Merge pull request #46 from dat515-2025/merge/prometheus_custom_metrics

feat(prometheus): add custom metrics

.github/workflows/build-image.yaml

@@ -0,0 +1,105 @@
+name: Build and Push Image
+
+on:
+  workflow_call:
+    inputs:
+      mode:
+        description: "Build mode: 'prod' or 'pr'"
+        required: true
+        type: string
+      image_repo:
+        description: "Docker image repository (e.g., user/app)"
+        required: false
+        default: "lukastrkan/cc-app-demo"
+        type: string
+      context:
+        description: "Docker build context path"
+        required: false
+        default: "7project/backend"
+        type: string
+      pr_number:
+        description: "PR number (required when mode=pr)"
+        required: false
+        type: string
+    secrets:
+      DOCKER_USER:
+        required: true
+      DOCKER_PASSWORD:
+        required: true
+    outputs:
+      digest:
+        description: "Built image digest"
+        value: ${{ jobs.build.outputs.digest }}
+      image_repo:
+        description: "Image repository used"
+        value: ${{ jobs.build.outputs.image_repo }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.set.outputs.digest }}
+      image_repo: ${{ steps.set.outputs.image_repo }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Compute image repo and tags
+        id: meta
+        env:
+          MODE: ${{ inputs.mode }}
+          IMAGE_REPO: ${{ inputs.image_repo }}
+          PR: ${{ inputs.pr_number }}
+        run: |
+          set -euo pipefail
+          if [ -z "${IMAGE_REPO:-}" ]; then IMAGE_REPO="lukastrkan/cc-app-demo"; fi
+          echo "IMAGE_REPO=$IMAGE_REPO" >> $GITHUB_ENV
+          SHA_SHORT="${GITHUB_SHA::12}"
+          case "$MODE" in
+            prod)
+              TAG1="prod-$SHA_SHORT"
+              TAG2="latest"
+              ;;
+            pr)
+              if [ -z "${PR:-}" ]; then echo "pr_number input is required for mode=pr"; exit 1; fi
+              TAG1="pr-$PR"
+              TAG2="pr-$PR-$SHA_SHORT"
+              ;;
+            *)
+              echo "Unknown mode '$MODE' (expected 'prod' or 'pr')"; exit 1;
+              ;;
+          esac
+          echo "TAG1=$TAG1" >> $GITHUB_ENV
+          echo "TAG2=$TAG2" >> $GITHUB_ENV
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ inputs.context }}
+          push: true
+          tags: |
+            ${{ env.IMAGE_REPO }}:${{ env.TAG1 }}
+            ${{ env.IMAGE_REPO }}:${{ env.TAG2 }}
+          platforms: linux/amd64
+
+      - name: Set outputs
+        id: set
+        env:
+          IMAGE_REPO: ${{ env.IMAGE_REPO }}
+        run: |
+          echo "digest=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+          echo "image_repo=$IMAGE_REPO" >> $GITHUB_OUTPUT

.github/workflows/deploy-pr.yaml

@@ -0,0 +1,158 @@
+name: Deploy Preview (PR)
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, closed]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  test:
+    name: Run Python Tests
+    if: github.event.action != 'closed'
+    uses: ./.github/workflows/run-tests.yml
+
+  build:
+    if: github.event.action != 'closed'
+    name: Build and push image (reusable)
+    uses: ./.github/workflows/build-image.yaml
+    with:
+      mode: pr
+      image_repo: lukastrkan/cc-app-demo
+      context: 7project/backend
+      pr_number: ${{ github.event.pull_request.number }}
+    secrets: inherit
+
+  get_urls:
+    if: github.event.action != 'closed'
+    name: Generate Preview URLs
+    uses: ./.github/workflows/url_generator.yml
+    with:
+      runner: vhs
+      mode: pr
+      pr_number: ${{ github.event.pull_request.number }}
+      base_domain: ${{ vars.DEV_BASE_DOMAIN }}
+    secrets: inherit
+
+  frontend:
+    if: github.event.action != 'closed'
+    name: Frontend - Build and Deploy to Cloudflare Pages (PR)
+    needs: [get_urls]
+    uses: ./.github/workflows/frontend-pages.yml
+    with:
+      mode: pr
+      pr_number: ${{ github.event.pull_request.number }}
+      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
+    secrets: inherit
+
+  deploy:
+    if: github.event.action != 'closed'
+    name: Helm upgrade/install (PR preview)
+    runs-on: vhs
+    concurrency:
+      group: pr-${{ github.event.pull_request.number }}
+      cancel-in-progress: false
+    needs: [build, frontend, get_urls]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Configure kubeconfig
+        env:
+          KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          if [ -z "$KUBE_CONFIG" ]; then
+            echo "Secret KUBE_CONFIG is required (kubeconfig content)"; exit 1; fi
+          echo "$KUBE_CONFIG" > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Helm upgrade/install PR preview
+        env:
+          DEV_BASE_DOMAIN: ${{ secrets.BASE_DOMAIN }}
+          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
+          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+          DIGEST: ${{ needs.build.outputs.digest }}
+          DOMAIN: "${{ needs.get_urls.outputs.backend_url }}"
+          DOMAIN_SCHEME: "${{ needs.get_urls.outputs.backend_url_scheme }}"
+          FRONTEND_DOMAIN: "${{ needs.get_urls.outputs.frontend_url }}"
+          FRONTEND_DOMAIN_SCHEME: "${{ needs.get_urls.outputs.frontend_url_scheme }}"
+        run: |
+          PR=${{ github.event.pull_request.number }}
+          RELEASE=myapp-pr-$PR
+          NAMESPACE=pr-$PR
+          helm upgrade --install "$RELEASE" ./7project/charts/myapp-chart \
+            -n "$NAMESPACE" --create-namespace \
+            -f 7project/charts/myapp-chart/values-dev.yaml \
+            --set prNumber="$PR" \
+            --set deployment="pr-$PR" \
+            --set domain="$DOMAIN" \
+            --set domain_scheme="$DOMAIN_SCHEME" \
+            --set frontend_domain="$FRONTEND_DOMAIN" \
+            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
+            --set image.digest="$DIGEST" \
+            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
+            --set-string database.password="$DB_PASSWORD" \
+            --set-string database.encryptionSecret="$PR" \
+            --set-string app.name="finance-tracker-pr-$PR"
+
+      - name: Post preview URLs as PR comment
+        uses: actions/github-script@v7
+        env:
+          BACKEND_URL: ${{ needs.get_urls.outputs.backend_url_scheme }}
+          FRONTEND_URL: ${{ needs.get_urls.outputs.frontend_url_scheme }}
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            if (!pr) { core.setFailed('No pull_request context'); return; }
+            const prNumber = pr.number;
+            const backendUrl = process.env.BACKEND_URL || '(not available)';
+            const frontendUrl = process.env.FRONTEND_URL || '(not available)';
+            const marker = '<!-- preview-comment-marker -->';
+            const body = `${marker}\nPreview environment is running\n- Frontend: ${frontendUrl}\n- Backend: ${backendUrl}\n`;
+            const { owner, repo } = context.repo;
+            const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number: prNumber, per_page: 100 });
+            const existing = comments.find(c => c.body && c.body.includes(marker));
+            if (existing) {
+              await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
+            } else {
+              await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body });
+            }
+
+  uninstall:
+    if: github.event.action == 'closed'
+    name: Helm uninstall (PR preview)
+    runs-on: vhs
+    steps:
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Configure kubeconfig
+        env:
+          KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          if [ -z "$KUBE_CONFIG" ]; then
+            echo "Secret KUBE_CONFIG is required (kubeconfig content)"; exit 1; fi
+          echo "$KUBE_CONFIG" > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Helm uninstall release and cleanup namespace
+        run: |
+          PR=${{ github.event.pull_request.number }}
+          RELEASE=myapp-pr-$PR
+          NAMESPACE=pr-$PR
+          helm uninstall "$RELEASE" -n "$NAMESPACE" || true
+          # Optionally delete the namespace if empty
+          kubectl delete namespace "$NAMESPACE" --ignore-not-found=true || true

