kubectl 1.29+ (for Kubernetes deployment)
+- OpenTofu 1.7+ (for infrastructure provisioning)

-### Dependencies
+### Environment Variables (common)

-```bash
-# List key dependencies that need to be installed
-# For example:
-# Docker Engine 20.10+
-# Node.js 18+
-# Go 1.25+
-```
+- Backend: SECRET, FRONTEND_URL, BACKEND_URL, DATABASE_URL, RABBITMQ_URL, REDIS_URL 
+- OAuth vars (Backend): MOJEID_CLIENT_ID/SECRET, BANKID_CLIENT_ID/SECRET (optional)
+- Frontend: VITE_BACKEND_URL
+
+### Dependencies (key libraries)
+I am not sure what is meant by "key libraries"
+
+Backend: FastAPI, fastapi-users, SQLAlchemy, pydantic v2, Alembic, Celery  
+Frontend: React, TypeScript, Vite  
+Services: PostgreSQL, RabbitMQ, Redis

 ## Build Instructions

-### 1. Clone the Repository
+You can run the project with Docker Compose (recommended for local development) or run services manually.
+
+### 1) Clone the Repository

 ```bash
-git clone [your-repository-url]
-cd [repository-name]
+git clone https://github.com/dat515-2025/Group-8.git
+cd 7project
 ```

-### 2. Install Dependencies
-
+### 2) Install dependencies
+Backend
 ```bash
-# Provide step-by-step commands
-# For example:
-# npm install
-# go mod download
+# In 7project/backend
+python3.12 -m venv .venv
+source .venv/bin/activate  # Windows: .venv\Scripts\activate
+pip install -r requirements.txt
 ```
-
-### 3. Build the Application
-
+Frontend
 ```bash
-# Provide exact build commands
-# For example:
-# make build
-# docker build -t myapp .
+# In 7project/frontend
+npm install
 ```

-### 4. Configuration
+### 3) Manual Local Run

+Backend
 ```bash
-# Any configuration steps needed
-# Environment variables to set
-# Configuration files to create
+# From the 7project/ directory
+docker compose up --build
+# This starts: PostgreSQL, RabbitMQ/Redis (if defined)
+
+# Set environment variables (or create .env file)
+export SECRET=CHANGE_ME_SECRET
+export BACKEND_URL=http://127.0.0.1:8000
+export FRONTEND_URL=http://localhost:5173
+export DATABASE_URL=postgresql+asyncpg://user:password@127.0.0.1:5432/app
+export RABBITMQ_URL=amqp://guest:guest@127.0.0.1:5672/
+export REDIS_URL=redis://127.0.0.1:6379/0
+
+# Apply DB migrations (Alembic)
+# From 7project/backend
+alembic upgrade head
+
+# Run API
+uvicorn app.app:fastApi --reload --host 0.0.0.0 --port 8000
+
+# Run Celery worker (optional, for emails/background tasks)
+celery -A app.celery_app.celery_app worker -l info
 ```

+Frontend
+```bash
+# Configure backend URL for dev
+echo 'VITE_BACKEND_URL=http://127.0.0.1:8000' > .env
+npm run dev
+# Open http://localhost:5173
+```
+
+- Backend default: http://127.0.0.1:8000 (OpenAPI at /docs)
+- Frontend default: http://localhost:5173
+
+If needed, adjust compose services/ports in compose.yml.
+
+
 ## Deployment Instructions

-### Local Deployment
+### Local (Docker Compose)

+Described in the previous section (Manual Local Run)
+
+### Kubernetes (via OpenTofu + Helm)
+
+1) Provision platform services (RabbitMQ/Redis/ingress/tunnel/etc.) with OpenTofu
 ```bash
-# Step-by-step commands for local deployment
-# For example:
-# docker-compose up -d
-# kubectl apply -f manifests/
+cd tofu
+# copy and edit variables
+cp terraform.tfvars.example terraform.tfvars
+# authenticate to your cluster/cloud as needed, then:
+tofu init
+tofu plan
+tofu apply
 ```