.github/workflows/deploy-prod.yaml

@@ -0,0 +1,114 @@
+name: Deploy Prod
+
+on:
+  push:
+    branches: [ "main" ]
+    paths:
+      - 7project/backend/**
+      - 7project/frontend/**
+      - 7project/charts/myapp-chart/**
+      - .github/workflows/deploy-prod.yaml
+      - .github/workflows/build-image.yaml
+      - .github/workflows/frontend-pages.yml
+  workflow_dispatch:
+
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-prod
+  cancel-in-progress: false
+
+jobs:
+  test:
+    name: Run Python Tests
+    uses: ./.github/workflows/run-tests.yml
+
+  build:
+    name: Build and push image (reusable)
+    uses: ./.github/workflows/build-image.yaml
+    with:
+      mode: prod
+      image_repo: lukastrkan/cc-app-demo
+      context: 7project/backend
+    secrets: inherit
+
+  get_urls:
+    name: Generate Production URLs
+    uses: ./.github/workflows/url_generator.yml
+    with:
+      mode: prod
+      runner: vhs
+      base_domain: ${{ vars.PROD_DOMAIN }}
+    secrets: inherit
+
+  frontend:
+    name: Frontend - Build and Deploy to Cloudflare Pages (prod)
+    needs: [get_urls]
+    uses: ./.github/workflows/frontend-pages.yml
+    with:
+      mode: prod
+      backend_url_scheme: ${{ needs.get_urls.outputs.backend_url_scheme }}
+    secrets: inherit
+
+  deploy:
+    name: Helm upgrade/install (prod)
+    runs-on: vhs
+    needs: [build, frontend, get_urls]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Configure kubeconfig
+        env:
+          KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          if [ -z "$KUBE_CONFIG" ]; then
+            echo "Secret KUBE_CONFIG is required (kubeconfig content)"; exit 1; fi
+          echo "$KUBE_CONFIG" > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Helm upgrade/install prod
+        env:
+          DOMAIN: ${{ needs.get_urls.outputs.backend_url }}
+          DOMAIN_SCHEME: ${{ needs.get_urls.outputs.backend_url_scheme }}
+          FRONTEND_DOMAIN: ${{ needs.get_urls.outputs.frontend_url }}
+          FRONTEND_DOMAIN_SCHEME: ${{ needs.get_urls.outputs.frontend_url_scheme }}
+          RABBITMQ_PASSWORD: ${{ secrets.PROD_RABBITMQ_PASSWORD }}
+          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+          DIGEST: ${{ needs.build.outputs.digest }}
+          BANKID_CLIENT_ID: ${{ secrets.BANKID_CLIENT_ID }}
+          BANKID_CLIENT_SECRET: ${{ secrets.BANKID_CLIENT_SECRET }}
+          MOJEID_CLIENT_ID: ${{ secrets.MOJEID_CLIENT_ID }}
+          MOJEID_CLIENT_SECRET: ${{ secrets.MOJEID_CLIENT_SECRET }}
+          CSAS_CLIENT_ID: ${{ secrets.CSAS_CLIENT_ID }}
+          CSAS_CLIENT_SECRET: ${{ secrets.CSAS_CLIENT_SECRET }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+        run: |
+          helm upgrade --install myapp ./7project/charts/myapp-chart \
+            -n prod --create-namespace \
+            -f 7project/charts/myapp-chart/values-prod.yaml \
+            --set deployment="prod" \
+            --set domain="$DOMAIN" \
+            --set domain_scheme="$DOMAIN_SCHEME" \
+            --set frontend_domain="$FRONTEND_DOMAIN" \
+            --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
+            --set image.digest="$DIGEST" \
+            --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
+            --set-string database.password="$DB_PASSWORD" \
+            --set-string oauth.bankid.clientId="$BANKID_CLIENT_ID" \
+            --set-string oauth.bankid.clientSecret="$BANKID_CLIENT_SECRET" \
+            --set-string oauth.mojeid.clientId="$MOJEID_CLIENT_ID" \
+            --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \
+            --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \
+            --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \
+            --set-string sentry_dsn="$SENTRY_DSN" \
+            --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}"

.github/workflows/frontend-pages.yml

@@ -0,0 +1,135 @@
+name: Frontend - Build and Deploy to Cloudflare Pages
+
+on:
+  workflow_call:
+    inputs:
+      mode:
+        description: "Build mode: 'prod' or 'pr'"
+        required: true
+        type: string
+      pr_number:
+        description: 'PR number (required when mode=pr)'
+        required: false
+        type: string
+      project_name:
+        description: 'Cloudflare Pages project name (overrides default)'
+        required: false
+        type: string
+      backend_url_scheme:
+        description: 'The full scheme URL for the backend (e.g., https://api.example.com)'
+        required: true
+        type: string
+    secrets:
+      CLOUDFLARE_API_TOKEN:
+        required: true
+      CLOUDFLARE_ACCOUNT_ID:
+        required: true
+    outputs:
+      deployed_url:
+        description: 'URL of deployed frontend'
+        value: ${{ jobs.deploy.outputs.deployed_url }}
+
+jobs:
+  build:
+    name: Build frontend
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: 7project/frontend
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: 7project/frontend/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Set backend URL from workflow input
+        run: |
+          echo "VITE_BACKEND_URL=${{ inputs.backend_url_scheme }}" >> $GITHUB_ENV
+
+      - name: Build
+        run: npm run build
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-dist
+          path: 7project/frontend/dist
+
+  deploy:
+    name: Deploy to Cloudflare Pages
+    needs: build
+    runs-on: ubuntu-latest
+    outputs:
+      deployed_url: ${{ steps.out.outputs.deployed_url }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: frontend-dist
+          path: dist
+
+      - name: Determine project name and branch
+        id: pname
+        env:
+          INPUT_MODE: ${{ inputs.mode }}
+          INPUT_PR: ${{ inputs.pr_number }}
+        run: |
+          set -euo pipefail
+          # Prefer manual input, then repo variable, fallback to repo-name
+          INPUT_NAME='${{ inputs.project_name }}'
+          VAR_NAME='${{ vars.CF_PAGES_PROJECT_NAME }}'
+          if [ -n "$INPUT_NAME" ]; then PNAME_RAW="$INPUT_NAME"; 
+          elif [ -n "$VAR_NAME" ]; then PNAME_RAW="$VAR_NAME"; 
+          else PNAME_RAW="${GITHUB_REPOSITORY##*/}-frontend"; fi
+          # Normalize project name to lowercase to satisfy Cloudflare Pages naming
+          PNAME="${PNAME_RAW,,}"
+          # Determine branch for Pages
+          if [ "${INPUT_MODE}" = "pr" ]; then
+            if [ -z "${INPUT_PR}" ]; then echo "pr_number is required when mode=pr"; exit 1; fi
+            PBRANCH="pr-${INPUT_PR}"
+          else
+            PBRANCH="main"
+          fi
+          echo "project_name=$PNAME" >> $GITHUB_OUTPUT
+          echo "branch=$PBRANCH" >> $GITHUB_OUTPUT
+
+      - name: Ensure Cloudflare Pages project exists
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          PNAME: ${{ steps.pname.outputs.project_name }}
+        run: |
+          set -euo pipefail
+          npx wrangler pages project create "$PNAME" --production-branch=main || true
+
+      - name: Deploy using Cloudflare Wrangler
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy dist --project-name=${{ steps.pname.outputs.project_name }} --branch=${{ steps.pname.outputs.branch }}
+
+      - name: Compute deployed URL
+        id: out
+        env:
+          PNAME: ${{ steps.pname.outputs.project_name }}
+          PBRANCH: ${{ steps.pname.outputs.branch }}
+        run: |
+          set -euo pipefail
+          if [ "$PBRANCH" = "main" ]; then
+            URL="https://${PNAME}.pages.dev"
+          else
+            URL="https://${PBRANCH}.${PNAME}.pages.dev"
+          fi
+          echo "deployed_url=$URL" >> $GITHUB_OUTPUT

.github/workflows/run-tests.yml

@@ -0,0 +1,61 @@
+name: Run Python Tests
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    services:
+      mariadb:
+        image: mariadb:11.4
+        env:
+          MARIADB_ROOT_PASSWORD: rootpw
+          MARIADB_DATABASE: group_project
+          MARIADB_USER: appuser
+          MARIADB_PASSWORD: apppass
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent"
+          --health-interval=5s
+          --health-timeout=2s
+          --health-retries=20
+
+    env:
+      MARIADB_HOST: 127.0.0.1
+      MARIADB_PORT: "3306"
+      MARIADB_DB: group_project
+      MARIADB_USER: appuser
+      MARIADB_PASSWORD: apppass
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Add test dependencies to requirements
+        run: |
+          echo "pytest==8.4.2" >> ./7project/backend/requirements.txt
+          echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r ./7project/backend/requirements.txt
+
+      - name: Run Alembic migrations
+        run: |
+          alembic upgrade head
+        working-directory: ./7project/backend
+
+      - name: Run tests with pytest
+        run: pytest
+        working-directory: ./7project/backend

.github/workflows/url_generator.yml

@@ -0,0 +1,74 @@
+name: Generate Preview or Production URLs
+
+on:
+  workflow_call:
+    inputs:
+      mode:
+        description: "Build mode: 'prod' or 'pr'"
+        required: true
+        type: string
+      pr_number:
+        description: 'PR number (required when mode=pr)'
+        required: false
+        type: string
+      runner:
+        description: 'The runner to use for this job'
+        required: false
+        type: string
+        default: 'ubuntu-latest'
+      base_domain:
+        description: 'The base domain for production URLs (e.g., example.com)'
+        required: true
+        type: string
+
+    outputs:
+      backend_url:
+        description: "The backend URL without scheme (e.g., api.example.com)"
+        value: ${{ jobs.generate-urls.outputs.backend_url }}
+      frontend_url:
+        description: "The frontend URL without scheme (e.g., app.example.com)"
+        value: ${{ jobs.generate-urls.outputs.frontend_url }}
+      backend_url_scheme:
+        description: "The backend URL with scheme (e.g., https://api.example.com)"
+        value: ${{ jobs.generate-urls.outputs.backend_url_scheme }}
+      frontend_url_scheme:
+        description: "The frontend URL with scheme (e.g., https://app.example.com)"
+        value: ${{ jobs.generate-urls.outputs.frontend_url_scheme }}
+
+jobs:
+  generate-urls:
+    permissions:
+      contents: none
+    runs-on: ${{ inputs.runner }}
+
+    outputs:
+      backend_url: ${{ steps.set_urls.outputs.backend_url }}
+      frontend_url: ${{ steps.set_urls.outputs.frontend_url }}
+      backend_url_scheme: ${{ steps.set_urls.outputs.backend_url_scheme }}
+      frontend_url_scheme: ${{ steps.set_urls.outputs.frontend_url_scheme }}
+
+    steps:
+      - name: Generate URLs
+        id: set_urls
+        env:
+          BASE_DOMAIN: ${{ inputs.base_domain }}
+        run: |
+          set -euo pipefail
+          
+          if [ "${{ inputs.mode }}" = "prod" ]; then
+            BACKEND_URL="api.${BASE_DOMAIN}"
+            FRONTEND_URL="finance.${BASE_DOMAIN}"
+          else
+            # This is your current logic
+            FRONTEND_URL="pr-${{ inputs.pr_number }}.group-8-frontend.pages.dev"
+            BACKEND_URL="api-pr-${{ inputs.pr_number }}.${BASE_DOMAIN}"
+          fi
+
+          FRONTEND_URL_SCHEME="https://$FRONTEND_URL"
+          BACKEND_URL_SCHEME="https://$BACKEND_URL"
+          
+          # This part correctly writes to GITHUB_OUTPUT for the step
+          echo "backend_url_scheme=$BACKEND_URL_SCHEME" >> $GITHUB_OUTPUT
+          echo "frontend_url_scheme=$FRONTEND_URL_SCHEME" >> $GITHUB_OUTPUT
+          echo "backend_url=$BACKEND_URL" >> $GITHUB_OUTPUT
+          echo "frontend_url=$FRONTEND_URL" >> $GITHUB_OUTPUT

.github/workflows/workflow.yml

@@ -1,54 +0,0 @@
-name: Build, Push and Update Image in Manifest
-
-on:
-  push:
-    branches: [ "main" ]
-    paths:
-      - 'backend/**'
-  workflow_dispatch:
-
-jobs:
-  build-and-update:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      packages: write
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Build and push Docker image
-        id: build
-        uses: docker/build-push-action@v5
-        with:
-          context: ./backend
-          push: true
-          tags: ${{ secrets.DOCKER_USER }}/cc-app-demo:latest
-
-      - name: Get image digest
-        run: echo "IMAGE_DIGEST=${{ steps.build.outputs.digest }}" >> $GITHUB_ENV
-
-      - name: Update manifests with new image digest
-        uses: OpsVerseIO/image-updater-action@0.1.0
-        with:
-          branch: main
-          targetBranch: main
-          createPR: 'false'
-          message: "${{ github.event.head_commit.message }}"
-          token: ${{ secrets.GITHUB_TOKEN }}
-          changes: |
-            {
-              "deployment/app-demo-deployment.yaml": {
-                "spec.template.spec.containers[0].image": "${{ secrets.DOCKER_USER }}/cc-app-demo@${{ env.IMAGE_DIGEST }}"
-              },
-              "deployment/app-demo-worker-deployment.yaml": {
-                "spec.template.spec.containers[0].image": "${{ secrets.DOCKER_USER }}/cc-app-demo@${{ env.IMAGE_DIGEST }}"
-              }
-            }

6design/design.md

@@ -45,11 +45,11 @@ flowchart LR
     proc_cron[Task planner] --> proc_queue
     proc_queue_worker --> ext_bank[(Bank API)]
     proc_queue_worker --> db
-    client[Client/UI] --> api[API Gateway / Web Server]
-    api --> svc[Web API]
+    client[Client/UI] <--> api[API Gateway / Web Server]
+    api <--> svc[Web API]
     svc --> proc_queue
-    svc --> db[(Database)]
-    svc --> cache[(Cache)]
+    svc <--> db[(Database)]
+    svc <--> cache[(Cache)]
 ```
 
 - Components and responsibilities: What does each box do?
@@ -169,6 +169,7 @@ flowchart TB
     planner --> queue
     
     worker --> db
+
 ```
 
 - Configuration & secrets: Env vars, secret manager, .env files (never commit secrets).

7project/backend/Dockerfile

@@ -1,7 +1,8 @@
 FROM python:3.11-slim
+
 WORKDIR /app
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
 EXPOSE 8000
-CMD alembic upgrade head && uvicorn app.app:app --host 0.0.0.0 --port 8000
+CMD alembic upgrade head && uvicorn app.app:fastApi --host 0.0.0.0 --port 8000

7project/backend/alembic.ini

@@ -11,7 +11,7 @@ script_location = %(here)s/alembic
 # Uncomment the line below if you want the files to be prepended with date and time
 # see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
 # for all available tokens
-# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
 
 # sys.path path, will be prepended to sys.path if present.
 # defaults to the current working directory.  for multiple paths, the path separator

7project/backend/alembic/env.py

@@ -23,9 +23,11 @@ if not DATABASE_URL:
     mariadb_password = os.getenv("MARIADB_PASSWORD", "strongpassword")
     DATABASE_URL = f"mysql+pymysql://{mariadb_user}:{mariadb_password}@{mariadb_host}:{mariadb_port}/{mariadb_db}"
 
-# Use synchronous driver for Alembic migrations
 SYNC_DATABASE_URL = DATABASE_URL.replace("+asyncmy", "+pymysql")
 
+host_env = os.getenv("MARIADB_HOST", "localhost")
+ssl_enabled = host_env not in {"localhost", "127.0.0.1"}
+connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {}
 
 def run_migrations_offline() -> None:
     context.configure(
@@ -39,7 +41,7 @@ def run_migrations_offline() -> None:
 
 
 def run_migrations_online() -> None:
-    connectable = create_engine(SYNC_DATABASE_URL, poolclass=pool.NullPool)
+    connectable = create_engine(SYNC_DATABASE_URL, poolclass=pool.NullPool, connect_args=connect_args)
     with connectable.connect() as connection:
         context.configure(
             connection=connection,

7project/backend/alembic/versions/2025_10_09_1456-63e072f09836_add_categories.py

@@ -1,8 +1,8 @@
-"""Init migration
+"""add categories
 
-Revision ID: 81f275275556
+Revision ID: 63e072f09836
 Revises: 
-Create Date: 2025-09-24 17:39:25.346690
+Create Date: 2025-10-09 14:56:14.653249
 
 """
 from typing import Sequence, Union
@@ -13,7 +13,7 @@ import sqlalchemy as sa
 