-### Cloud Deployment
-
+2) Deploy the app using Helm
 ```bash
-# Commands for cloud deployment
-# Include any cloud-specific setup
+# Set the namespace
+kubectl create namespace myapp || true
+
+# Install/upgrade the chart with required values
+helm upgrade --install myapp charts/myapp-chart \
+  -n myapp \
+  -f charts/myapp-chart/values.yaml \
+  --set image.backend.repository=myorg/myapp-backend \
+  --set image.backend.tag=latest \
+  --set env.BACKEND_URL="https://myapp.example.com" \
+  --set env.FRONTEND_URL="https://myapp.example.com" \
+  --set env.SECRET="CHANGE_ME_SECRET"
+```
+Adjust values to your registry and domain. The chart’s NOTES.txt includes additional examples.
+
+3) Expose and access
+- If using Cloudflare Tunnel or an ingress, configure DNS accordingly (see tofu/modules/cloudflare and deployment/tunnel.yaml).
+- For quick testing without ingress:
+```bash
+kubectl -n myapp port-forward deploy/myapp-backend 8000:8000
+kubectl -n myapp port-forward deploy/myapp-frontend 5173:80
 ```

 ### Verification

 ```bash
-# Commands to verify deployment worked
-# How to check if services are running
-# Example health check endpoints
+# Check pods
+kubectl -n myapp get pods
+
+# Backend health
+curl -i http://127.0.0.1:8000/
+# OpenAPI
+open http://127.0.0.1:8000/docs
+
+# Frontend (if port-forwarded)
+open http://localhost:5173
 ```

 ## Testing Instructions
@@ -156,19 +241,38 @@ cd [repository-name]

 ## Usage Examples

-### Basic Usage
+All endpoints are documented at OpenAPI: http://127.0.0.1:8000/docs
+
+### Auth: Register and Login (JWT)

 ```bash
-# Examples of how to use the application
-# Common commands or API calls
-# Sample data or test scenarios
+# Register
+curl -X POST http://127.0.0.1:8000/auth/register \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "email": "user@example.com",
+    "password": "StrongPassw0rd",
+    "first_name": "Jane",
+    "last_name": "Doe"
+  }'
+
+# Login (JWT)
+TOKEN=$(curl -s -X POST http://127.0.0.1:8000/auth/jwt/login \
+  -H 'Content-Type: application/x-www-form-urlencoded' \
+  -d 'username=user@example.com&password=StrongPassw0rd' | jq -r .access_token)
+
+echo $TOKEN
+
+# Call a protected route
+curl -H "Authorization: Bearer $TOKEN" http://127.0.0.1:8000/authenticated-route
 ```

-### Advanced Features
+### Frontend

-```bash
-# Examples showcasing advanced functionality
-```
+- Start with: npm run dev in 7project/frontend
+- Ensure VITE_BACKEND_URL is set to the backend URL (e.g., http://127.0.0.1:8000)
+- Open http://localhost:5173
+- Login, view latest transactions, filter, and add new transactions from the UI.

 ---

@@ -215,18 +319,18 @@ cd [repository-name]
 > This information is used for individual grading.
 > Link to the specific commit on GitHub for each contribution.