 
 # revision identifiers, used by Alembic.
-revision: str = '81f275275556'
+revision: str = '63e072f09836'
 down_revision: Union[str, Sequence[str], None] = None
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
@@ -22,12 +22,6 @@ depends_on: Union[str, Sequence[str], None] = None
 def upgrade() -> None:
     """Upgrade schema."""
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('transaction',
-    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
-    sa.Column('amount', sa.Float(), nullable=False),
-    sa.Column('description', sa.String(length=255), nullable=True),
-    sa.PrimaryKeyConstraint('id')
-    )
     op.create_table('user',
     sa.Column('first_name', sa.String(length=100), nullable=True),
     sa.Column('last_name', sa.String(length=100), nullable=True),
@@ -40,13 +34,38 @@ def upgrade() -> None:
     sa.PrimaryKeyConstraint('id')
     )
     op.create_index(op.f('ix_user_email'), 'user', ['email'], unique=True)
+    op.create_table('categories',
+    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('name', sa.String(length=100), nullable=False),
+    sa.Column('description', sa.String(length=255), nullable=True),
+    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('name')
+    )
+    op.create_table('transaction',
+    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('amount', sa.Float(), nullable=False),
+    sa.Column('description', sa.String(length=255), nullable=True),
+    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_table('category_transaction',
+    sa.Column('id_category', sa.Integer(), nullable=True),
+    sa.Column('id_transaction', sa.Integer(), nullable=True),
+    sa.ForeignKeyConstraint(['id_category'], ['categories.id'], ),
+    sa.ForeignKeyConstraint(['id_transaction'], ['transaction.id'], )
+    )
     # ### end Alembic commands ###
 
 
 def downgrade() -> None:
     """Downgrade schema."""
     # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('category_transaction')
+    op.drop_table('transaction')
+    op.drop_table('categories')
     op.drop_index(op.f('ix_user_email'), table_name='user')
     op.drop_table('user')
-    op.drop_table('transaction')
     # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_09_1514-390041bd839e_update_categories_unique.py

@@ -0,0 +1,34 @@
+"""update categories unique
+
+Revision ID: 390041bd839e
+Revises: 63e072f09836
+Create Date: 2025-10-09 15:14:31.557686
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '390041bd839e'
+down_revision: Union[str, Sequence[str], None] = '63e072f09836'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('name'), table_name='categories')
+    op.create_unique_constraint('uix_name_user_id', 'categories', ['name', 'user_id'])
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint('uix_name_user_id', 'categories', type_='unique')
+    op.create_index(op.f('name'), 'categories', ['name'], unique=True)
+    # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_10_1405-7af8f296d089_add_user_oauth.py

@@ -0,0 +1,48 @@
+"""add user oauth
+
+Revision ID: 7af8f296d089
+Revises: 390041bd839e
+Create Date: 2025-10-10 14:05:00.153376
+
+"""
+from typing import Sequence, Union
+
+import fastapi_users_db_sqlalchemy
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '7af8f296d089'
+down_revision: Union[str, Sequence[str], None] = '390041bd839e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('oauth_account',
+    sa.Column('id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('oauth_name', sa.String(length=100), nullable=False),
+    sa.Column('access_token', sa.String(length=1024), nullable=False),
+    sa.Column('expires_at', sa.Integer(), nullable=True),
+    sa.Column('refresh_token', sa.String(length=1024), nullable=True),
+    sa.Column('account_id', sa.String(length=320), nullable=False),
+    sa.Column('account_email', sa.String(length=320), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='cascade'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_oauth_account_account_id'), 'oauth_account', ['account_id'], unique=False)
+    op.create_index(op.f('ix_oauth_account_oauth_name'), 'oauth_account', ['oauth_name'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_oauth_account_oauth_name'), table_name='oauth_account')
+    op.drop_index(op.f('ix_oauth_account_account_id'), table_name='oauth_account')
+    op.drop_table('oauth_account')
+    # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_11_2107-5ab2e654c96e_change_token_lenght.py

@@ -0,0 +1,38 @@
+"""change token length
+
+Revision ID: 5ab2e654c96e
+Revises: 7af8f296d089
+Create Date: 2025-10-11 21:07:41.930470
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = '5ab2e654c96e'
+down_revision: Union[str, Sequence[str], None] = '7af8f296d089'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('oauth_account', 'access_token',
+               existing_type=mysql.VARCHAR(length=1024),
+               type_=sa.String(length=4096),
+               existing_nullable=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('oauth_account', 'access_token',
+               existing_type=sa.String(length=4096),
+               type_=mysql.VARCHAR(length=1024),
+               existing_nullable=False)
+    # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_21_1856-eabec90a94fe_add_config_to_user.py

@@ -0,0 +1,32 @@
+"""add config to user
+
+Revision ID: eabec90a94fe
+Revises: 5ab2e654c96e
+Create Date: 2025-10-21 18:56:42.085973
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'eabec90a94fe'
+down_revision: Union[str, Sequence[str], None] = '5ab2e654c96e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('user', sa.Column('config', sa.JSON(), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('user', 'config')
+    # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_22_1618-1f2a3c4d5e6f_add_date_to_transaction.py

@@ -0,0 +1,32 @@
+"""add date to transaction
+
+Revision ID: 1f2a3c4d5e6f
+Revises: eabec90a94fe
+Create Date: 2025-10-22 16:18:00
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.sql import func
+
+# revision identifiers, used by Alembic.
+revision: str = '1f2a3c4d5e6f'
+down_revision: Union[str, Sequence[str], None] = 'eabec90a94fe'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema by adding date column with server default current_date."""
+    op.add_column(
+        'transaction',
+        sa.Column('date', sa.Date(), nullable=False, server_default=sa.text('CURRENT_DATE'))
+    )
+
+
+
+def downgrade() -> None:
+    """Downgrade schema by removing date column."""
+    op.drop_column('transaction', 'date')

7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py

@@ -0,0 +1,47 @@
+"""Add encrypted type
+
+Revision ID: 46b9e702e83f
+Revises: 1f2a3c4d5e6f
+Create Date: 2025-10-29 13:26:24.568523
+
+"""
+from typing import Sequence, Union
+
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = '46b9e702e83f'
+down_revision: Union[str, Sequence[str], None] = '1f2a3c4d5e6f'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('transaction', 'amount',
+               existing_type=mysql.FLOAT(),
+               type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               existing_nullable=False)
+    op.alter_column('transaction', 'description',
+               existing_type=mysql.VARCHAR(length=255),
+               type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               existing_nullable=True)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('transaction', 'description',
+               existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               type_=mysql.VARCHAR(length=255),
+               existing_nullable=True)
+    op.alter_column('transaction', 'amount',
+               existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               type_=mysql.FLOAT(),
+               existing_nullable=False)
+    # ### end Alembic commands ###

7project/backend/alembic/versions/2025_10_30_1342-59cebf320c4a_cascade_categories.py

@@ -0,0 +1,46 @@
+"""Cascade categories
+
+Revision ID: 59cebf320c4a
+Revises: 46b9e702e83f
+Create Date: 2025-10-30 13:42:44.555284
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = '59cebf320c4a'
+down_revision: Union[str, Sequence[str], None] = '46b9e702e83f'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('category_transaction', sa.Column('category_id', sa.Integer(), nullable=False))
+    op.add_column('category_transaction', sa.Column('transaction_id', sa.Integer(), nullable=False))
+    op.drop_constraint(op.f('category_transaction_ibfk_2'), 'category_transaction', type_='foreignkey')
+    op.drop_constraint(op.f('category_transaction_ibfk_1'), 'category_transaction', type_='foreignkey')
+    op.create_foreign_key(None, 'category_transaction', 'transaction', ['transaction_id'], ['id'], ondelete='CASCADE')
+    op.create_foreign_key(None, 'category_transaction', 'categories', ['category_id'], ['id'], ondelete='CASCADE')
+    op.drop_column('category_transaction', 'id_category')
+    op.drop_column('category_transaction', 'id_transaction')
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('category_transaction', sa.Column('id_transaction', mysql.INTEGER(display_width=11), autoincrement=False, nullable=True))
+    op.add_column('category_transaction', sa.Column('id_category', mysql.INTEGER(display_width=11), autoincrement=False, nullable=True))
+    op.drop_constraint(None, 'category_transaction', type_='foreignkey')
+    op.drop_constraint(None, 'category_transaction', type_='foreignkey')
+    op.create_foreign_key(op.f('category_transaction_ibfk_1'), 'category_transaction', 'categories', ['id_category'], ['id'])
+    op.create_foreign_key(op.f('category_transaction_ibfk_2'), 'category_transaction', 'transaction', ['id_transaction'], ['id'])
+    op.drop_column('category_transaction', 'transaction_id')
+    op.drop_column('category_transaction', 'category_id')
+    # ### end Alembic commands ###

7project/backend/app/api/auth.py

@@ -0,0 +1,66 @@
+from fastapi import APIRouter, Depends, status
+from fastapi_users import models
+from fastapi_users.manager import BaseUserManager
+
+from app.schemas.user import UserCreate, UserRead, UserUpdate
+from app.services.user_service import auth_backend, fastapi_users
+
+router = APIRouter()
+
+@router.delete(
+    "/users/me",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["users"],
+    summary="Delete current user",
+    response_description="The user has been successfully deleted.",
+)
+async def delete_me(
+    user: models.UserProtocol = Depends(fastapi_users.current_user(active=True)),
+    user_manager: BaseUserManager = Depends(fastapi_users.get_user_manager),
+):
+    """
+    Delete the currently authenticated user.
+    """
+    await user_manager.delete(user)
+
+# Keep existing paths as-is under /auth/* and /users/*
+from fastapi import Request, Response
+from app.core.security import revoke_token, extract_bearer_token
+
+
+@router.post(
+    "/auth/jwt/logout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["auth"],
+    summary="Log out and revoke current token",
+)
+async def custom_logout(request: Request) -> Response:
+    """Revoke the current bearer token so it cannot be used anymore."""
+    token = extract_bearer_token(request)
+    if token:
+        revoke_token(token)
+    return Response(status_code=status.HTTP_204_NO_CONTENT)
+
+router.include_router(
+    fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
+)
+router.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_reset_password_router(),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_verify_router(UserRead),
+    prefix="/auth",
+    tags=["auth"],
+)
+router.include_router(
+    fastapi_users.get_users_router(UserRead, UserUpdate),
+    prefix="/users",
+    tags=["users"],
+)

7project/backend/app/api/categories.py

@@ -0,0 +1,108 @@
+from typing import List
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, delete
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.categories import Category
+from app.schemas.category import CategoryCreate, CategoryRead, CategoryUpdate
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/categories", tags=["categories"])
+
+
+@router.post("/create", response_model=CategoryRead, status_code=status.HTTP_201_CREATED)
+async def create_category(
+    payload: CategoryCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Enforce per-user unique name via query to provide 409 feedback
+    res = await session.execute(
+        select(Category).where(Category.user_id == user.id, Category.name == payload.name)
+    )
+    existing = res.scalar_one_or_none()
+    if existing:
+        raise HTTPException(status_code=409, detail="Category with this name already exists")
+
+    category = Category(name=payload.name, description=payload.description, user_id=user.id)
+    session.add(category)
+    await session.commit()
+    await session.refresh(category)
+    return category
+
+
+@router.get("/", response_model=List[CategoryRead])
+async def list_categories(
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(select(Category).where(Category.user_id == user.id))
+    return list(res.scalars())
+
+
+@router.patch("/{category_id}", response_model=CategoryRead)
+async def update_category(
+    category_id: int,
+    payload: CategoryUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    category = res.scalar_one_or_none()
+    if not category:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    # If name changed, check uniqueness per user
+    if payload.name is not None and payload.name != category.name:
+        dup = await session.execute(
+            select(Category.id).where(Category.user_id == user.id, Category.name == payload.name)
+        )
+        if dup.scalar_one_or_none() is not None:
+            raise HTTPException(status_code=409, detail="Category with this name already exists")
+        category.name = payload.name
+
+    if payload.description is not None:
+        category.description = payload.description
+
+    await session.commit()
+    await session.refresh(category)
+    return category
+
+
+@router.get("/{category_id}", response_model=CategoryRead)
+async def get_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    category = res.scalar_one_or_none()
+    if not category:
+        raise HTTPException(status_code=404, detail="Category not found")
+    return category
+
+
+@router.delete("/{category_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_category(
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Category.id).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    if res.scalar_one_or_none() is None:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.execute(
+        delete(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    await session.commit()
+    return None

7project/backend/app/api/csas.py

@@ -0,0 +1,40 @@
+import json
+import os
+
+from fastapi import APIRouter
+from fastapi.params import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.user import User
+from app.oauth.csas import CSASOAuth
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+
+router = APIRouter(prefix="/auth/csas", tags=["csas"])
+
+CLIENT_ID = os.getenv("CSAS_CLIENT_ID")
+CLIENT_SECRET = os.getenv("CSAS_CLIENT_SECRET")
+CSAS_OAUTH = CSASOAuth(CLIENT_ID, CLIENT_SECRET)
+
+
+@router.get("/authorize")
+async def csas_authorize():
+    return {"authorization_url":
+                await CSAS_OAUTH.get_authorization_url(os.getenv("FRONTEND_DOMAIN_SCHEME") + "/auth/csas/callback")}
+
+
+@router.get("/callback")
+async def csas_callback(code: str, session: AsyncSession = Depends(get_async_session),
+                        user: User = Depends(current_active_user)):
+    response = await CSAS_OAUTH.get_access_token(code, os.getenv("FRONTEND_DOMAIN_SCHEME") + "/auth/csas/callback")
+
+    if not user.config:
+        user.config = {}
+
+    new_dict = user.config.copy()
+    new_dict["csas"] = json.dumps(response)
+
+    user.config = new_dict
+    await session.commit()
+
+    return "OK"

7project/backend/app/api/transactions.py

@@ -0,0 +1,280 @@
+from typing import List, Optional
+from datetime import date
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, and_, func
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.transaction import Transaction
+from app.models.categories import Category
+from app.schemas.transaction import (
+    TransactionCreate,
+    TransactionRead,
+    TransactionUpdate,
+)
+from app.services.db import get_async_session
+from app.services.user_service import current_active_user
+from app.models.user import User
+
+router = APIRouter(prefix="/transactions", tags=["transactions"])
+
+
+def _to_read_model(tx: Transaction) -> TransactionRead:
+    return TransactionRead(
+        id=tx.id,
+        amount=tx.amount,
+        description=tx.description,
+        date=tx.date,
+        category_ids=[c.id for c in (tx.categories or [])],
+    )
+
+
+@router.post("/create", response_model=TransactionRead, status_code=status.HTTP_201_CREATED)
+async def create_transaction(
+    payload: TransactionCreate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Build transaction; set `date` only if provided to let DB default apply otherwise
+    tx_kwargs = dict(
+        amount=payload.amount,
+        description=payload.description,
+        user_id=user.id,
+    )
+    if payload.date is not None:
+        parsed_date = payload.date
+        if isinstance(parsed_date, str):
+            try:
+                parsed_date = date.fromisoformat(parsed_date)
+            except ValueError:
+                raise HTTPException(status_code=400, detail="Invalid date format, expected YYYY-MM-DD")
+        tx_kwargs["date"] = parsed_date
+    tx = Transaction(**tx_kwargs)
+
+    # Attach categories if provided (and owned by user)
+    if payload.category_ids:
+        res = await session.execute(
+            select(Category).where(
+                Category.user_id == user.id, Category.id.in_(payload.category_ids)
+            )
+        )
+        categories = list(res.scalars())
+        if len(categories) != len(set(payload.category_ids)):
+            raise HTTPException(
+                status_code=400,
+                detail="Duplicate category IDs provided or one or more categories not found"
+            )
+        tx.categories = categories
+
+    session.add(tx)
+    await session.commit()
+    await session.refresh(tx)
+    # Ensure categories are loaded
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.get("/", response_model=List[TransactionRead])
+async def list_transactions(
+    start_date: Optional[date] = None,
+    end_date: Optional[date] = None,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    cond = [Transaction.user_id == user.id]
+    if start_date is not None:
+        cond.append(Transaction.date >= start_date)
+    if end_date is not None:
+        cond.append(Transaction.date <= end_date)
+    res = await session.execute(
+        select(Transaction).where(and_(*cond)).order_by(Transaction.date, Transaction.id)
+    )
+    txs = list(res.scalars())
+    # Eagerly load categories for each transaction
+    for tx in txs:
+        await session.refresh(tx, attribute_names=["categories"])
+    return [_to_read_model(tx) for tx in txs]
+
+
+@router.get("/balance_series")
+async def get_balance_series(
+    start_date: Optional[date] = None,
+    end_date: Optional[date] = None,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    cond = [Transaction.user_id == user.id]
+    if start_date is not None:
+        cond.append(Transaction.date >= start_date)
+    if end_date is not None:
+        cond.append(Transaction.date <= end_date)
+    res = await session.execute(
+        select(Transaction).where(and_(*cond)).order_by(Transaction.date, Transaction.id)
+    )
+    txs = list(res.scalars())
+    # Group by date and accumulate
+    daily = {}
+    for tx in txs:
+        key = tx.date.isoformat() if hasattr(tx.date, 'isoformat') else str(tx.date)
+        daily[key] = daily.get(key, 0.0) + float(tx.amount)
+    # Build cumulative series sorted by date
+    series = []
+    running = 0.0
+    for d in sorted(daily.keys()):
+        running += daily[d]
+        series.append({"date": d, "balance": running})
+    return series
+
+
+@router.get("/{transaction_id}", response_model=TransactionRead)
+async def get_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.patch("/{transaction_id}/edit", response_model=TransactionRead)
+async def update_transaction(
+    transaction_id: int,
+    payload: TransactionUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    if payload.amount is not None:
+        tx.amount = payload.amount
+    if payload.description is not None:
+        tx.description = payload.description
+    if payload.date is not None:
+        new_date = payload.date
+        if isinstance(new_date, str):
+            try:
+                new_date = date.fromisoformat(new_date)
+            except ValueError:
+                raise HTTPException(status_code=400, detail="Invalid date format, expected YYYY-MM-DD")
+        tx.date = new_date
+
+    if payload.category_ids is not None:
+        # Preload categories to avoid async lazy-load during assignment
+        await session.refresh(tx, attribute_names=["categories"])
+        if payload.category_ids:
+            # Check for duplicate category IDs in the payload
+            if len(payload.category_ids) != len(set(payload.category_ids)):
+                raise HTTPException(status_code=400, detail="Duplicate category IDs in payload")
+            res = await session.execute(
+                select(Category).where(
+                    Category.user_id == user.id, Category.id.in_(payload.category_ids)
+                )
+            )
+            categories = list(res.scalars())
+            if len(categories) != len(payload.category_ids):
+                raise HTTPException(status_code=400, detail="One or more categories not found")
+            tx.categories = categories
+        else:
+            tx.categories = []
+
+    await session.commit()
+    await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/delete", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_transaction(
+    transaction_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx = res.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    await session.delete(tx)
+    await session.commit()
+    return None
+
+
+@router.post("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def assign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    # Load transaction and category ensuring ownership
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat not in tx.categories:
+        tx.categories.append(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)
+
+
+@router.delete("/{transaction_id}/categories/{category_id}", response_model=TransactionRead)
+async def unassign_category(
+    transaction_id: int,
+    category_id: int,
+    session: AsyncSession = Depends(get_async_session),
+    user: User = Depends(current_active_user),
+):
+    res_tx = await session.execute(
+        select(Transaction).where(
+            Transaction.id == transaction_id, Transaction.user_id == user.id
+        )
+    )
+    tx: Optional[Transaction] = res_tx.scalar_one_or_none()
+    if not tx:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+
+    res_cat = await session.execute(
+        select(Category).where(Category.id == category_id, Category.user_id == user.id)
+    )
+    cat: Optional[Category] = res_cat.scalar_one_or_none()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+
+    await session.refresh(tx, attribute_names=["categories"])
+    if cat in tx.categories:
+        tx.categories.remove(cat)
+        await session.commit()
+        await session.refresh(tx, attribute_names=["categories"])
+    return _to_read_model(tx)