-| Task/Component                                                      | Assigned To | Status        | Time Spent | Difficulty | Notes       |
-| ------------------------------------------------------------------- | ----------- | ------------- | ---------- | ---------- | ----------- |
-| Project Setup & Repository                                          | [Name]      | ✅ Complete    | [X hours]  | Medium     | [Any notes] |
-| [Design Document](https://github.com/dat515-2025/group-name)         | [Name]      | ✅ Complete    | [X hours]  | Easy       | [Any notes] |
-| [Backend API Development](https://github.com/dat515-2025/group-name) | [Name]      | ✅ Complete    | [X hours]  | Hard       | [Any notes] |
-| [Database Setup & Models](https://github.com/dat515-2025/group-name) | [Name]      | ✅ Complete    | [X hours]  | Medium     | [Any notes] |
-| [Frontend Development](https://github.com/dat515-2025/group-name)    | [Name]      | 🔄 In Progress | [X hours]  | Medium     | [Any notes] |
-| [Docker Configuration](https://github.com/dat515-2025/group-name)    | [Name]      | ✅ Complete    | [X hours]  | Easy       | [Any notes] |
-| [Cloud Deployment](https://github.com/dat515-2025/group-name)        | [Name]      | ✅ Complete    | [X hours]  | Hard       | [Any notes] |
-| [Testing Implementation](https://github.com/dat515-2025/group-name)  | [Name]      | ⏳ Pending     | [X hours]  | Medium     | [Any notes] |
-| [Documentation](https://github.com/dat515-2025/group-name)           | [Name]      | ✅ Complete    | [X hours]  | Easy       | [Any notes] |
-| [Presentation Video](https://github.com/dat515-2025/group-name)      | [Name]      | ✅ Complete    | [X hours]  | Medium     | [Any notes] |
+| Task/Component                                                        | Assigned To | Status        | Time Spent     | Difficulty | Notes       |
+|-----------------------------------------------------------------------|-------------| ------------- |----------------|------------| ----------- |
+| [Project Setup & Repository](https://github.com/dat515-2025/Group-8#) | Lukas       | ✅ Complete    | [X hours]      | Medium     | [Any notes] |
+| [Design Document](https://github.com/dat515-2025/Group-8/blob/main/6design/design.md)          | Both        | ✅ Complete    | 2 Hours        | Easy       | [Any notes] |
+| [Backend API Development](https://github.com/dat515-2025/Group-8/tree/main/7project/backend/app/api)  | Dejan       | ✅ Complete    | 10 hours       | Medium     | [Any notes] |
+| [Database Setup & Models](https://github.com/dat515-2025/Group-8/tree/main/7project/backend/app/models)  | Lukas       | ✅ Complete    | [X hours]      | Medium     | [Any notes] |
+| [Frontend Development](https://github.com/dat515-2025/Group-8/tree/main/7project/frontend)     | Dejan       | 🔄 In Progress | 7 hours so far | Medium     | [Any notes] |
+| [Docker Configuration](https://github.com/dat515-2025/Group-8/blob/main/7project/compose.yml)     | Lukas       | ✅ Complete    | [X hours]      | Easy       | [Any notes] |
+| [Cloud Deployment](https://github.com/dat515-2025/Group-8/blob/main/7project/deployment/app-demo-deployment.yaml)         | Lukas       | ✅ Complete    | [X hours]      | Hard       | [Any notes] |
+| [Testing Implementation](https://github.com/dat515-2025/group-name)   | Dejan       | ❌ Not Started     | [X hours]      | Medium     | [Any notes] |
+| [Documentation](https://github.com/dat515-2025/group-name)            | Both        | ❌ Not Started   | [X hours]      | Easy       | [Any notes] |
+| [Presentation Video](https://github.com/dat515-2025/group-name)       | Both        | ❌ Not Started     | [X hours]      | Medium     | [Any notes] |

 **Legend**: ✅ Complete | 🔄 In Progress | ⏳ Pending | ❌ Not Started

@@ -244,25 +348,16 @@ cd [repository-name]
 | [Date]    | Documentation       | [X.X]      | Updated README and design doc       |
 | **Total** |                     | **[XX.X]** |                                     |

-### [Team Member 2 Name]
+### Dejan

-| Date      | Activity             | Hours      | Description                               |
-| --------- | -------------------- | ---------- | ----------------------------------------- |
-| [Date]    | Frontend Development | [X.X]      | Created user interface mockups            |
-| [Date]    | Integration          | [X.X]      | Connected frontend to backend API         |
-| [Date]    | Deployment           | [X.X]      | Docker configuration and cloud deployment |
-| [Date]    | Testing              | [X.X]      | End-to-end testing                        |
-| **Total** |                      | **[XX.X]** |                                           |
+| Date        | Activity             | Hours  | Description                    |
+|-------------|----------------------|--------|--------------------------------|
+| 25.9.       | Design               | 1.5    | 6design                        |
+| 9-11.10.    | Backend APIs         | 10     | Implemented Backend APIs       |
+| 13-15.10.   | Frontend Development | 6.5    | Created user interface mockups |
+| Continually | Documantation        | 3      | Documenting the dev process    |
+| **Total**   |                      | **21** |                                |

-### [Team Member 3 Name] (if applicable)
-
-| Date      | Activity                 | Hours      | Description                      |
-| --------- | ------------------------ | ---------- | -------------------------------- |
-| [Date]    | Database Design          | [X.X]      | Schema design and implementation |
-| [Date]    | Cloud Configuration      | [X.X]      | AWS/GCP setup and configuration  |
-| [Date]    | Performance Optimization | [X.X]      | Caching and query optimization   |
-| [Date]    | Monitoring               | [X.X]      | Logging and monitoring setup     |
-| **Total** |                          | **[XX.X]** |                                  |