7project/backend/app/app.py

@@ -0,0 +1,176 @@
+import logging
+import os
+import sys
+from datetime import datetime
+from pythonjsonlogger import jsonlogger
+
+from fastapi import Depends, FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from prometheus_fastapi_instrumentator import Instrumentator, metrics
+from starlette.requests import Request
+
+from app.services.prometheus import number_of_users, number_of_transactions
+
+from app.services import bank_scraper
+from app.workers.celery_tasks import load_transactions, load_all_transactions
+from app.models.user import User, OAuthAccount
+
+from app.services.user_service import current_active_verified_user
+from app.api.auth import router as auth_router
+from app.api.csas import router as csas_router
+from app.api.categories import router as categories_router
+from app.api.transactions import router as transactions_router
+from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, \
+    UserManager, get_jwt_strategy
+from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt
+from app.services.user_service import SECRET
+
+from fastapi import FastAPI
+import sentry_sdk
+from fastapi_users.db import SQLAlchemyUserDatabase
+from app.core.db import async_session_maker
+
+sentry_sdk.init(
+    dsn=os.getenv("SENTRY_DSN"),
+    send_default_pii=True,
+)
+
+fastApi = FastAPI()
+
+# CORS for frontend dev server
+fastApi.add_middleware(
+    CORSMiddleware,
+    allow_origins=[
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+        os.getenv("FRONTEND_DOMAIN_SCHEME", "")
+    ],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+prometheus = Instrumentator().instrument(fastApi)
+
+# Register custom metrics
+prometheus.add(number_of_users()).add(number_of_transactions())
+
+prometheus.expose(
+    fastApi,
+    endpoint="/metrics",
+    include_in_schema=True,
+)
+
+fastApi.include_router(auth_router)
+fastApi.include_router(categories_router)
+fastApi.include_router(transactions_router)
+
+
+for h in list(logging.root.handlers):
+    logging.root.removeHandler(h)
+
+_log_handler = logging.StreamHandler(sys.stdout)
+_formatter = jsonlogger.JsonFormatter(
+    fmt='%(asctime)s %(levelname)s %(name)s %(message)s %(pathname)s %(lineno)d %(process)d %(thread)d'
+)
+_log_handler.setFormatter(_formatter)
+
+logging.root.setLevel(logging.INFO)
+logging.root.addHandler(_log_handler)
+
+
+for _name in ("uvicorn", "uvicorn.error", "uvicorn.access"):
+    _logger = logging.getLogger(_name)
+    _logger.handlers = [_log_handler]
+    _logger.propagate = True
+
+
+@fastApi.middleware("http")
+async def auth_guard(request: Request, call_next):
+    # Enforce revoked/expired JWTs are rejected globally
+    token = extract_bearer_token(request)
+    if token:
+        from fastapi import Response, status as _status
+        # Deny if token is revoked
+        if is_token_revoked(token):
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+        # Deny if token is expired or invalid
+        try:
+            decode_and_verify_jwt(token, SECRET)
+        except Exception:
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+    return await call_next(request)
+
+
+@fastApi.middleware("http")
+async def log_traffic(request: Request, call_next):
+    start_time = datetime.now()
+    response = await call_next(request)
+    process_time = (datetime.now() - start_time).total_seconds()
+    client_host = request.client.host
+    log_params = {
+        "request_method": request.method,
+        "request_url": str(request.url),
+        "request_size": request.headers.get("content-length"),
+        "request_headers": dict(request.headers),
+        "response_status": response.status_code,
+        "response_size": response.headers.get("content-length"),
+        "response_headers": dict(response.headers),
+        "process_time": process_time,
+        "client_host": client_host
+    }
+    logging.getLogger(__name__).info("http_request", extra=log_params)
+    return response
+
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("MojeID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+        redirect_url=os.getenv("FRONTEND_DOMAIN_SCHEME", "http://localhost:3000") + "/auth/mojeid/callback",
+    ),
+    prefix="/auth/mojeid",
+    tags=["auth"],
+)
+
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        get_oauth_provider("BankID"),
+        auth_backend,
+        "SECRET",
+        associate_by_email=True,
+        redirect_url=os.getenv("FRONTEND_DOMAIN_SCHEME", "http://localhost:3000") + "/auth/bankid/callback",
+    ),
+    prefix="/auth/bankid",
+    tags=["auth"],
+)
+
+fastApi.include_router(csas_router)
+
+
+# Liveness/root endpoint
+@fastApi.get("/", include_in_schema=False)
+async def root():
+    return {"status": "ok"}
+
+
+@fastApi.get("/authenticated-route")
+async def authenticated_route(user: User = Depends(current_active_verified_user)):
+    return {"message": f"Hello {user.email}!"}
+
+
+@fastApi.get("/debug/scrape/csas/all", tags=["debug"])
+async def debug_scrape_csas_all():
+    logging.info("[Debug] Queueing CSAS scrape for all users via HTTP endpoint (Celery)")
+    task = load_all_transactions.delay()
+    return {"status": "queued", "action": "csas_scrape_all", "task_id": getattr(task, 'id', None)}
+
+
+@fastApi.post("/debug/scrape/csas/{user_id}", tags=["debug"])
+async def debug_scrape_csas_user(user_id: str, user: User = Depends(current_active_verified_user)):
+    logging.info("[Debug] Queueing CSAS scrape for single user via HTTP endpoint (Celery) | user_id=%s", user_id)
+    task = load_transactions.delay(user_id)
+    return {"status": "queued", "action": "csas_scrape_single", "user_id": user_id,
+            "task_id": getattr(task, 'id', None)}