 ### Group Total: [XXX.X] hours

@@ -292,11 +387,8 @@ cd [repository-name]

 [Personal reflection on growth, challenges, and learning]

-#### [Team Member 3 Name] (if applicable)
-
-[Personal reflection on growth, challenges, and learning]

 ---

 **Report Completion Date**: [Date]
-**Last Updated**: [Date]
+**Last Updated**: 15.10.2025
--- a/7project/tofu/main.tf
+++ b/7project/tofu/main.tf
@@ -96,6 +96,13 @@ module "database" {

  phpmyadmin_enabled = var.phpmyadmin_enabled
  cloudflare_domain  = var.cloudflare_domain
+
+  s3_enabled = var.s3_enabled
+  s3_bucket = var.s3_bucket
+  s3_region = var.s3_region
+  s3_endpoint = var.s3_endpoint
+  s3_key_id = var.s3_key_id
+  s3_key_secret = var.s3_key_secret
 }

 #module "argocd" {
--- a/7project/tofu/modules/maxscale/charts/maxscale-helm/Chart.yaml
+++ b/7project/tofu/modules/maxscale/charts/maxscale-helm/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: maxscale-helm
-version: 1.0.8
+version: 1.0.14
 description: Helm chart for MaxScale related Kubernetes manifests
--- a/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/backup.yaml
+++ b/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/backup.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.s3.enabled }}
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Backup
+metadata:
+  name: backup
+  namespace: mariadb-operator
+spec:
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  schedule:
+    cron: "0 */3 * * *"
+    suspend: false
+  timeZone: "Europe/Prague"
+  maxRetention: 720h # 30 days
+  compression: bzip2
+  storage:
+    s3:
+      bucket: {{ .Values.s3.bucket | quote }}
+      endpoint: {{ .Values.s3.endpoint | quote }}
+      accessKeyIdSecretKeyRef:
+        name: s3-credentials
+        key: key_id
+      secretAccessKeySecretKeyRef:
+        name: s3-credentials
+        key: secret_key
+      region: {{ .Values.s3.region | quote }}
+      tls:
+        enabled: true
+  # Define a PVC to use as staging area for keeping the backups while they are being processed.
+  stagingStorage:
+    persistentVolumeClaim:
+      resources:
+        requests:
+          storage: 10Gi
+      accessModes:
+        - ReadWriteOnce
+  args:
+    - --single-transaction
+    - --all-databases
+  logLevel: info
+{{- end }}
--- a/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/config.yaml
+++ b/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/config.yaml
@@ -60,6 +60,8 @@ spec:
        scrapeTimeout: 10s
        prometheusRelease: kube-prometheus-stack
        jobLabel: mariadb-monitoring
+    auth:
+      generate: true

    tls:
      enabled: true
--- a/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/garage.yaml
+++ b/7project/tofu/modules/maxscale/charts/maxscale-helm/templates/garage.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.s3.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-credentials
+  namespace: mariadb-operator
+type: Opaque
+stringData:
+  key_id: "{{ .Values.s3.key_id }}"
+  secret_key: "{{ .Values.s3.key_secret }}"
+{{- end }}
--- a/7project/tofu/modules/maxscale/charts/maxscale-helm/values.yaml
+++ b/7project/tofu/modules/maxscale/charts/maxscale-helm/values.yaml
@@ -14,4 +14,12 @@ metallb:
 phpmyadmin:
  enabled: true

+s3:
+  enabled: false
+  endpoint: ""
+  region: ""
+  bucket: ""
+  key_id: ""
+  key_secret: ""
+
 base_domain: example.com
--- a/7project/tofu/modules/maxscale/main.tf
+++ b/7project/tofu/modules/maxscale/main.tf
@@ -9,16 +9,16 @@ terraform {
      version = "3.0.2"
    }
    kubernetes = {
-      source = "hashicorp/kubernetes"
+      source  = "hashicorp/kubernetes"
      version = "2.38.0"
    }
  }
 }

 resource "kubernetes_namespace" "mariadb-operator" {
-    metadata {
-      name = "mariadb-operator"
-    }
+  metadata {
+    name = "mariadb-operator"
+  }
 }

 locals {
@@ -30,46 +30,53 @@ locals {
 }

 resource "kubectl_manifest" "secrets" {
-   yaml_body  = local.mariadb_secret_yaml
-   depends_on = [ kubernetes_namespace.mariadb-operator ]
+  yaml_body  = local.mariadb_secret_yaml
+  depends_on = [kubernetes_namespace.mariadb-operator]
 }


 resource "helm_release" "mariadb-operator-crds" {
-    name             = "mariadb-operator-crds"
-    repository       = "https://helm.mariadb.com/mariadb-operator"
-    chart            = "mariadb-operator-crds"
-    namespace        = "mariadb-operator"
-    version          = "25.8.4"
-    depends_on       = [ kubectl_manifest.secrets ]
-    timeout          = 3600
+  name       = "mariadb-operator-crds"
+  repository = "https://helm.mariadb.com/mariadb-operator"
+  chart      = "mariadb-operator-crds"
+  namespace  = "mariadb-operator"
+  version    = "25.8.4"
+  depends_on = [kubectl_manifest.secrets]
+  timeout    = 3600
 }


 resource "helm_release" "mariadb-operator" {
-    name             = "mariadb-operator"
-    repository       = "https://helm.mariadb.com/mariadb-operator"
-    chart            = "mariadb-operator"
-    depends_on       = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
-    namespace        = "mariadb-operator"
-    timeout          = 3600
+  name       = "mariadb-operator"
+  repository = "https://helm.mariadb.com/mariadb-operator"
+  chart      = "mariadb-operator"
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
+  namespace  = "mariadb-operator"
+  version    = "25.8.3"
+  timeout    = 3600
 }

 resource "helm_release" "maxscale_helm" {
  name       = "maxscale-helm"
  chart      = "${path.module}/charts/maxscale-helm"
-  version    = "1.0.8"
-  depends_on = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
+  version    = "1.0.14"
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
  timeout    = 3600

  set = [
-    { name = "user.name",             value = var.mariadb_user_name },
-    { name = "user.host",             value = var.mariadb_user_host },
-    { name = "metallb.maxscale_ip",   value = var.maxscale_ip },
-    { name = "metallb.service_ip",    value = var.service_ip },
-    { name = "metallb.primary_ip",    value = var.primary_ip },
-    { name = "metallb.secondary_ip",  value = var.secondary_ip },
-    { name = "phpmyadmin.enabled",    value = tostring(var.phpmyadmin_enabled) },
-    { name = "base_domain", value = var.cloudflare_domain }
+    { name = "user.name", value = var.mariadb_user_name },
+    { name = "user.host", value = var.mariadb_user_host },
+    { name = "metallb.maxscale_ip", value = var.maxscale_ip },
+    { name = "metallb.service_ip", value = var.service_ip },
+    { name = "metallb.primary_ip", value = var.primary_ip },
+    { name = "metallb.secondary_ip", value = var.secondary_ip },
+    { name = "phpmyadmin.enabled", value = tostring(var.phpmyadmin_enabled) },
+    { name = "base_domain", value = var.cloudflare_domain },
+    { name = "s3.key_id", value = var.s3_key_id },
+    { name = "s3.key_secret", value = var.s3_key_secret },
+    { name = "s3.enabled", value = var.s3_enabled },
+    { name = "s3.endpoint", value = var.s3_endpoint },
+    { name = "s3.region", value = var.s3_region },
+    { name = "s3.bucket", value = var.s3_bucket },
  ]
 }
--- a/7project/tofu/modules/maxscale/variables.tf
+++ b/7project/tofu/modules/maxscale/variables.tf
@@ -52,7 +52,39 @@ variable "mariadb_user_password" {
 }

 variable "cloudflare_domain" {
-  type = string
-  default = "Base cloudflare domain, e.g. example.com"
+  type     = string
+  default  = "Base cloudflare domain, e.g. example.com"
  nullable = false
-}
+}
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}
--- a/7project/tofu/modules/metrics-server/values.yaml
+++ b/7project/tofu/modules/metrics-server/values.yaml
@@ -0,0 +1,15 @@
+# Values overriding defaults for metrics-server Helm chart
+# Fix TLS and address selection issues when scraping kubelets (common on Talos)
+args:
+  - --kubelet-insecure-tls
+  - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
+  - --kubelet-use-node-status-port=true
+
+# Using hostNetwork often helps in restricted CNI/DNS environments
+#hostNetwork: true
+# Required when hostNetwork is true so DNS works as expected
+#dnsPolicy: ClusterFirstWithHostNet
+
+# Enable metrics API service monitor if Prometheus Operator is present (optional)
+# serviceMonitor:
+#   enabled: true
--- a/7project/tofu/modules/rabbitmq/main.tf
+++ b/7project/tofu/modules/rabbitmq/main.tf
@@ -16,6 +16,12 @@ terraform {
  }
 }

+resource "kubernetes_namespace" "rabbitmq_namespace" {
+  metadata {
+    name = "rabbitmq-system"
+  }
+}
+

 resource "helm_release" "rabbitmq_operator" {
  name       = "rabbitmq-cluster-operator"
@@ -24,8 +30,7 @@ resource "helm_release" "rabbitmq_operator" {

  version = "4.4.34"

-  namespace        = "rabbitmq-system"
-  create_namespace = true
+  namespace = "rabbitmq-system"

  # Zde můžete přepsat výchozí hodnoty chartu, pokud by bylo potřeba
  # Například sledovat jen určité namespace, nastavit tolerations atd.
@@ -59,6 +64,7 @@ resource "helm_release" "rabbitmq_operator" {
      value = "true"
    }
  ]
+  depends_on = [kubernetes_namespace.rabbitmq_namespace]
 }


--- a/7project/tofu/modules/rabbitmq/rabbit-cluster.yaml
+++ b/7project/tofu/modules/rabbitmq/rabbit-cluster.yaml
@@ -2,4 +2,4 @@ apiVersion: rabbitmq.com/v1beta1
 kind: RabbitmqCluster
 metadata:
  name: 'rabbitmq-cluster'
-  namespace: "rabbitmq"
+  namespace: "rabbitmq-system"
--- a/7project/tofu/modules/rabbitmq/rabbit-ui.yaml
+++ b/7project/tofu/modules/rabbitmq/rabbit-ui.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.cfargotunnel.com/v1alpha1
 kind: TunnelBinding
 metadata:
  name: rabbit-tunnel-binding
-  namespace: rabbitmq
+  namespace: rabbitmq-system
 subjects:
  - name: rabbit-gui
    spec:
--- a/7project/tofu/variables.tf
+++ b/7project/tofu/variables.tf
@@ -108,3 +108,40 @@ variable "rabbitmq-password" {
  sensitive   = true
  description = "Admin password for RabbitMQ user"
 }
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}
+
+
+
Author	SHA1	Message	Date
Lukáš Trkan	8c72091658	Merge branch 'main' into merge/frontend_basics	2025-10-21 13:31:50 +02:00
Lukáš Trkan	607c5eadd7	feat(infrastructure): remove old deployment	2025-10-20 19:20:56 +02:00
Lukáš Trkan	2617c640a8	fix(app): add missing env variables Some checks failed Deploy Prod / Build and push image (reusable) (push) Has been cancelled Details Deploy Prod / Generate Production URLs (push) Has been cancelled Details Deploy Prod / Frontend - Build and Deploy to Cloudflare Pages (prod) (push) Has been cancelled Details Deploy Prod / Helm upgrade/install (prod) (push) Has been cancelled Details	2025-10-17 16:04:52 +02:00
Lukáš Trkan	cb9ef5e461	feat(app): add sentry loging	2025-10-17 15:59:18 +02:00
Lukáš Trkan	b0cabe027f	add debug logging	2025-10-17 15:42:58 +02:00
Lukáš Trkan	8974561308	add debug logging	2025-10-17 15:14:10 +02:00
Lukáš Trkan	2f275ef605	fix(infrastructure): add frontend URL to CORS	2025-10-17 12:58:11 +02:00
Lukáš Trkan	d593f7a994	feat(infrastructure): move to secrets Some checks are pending Deploy Prod / Build and push image (reusable) (push) Waiting to run Details Deploy Prod / Generate Production URLs (push) Waiting to run Details Deploy Prod / Frontend - Build and Deploy to Cloudflare Pages (prod) (push) Blocked by required conditions Details Deploy Prod / Helm upgrade/install (prod) (push) Blocked by required conditions Details	2025-10-16 18:30:13 +02:00
Lukáš Trkan	ef5b3f2d30	feat(infrastructure): move to secrets	2025-10-16 18:25:06 +02:00
Lukáš Trkan	60109c4a35	fix(infrastructure): add oauth keys as secret	2025-10-16 18:18:19 +02:00
Lukáš Trkan	b6f9ee8fc7	fix(infrastructure): add missing slash	2025-10-16 18:11:19 +02:00
Lukáš Trkan	52333b24d5	Merge pull request #29 from dat515-2025/merge/deployment_envs fix(infrastructure): add env variables to deployment	2025-10-16 18:05:59 +02:00
Lukáš Trkan	8929920072	Potential fix for code scanning alert no. 9: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>	2025-10-16 18:04:04 +02:00
Lukáš Trkan	cdb6cf5e20	Update .github/workflows/deploy-pr.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-16 18:02:09 +02:00
Lukáš Trkan	5190e9c48e	fix(infrastructure): use correct runner	2025-10-16 18:00:07 +02:00
Lukáš Trkan	815bf7f065	fix(infrastructure): use correct runner	2025-10-16 17:50:39 +02:00
Lukáš Trkan	85a390565a	fix(infrastructure): use correct runner	2025-10-16 17:43:55 +02:00
Lukáš Trkan	20d26b7edc	fix(infrastructure): use correct runner	2025-10-16 17:42:16 +02:00
Lukáš Trkan	579dda50b9	fix(infrastructure): use correct runner	2025-10-16 17:42:02 +02:00
Lukáš Trkan	4f7d30daf6	fix(infrastructure): use correct runner	2025-10-16 17:32:00 +02:00
Lukáš Trkan	49c96187c9	fix(infrastructure): use correct runner	2025-10-16 17:17:41 +02:00
Lukáš Trkan	d1feafd4ef	fix(infrastructure): use correct runner	2025-10-16 17:12:01 +02:00
Lukáš Trkan	efb454ba99	fix(infrastructure): use correct runner	2025-10-16 17:06:06 +02:00
Lukáš Trkan	810f1ccb32	fix(infrastructure): use correct runner	2025-10-16 17:01:38 +02:00
Lukáš Trkan	c4afdf5ad2	fix(infrastructure): use correct runner	2025-10-16 15:10:33 +02:00
Lukáš Trkan	c290a109b6	fix(infrastructure): use variables, not secrets	2025-10-16 15:01:53 +02:00
Lukáš Trkan	7c161f6f37	fix(infrastructure): add env variables to deployment	2025-10-16 14:49:26 +02:00
Lukáš Trkan	c4991ea3c4	fix(infrastructure): add env variables to deployment	2025-10-16 14:47:16 +02:00
Lukáš Trkan	3b6b64d472	update report.md	2025-10-16 13:51:52 +02:00
ribardej	9bc543a5fa	feat(docs): weekly meeting	2025-10-16 13:27:53 +02:00
ribardej	14516a808b	feat(docs): this week meeting.md	2025-10-16 11:15:54 +02:00
ribardej	922ebf46ae	feat(docs): Catch up on report.md	2025-10-15 16:25:28 +02:00
ribardej	1f5d6f127f	feat(backend): fixed build errors regarding token in headers	2025-10-15 15:21:10 +02:00
ribardej	3a7580c315	feat(backend): added missing untracked files	2025-10-15 15:08:18 +02:00
ribardej	c21af2732e	feat(backend): implemented self delete for users	2025-10-15 11:11:04 +02:00
ribardej	f208e73986	feat(frontend): added account and appearance tabs	2025-10-15 11:00:47 +02:00
ribardej	eb087e457c	feat(frontend): improved and centered UI	2025-10-15 10:06:22 +02:00
ribardej	89d032dd69	feat(frontend): introduced a working frontend prototype	2025-10-14 11:34:25 +02:00
Lukáš Trkan	e200c73b47	fix(backend): use correct variable to register routers Some checks failed Deploy Prod / Build and push image (reusable) (push) Has been cancelled Details Deploy Prod / Frontend - Build and Deploy to Cloudflare Pages (prod) (push) Has been cancelled Details Deploy Prod / Helm upgrade/install (prod) (push) Has been cancelled Details	2025-10-13 17:11:31 +02:00
Dejan Ribarovski	ac10ab381e	Merge pull request #26 from dat515-2025/20-create-a-controller-layer-on-backend-side 20 create a controller layer on backend side	2025-10-13 14:05:05 +02:00
Dejan Ribarovski	879109144c	Merge branch 'main' into 20-create-a-controller-layer-on-backend-side	2025-10-13 14:03:24 +02:00
ribardej	7061e57442	Merge remote-tracking branch 'origin/20-create-a-controller-layer-on-backend-side' into 20-create-a-controller-layer-on-backend-side	2025-10-13 13:57:04 +02:00
ribardej	30068079c6	feat(backend): renamed endpoints for consistency	2025-10-13 13:56:44 +02:00
Dejan Ribarovski	9580bea630	Update 7project/backend/app/api/transactions.py Better error message Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-13 13:52:36 +02:00
Dejan Ribarovski	975f5e5bec	Update 7project/backend/app/api/transactions.py Better error message Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-13 13:52:24 +02:00
ribardej	f1065bc274	feat(backend): update consistent Pydantic v2 use everywhere	2025-10-13 13:50:59 +02:00
Dejan Ribarovski	12152238c6	Merge pull request #23 from dat515-2025/merge/oauth Some checks are pending Deploy Prod / Build and push image (reusable) (push) Waiting to run Details Deploy Prod / Frontend - Build and Deploy to Cloudflare Pages (prod) (push) Waiting to run Details Deploy Prod / Helm upgrade/install (prod) (push) Blocked by required conditions Details feat(auth): add support for OAuth and MojeID	2025-10-13 12:46:17 +02:00
Dejan Ribarovski	21ef5a3961	Merge pull request #25 from dat515-2025/merge/database_backups feat(infrastructure): add backups	2025-10-13 12:41:27 +02:00
ribardej	2f20fb12e4	feat(backend): implemented basic controller layer	2025-10-13 12:07:47 +02:00
Lukáš Trkan	bf213234b1	feat(infrastructure): add backups	2025-10-12 20:14:48 +02:00
Lukáš Trkan	95c8bf1e92	Update 7project/backend/app/app.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-11 22:25:04 +02:00
Lukáš Trkan	b213f22a15	feat(auth): refactor	2025-10-11 22:22:36 +02:00
Lukáš Trkan	0cf06b7bd9	feat(auth): add CustomOpenID class to force get_user_info implementation	2025-10-11 21:37:49 +02:00
Lukáš Trkan	7a67b12533	Update 7project/backend/alembic/versions/2025_10_11_2107-5ab2e654c96e_change_token_lenght.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-10-11 21:32:03 +02:00
Lukáš Trkan	a91aea805f	feat(auth): add BankID OAuth provider	2025-10-11 21:16:53 +02:00
Lukáš Trkan	32764ab1b0	feat(auth): allow updating custom fields from oauth, update MojeID	2025-10-11 20:34:36 +02:00
ribardej	6c248039ac	feat(backend): fixed DB user schema	2025-10-10 16:16:43 +02:00
Lukáš Trkan	df0f2584ae	feat(auth): add support for OAuth and MojeID	2025-10-10 15:58:40 +02:00
Lukáš Trkan	b7570e334f	feat(auth): add support for OAuth and MojeID	2025-10-10 15:51:18 +02:00
Lukáš Trkan	4ea6876b74	feat(infrastructure): add forgotten values.yaml	2025-10-10 13:57:43 +02:00
Lukáš Trkan	6d5dd1a222	feat(infrastructure): update deployment Some checks failed Deploy Prod / Build and push image (reusable) (push) Has been cancelled Details Deploy Prod / Frontend - Build and Deploy to Cloudflare Pages (prod) (push) Has been cancelled Details Deploy Prod / Helm upgrade/install (prod) (push) Has been cancelled Details	2025-10-09 18:51:17 +02:00
ribardej	f09f9eaa82	feat(infrastructure): redone the system diagram	2025-10-09 15:55:23 +02:00
Lukáš Trkan	ae10c4daff	Merge pull request #19 from dat515-2025/merge/basic_database_structure feat(models): add basic database structure	2025-10-09 15:24:11 +02:00