7project/backend/app/celery_app.py

@@ -0,0 +1,50 @@
+import os
+from celery import Celery
+
+if os.getenv("RABBITMQ_URL"):
+    RABBITMQ_URL = os.getenv("RABBITMQ_URL")  # type: ignore
+else:
+    from urllib.parse import quote
+
+    username = os.getenv("RABBITMQ_USERNAME", "user")
+    password = os.getenv("RABBITMQ_PASSWORD", "bitnami123")
+    host = os.getenv("RABBITMQ_HOST", "localhost")
+    port = os.getenv("RABBITMQ_PORT", "5672")
+    vhost = os.getenv("RABBITMQ_VHOST", "/")
+    use_ssl = os.getenv("RABBITMQ_USE_SSL", "0").lower() in {"1", "true", "yes"}
+    scheme = "amqps" if use_ssl else "amqp"
+
+    # Kombu uses '//' to denote the default '/' vhost. For custom vhosts, URL-encode them.
+    if vhost in ("/", ""):
+        vhost_path = "/"  # will become '//' after concatenation below
+    else:
+        vhost_path = f"/{quote(vhost, safe='')}"
+
+    # Ensure we end up with e.g. amqp://user:pass@host:5672// (for '/')
+    RABBITMQ_URL = f"{scheme}://{username}:{password}@{host}:{port}{vhost_path}"
+    if vhost in ("/", "") and not RABBITMQ_URL.endswith("//"):
+        RABBITMQ_URL += "/"
+
+DEFAULT_QUEUE = os.getenv("MAIL_QUEUE", "mail_queue")
+
+CELERY_BACKEND = os.getenv("CELERY_BACKEND", "rpc://")
+
+celery_app = Celery(
+    "app",
+    broker=RABBITMQ_URL,
+    # backend=CELERY_BACKEND,
+)
+celery_app.autodiscover_tasks(["app.workers"], related_name="celery_tasks")  # discover app.workers.celery_tasks
+
+celery_app.set_default()
+
+celery_app.conf.update(
+    task_default_queue=DEFAULT_QUEUE,
+    task_acks_late=True,
+    worker_prefetch_multiplier=int(os.getenv("CELERY_PREFETCH", "1")),
+    task_serializer="json",
+    result_serializer="json",
+    accept_content=["json"],
+)
+
+__all__ = ["celery_app"]

7project/backend/app/core/db.py

@@ -17,8 +17,10 @@ if not DATABASE_URL:
 # Load all models to register them
 from app.models.user import User
 from app.models.transaction import Transaction
+from app.models.categories import Category
 
-ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost"
+host_env = os.getenv("MARIADB_HOST", "localhost")
+ssl_enabled = host_env not in {"localhost", "127.0.0.1"}
 connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {}
 
 engine = create_async_engine(

7project/backend/app/core/queue.py

@@ -0,0 +1,6 @@
+import app.celery_app  # noqa: F401
+from app.workers.celery_tasks import send_email
+
+
+def enqueue_email(to: str, subject: str, body: str) -> None:
+    send_email.delay(to, subject, body)

7project/backend/app/core/security.py

@@ -0,0 +1,52 @@
+from typing import Optional
+import re
+import jwt
+from fastapi import Request
+
+# Simple in-memory revocation store for revoked JWT tokens.
+# 
+# Limitations:
+# - All revoked tokens will be lost if the process restarts (data loss on restart).
+# - Not suitable for multi-instance deployments: the revocation list is not shared between instances.
+#   A token revoked in one instance will not be recognized as revoked in others.
+# 
+# For production, use a persistent and shared store (e.g., Redis or a database).
+_REVOKED_TOKENS: set[str] = set()
+
+# Bearer token regex
+_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$")
+
+
+def extract_bearer_token(request: Request) -> Optional[str]:
+    auth = request.headers.get("authorization")
+    if not auth:
+        return None
+    m = _BEARER_RE.match(auth)
+    if not m:
+        return None
+    return m.group(1).strip()
+
+
+def revoke_token(token: str) -> None:
+    if token:
+        _REVOKED_TOKENS.add(token)
+
+
+def is_token_revoked(token: str) -> bool:
+    return token in _REVOKED_TOKENS
+
+
+def decode_and_verify_jwt(token: str, secret: str) -> dict:
+    """
+    Decode the JWT using the shared secret, verifying expiration and signature.
+    Audience is not verified here to be compatible with fastapi-users default tokens.
+    Raises jwt.ExpiredSignatureError if expired.
+    Raises jwt.InvalidTokenError for other issues.
+    Returns the decoded payload dict on success.
+    """
+    return jwt.decode(
+        token,
+        secret,
+        algorithms=["HS256"],
+        options={"verify_aud": False},
+    )  # verify_exp is True by default

7project/backend/app/models/categories.py

@@ -0,0 +1,25 @@
+from fastapi_users_db_sqlalchemy import GUID
+from sqlalchemy import Column, Integer, String, ForeignKey, Table, UniqueConstraint
+from sqlalchemy.orm import relationship
+
+from app.core.base import Base
+
+association_table = Table(
+    "category_transaction",
+    Base.metadata,
+    Column("category_id", Integer, ForeignKey("categories.id", ondelete="CASCADE"), primary_key=True),
+    Column("transaction_id", Integer, ForeignKey("transaction.id", ondelete="CASCADE"), primary_key=True)
+)
+
+
+class Category(Base):
+    __tablename__ = "categories"
+    __table_args__ = (
+        UniqueConstraint("name", "user_id", name="uix_name_user_id"),
+    )
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(length=100), nullable=False)
+    description = Column(String(length=255), nullable=True)
+    user_id = Column(GUID, ForeignKey("user.id"), nullable=False)
+    user = relationship("User", back_populates="categories")
+    transactions = relationship("Transaction", secondary=association_table, back_populates="categories")

7project/backend/app/models/transaction.py

@@ -0,0 +1,24 @@
+import os
+from fastapi_users_db_sqlalchemy import GUID
+from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func
+from sqlalchemy.orm import relationship
+from sqlalchemy_utils import EncryptedType
+from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine
+
+from app.core.base import Base
+from app.models.categories import association_table
+
+SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev")
+
+
+class Transaction(Base):
+    __tablename__ = "transaction"
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False)
+    description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True)
+    date = Column(Date, nullable=False, server_default=func.current_date())
+    user_id = Column(GUID, ForeignKey("user.id"), nullable=False)
+
+    # Relationship
+    user = relationship("User", back_populates="transactions")
+    categories = relationship("Category", secondary=association_table, back_populates="transactions", passive_deletes=True)

7project/backend/app/models/user.py

@@ -0,0 +1,22 @@
+from sqlalchemy import Column, String
+from sqlalchemy.orm import relationship, mapped_column, Mapped
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
+from sqlalchemy.sql.sqltypes import JSON
+
+from app.core.base import Base
+
+
+class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
+    # BankID token is longer than default
+    access_token: Mapped[str] = mapped_column(String(length=4096), nullable=False)
+
+
+class User(SQLAlchemyBaseUserTableUUID, Base):
+    first_name = Column(String(length=100), nullable=True)
+    last_name = Column(String(length=100), nullable=True)
+    oauth_accounts = relationship("OAuthAccount", lazy="joined")
+    config = Column(JSON, default={})
+
+    # Relationship
+    transactions = relationship("Transaction", back_populates="user")
+    categories = relationship("Category", back_populates="user")

7project/backend/app/oauth/bank_id.py

@@ -0,0 +1,50 @@
+import secrets
+from typing import Optional, Literal
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class BankID(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://oidc.sandbox.bankid.cz/.well-known/openid-configuration",
+            "BankID",
+            base_scopes=["openid", "profile.email", "profile.name"],
+        )
+
+    async def get_user_info(self, token: str) -> dict:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        if extras_params is None:
+            extras_params = {}
+
+        # BankID requires random nonce parameter for security
+        # https://developer.bankid.cz/docs/security_sep
+        extras_params["nonce"] = secrets.token_urlsafe()
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )

7project/backend/app/oauth/csas.py

@@ -0,0 +1,33 @@
+import os
+from os.path import dirname, join
+from typing import Optional, Any
+
+import httpx
+from httpx_oauth.exceptions import GetProfileError
+from httpx_oauth.oauth2 import BaseOAuth2
+
+import app.services.db
+
+BASE_DIR = dirname(__file__)
+certs = (
+    join(BASE_DIR, "public_key.pem"),
+    join(BASE_DIR, "private_key.key")
+)
+
+class CSASOAuth(BaseOAuth2):
+
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            base_scopes=["aisp"],
+            authorize_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/auth",
+            access_token_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/token",
+            refresh_token_endpoint="https://webapi.developers.erstegroup.com/api/csas/sandbox/v1/sandbox-idp/token"
+        )
+
+
+
+
+
+

7project/backend/app/oauth/custom_openid.py

@@ -0,0 +1,6 @@
+from httpx_oauth.clients.openid import OpenID
+
+
+class CustomOpenID(OpenID):
+    async def get_user_info(self, token: str) -> dict:
+        raise NotImplementedError()

7project/backend/app/oauth/moje_id.py

@@ -0,0 +1,56 @@
+import json
+from typing import Optional, Literal, Any
+
+from httpx_oauth.oauth2 import T
+
+from app.oauth.custom_openid import CustomOpenID
+
+
+class MojeIDOAuth(CustomOpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://mojeid.cz/.well-known/openid-configuration/",
+            "MojeID",
+            base_scopes=["openid", "email", "profile"],
+        )
+
+    async def get_user_info(self, token: str) -> Optional[Any]:
+        info = await self.get_profile(token)
+
+        return {
+            "first_name": info.get("given_name"),
+            "last_name": info.get("family_name"),
+        }
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        required_fields = {
+            'id_token': {
+                'name': {'essential': True},
+                'given_name': {'essential': True},
+                'family_name': {'essential': True},
+                'email': {'essential': True},
+                'mojeid_valid': {'essential': True},
+            }}
+
+        if extras_params is None:
+            extras_params = {}
+        extras_params["claims"] = json.dumps(required_fields)
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )

7project/backend/app/oauth/private_key.key

@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDcr/oxgV074ETd
+DkP/0l8LFnRofru+m2wNNG/ttVCioTqwnvR4oYxwq3U9qIBsT0D+Rx/Ef7qcpzqf
+/w9xt6Hosdv6I5jMHGaVQqLiPuV26/a7WvcmU+PpYuEBmbBHjGVJRBwgPtlUW1VL
+M8Pht9YiaagEKvFa6SUidZLfPv+ECohqgH4mgMrEcG/BTnry0/5xQdadRC9o25cl
+NtZIesS5GPeelhggFTkbh/FaxvMXhIAaRXT61cnxgxtfM71h5ObX5Lwle9z5a+Tw
+xgQhSQq1jbHALYvTwsc4Q/NQGXpGNWy599sb7dg5AkPFSSF4ceXBo/2jOaZCqWrt
+FVONZ+blAgMBAAECggEBAJwQbrRXsaFIRiq1jez5znC+3m+PQCHZM55a+NR3pqB7
+uE9y+ZvdUr3S4sRJxxfRLDsl/Rcu5L8nm9PNwhQ/MmamcNQCHGoro3fmed3ZcNia
+og94ktMt/DztygUhtIHEjVQ0sFc1WufG9xiJcPrM0MfhRAo+fBQ4UCSAVO8/U98B
+a4yukrPNeEA03hyjLB9W41pNQfyOtAHqzwDg9Q5XVaGMCLZT1bjCIquUcht5iMva
+tiw3cwdiYIklLTzTCsPPK9A/AlWZyUXL8KxtN0mU0kkwlXqASoXZ2nqdkhjRye/V
+3JXOmlDtDaJCqWDpH2gHLxMCl7OjfPvuD66bAT3H63kCgYEA5zxW/l6oI3gwYW7+
+j6rEjA2n8LikVnyW2e/PZ7pxBH3iBFe2DHx/imeqd/0IzixcM1zZT/V+PTFPQizG
+lOU7stN6Zg/LuRdxneHPyLWCimJP7BBJCWyJkuxKy9psokyBhGSLR/phL3fP7UkB
+o2I3vGmTFu5A0FzXcNH/cXPMdy8CgYEA9FJw3kyzXlInhJ6Cd63mckLPLYDArUsm
+THBoeH2CVTBS5g0bCbl7N1ZxUoYwZPD4lg5V0nWhZALGf+85ULSjX03PMf1cc6WW
+EIbZIo9hX+mGRa/FudDd+TlbtBnn0jucwABuLQi9mIepE55Hu9tw5/FT3cHeZVQc
+cC0T6ulVvisCgYBCzFeFG+sOdAXl356B+h7VJozBKVWv9kXNp00O9fj4BzVnc78P
+VFezr8a66snEZWQtIkFUq+JP4xK2VyD2mlHoktbk7OM5EOCtbzILFQQk3cmgtAOl
+SUlkvAXPZcXEDL3NdQ4XOOkiQUY7kb97Z0AamZT4JtNqXaeO29si9wS12QKBgHYg
+Hd3864Qg6GZgVOgUNiTsVErFw2KFwQCYIIqQ9CDH+myrzXTILuC0dJnXszI6p5W1
+XJ0irmMyTFKykN2KWKrNbe3Xd4mad5GKARWKiSPcPkUXFNwgNhI3PzU2iTTGCaVz
+D9HKNhC3FnIbxsb29AHQViITh7kqD43U3ZpoMkJ9AoGAZ+sg+CPfuo3ZMpbcdb3B
+ZX2UhAvNKxgHvNnHOjO+pvaM7HiH+BT0650brfBWQ0nTG1dt18mCevVk1UM/5hO9
+AtZw06vCLOJ3p3qpgkSlRZ1H7VokG9M8Od0zXqtJrmeLeBq7dfuDisYOuA+NUEbJ
+UM/UHByieS6ywetruz0LpM0=
+-----END RSA PRIVATE KEY-----

7project/backend/app/oauth/public_key.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSTCCAzGgAwIBAgIEAQIDBDANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMC
+Q1oxDjAMBgNVBAcTBUN6ZWNoMRMwEQYDVQQKEwpFcnN0ZUdyb3VwMRUwEwYDVQQL
+EwxFcnN0ZUh1YlRlYW0xETAPBgNVBAMTCEVyc3RlSHViMSIwIAYJKoZIhvcNAQkB
+FhNpbmZvQGVyc3RlZ3JvdXAuY29tMB4XDTIyMTIxNDA4MDc1N1oXDTI2MDMxNDA4
+MDc1N1owUjEaMBgGA1UEYRMRUFNEQ1otQ05CLTEyMzQ1NjcxCzAJBgNVBAYTAkNa
+MRYwFAYDVQQDEw1UUFAgVGVzdCBRV0FDMQ8wDQYDVQQKEwZNeSBUUFAwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcr/oxgV074ETdDkP/0l8LFnRofru+
+m2wNNG/ttVCioTqwnvR4oYxwq3U9qIBsT0D+Rx/Ef7qcpzqf/w9xt6Hosdv6I5jM
+HGaVQqLiPuV26/a7WvcmU+PpYuEBmbBHjGVJRBwgPtlUW1VLM8Pht9YiaagEKvFa
+6SUidZLfPv+ECohqgH4mgMrEcG/BTnry0/5xQdadRC9o25clNtZIesS5GPeelhgg
+FTkbh/FaxvMXhIAaRXT61cnxgxtfM71h5ObX5Lwle9z5a+TwxgQhSQq1jbHALYvT
+wsc4Q/NQGXpGNWy599sb7dg5AkPFSSF4ceXBo/2jOaZCqWrtFVONZ+blAgMBAAGj
+gfcwgfQwCwYDVR0PBAQDAgHGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
+AjCBrwYIKwYBBQUHAQMEgaIwgZ8wCAYGBACORgEBMAsGBgQAjkYBAwIBFDAIBgYE
+AI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgMwZwYGBACBmCcCMF0wTDARBgcEAIGY
+JwEBDAZQU1BfQVMwEQYHBACBmCcBAgwGUFNQX1BJMBEGBwQAgZgnAQMMBlBTUF9B
+STARBgcEAIGYJwEEDAZQU1BfSUMMBUVyc3RlDAZBVC1FUlMwFAYDVR0RBA0wC4IJ
+bXl0cHAuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBlTMPSwz46GMRBEPcy+25gV7xE
+5aFS5N6sf3YQyFelRJgPxxPxTHo55WelcK4XmXRQKeQ4VoKf4FgP0Cj74+p0N0gw
+wFJDWPGXH3SdjAXPRtG+FOiHwUSoyrmvbL4kk6Vbrd4cF+qe0BlzHzJ2Q6vFLwsk
+NYvWzkY9YjoItB38nAnQhyYgl1yHUK/uDWyrwHVfZn1AeTws/hr/KufORuiQfaTU
+kvAH1nzi7WSJ6AIQCd2exUEPx/O14Y+oCoJhTVd+RpA/9lkcqebceBijj47b2bvv
+QbjymvyTXqHd3L224Y7zVmh95g+CaJ8PRpApdrImfjfDDRy8PaFWx2pd/v0UQgrQ
+lgbO6jE7ah/tS0T5q5JtwnLAiOOqHPaKRvo5WB65jcZ2fvOH/0/oZ89noxp1Ihus
+vvsjqc9k2h9Rvt2pEjVU40HtQZ6XCmWqgFwK3n9CHrKNV/GqgANIZRNcvXKMCUoB
+VoJORVwi2DF4caKSFmyEWuK+5FyCEILtQ60SY/NHVGsUeOuN7OTjZjECARO6p4hz
+Uw+GCIXrzmIjS6ydh/LRef+NK28+xTbjmLHu/wnHg9rrHEnTPd39is+byfS7eeLV
+Dld/0Xrv88C0wxz63dcwAceiahjyz2mbQm765tOf9rK7EqsvT5M8EXFJ3dP4zwqS
+6mNFoIa0XGbAUT3E1w==
+-----END CERTIFICATE-----

7project/backend/app/schemas/category.py

@@ -0,0 +1,21 @@
+from typing import Optional
+from pydantic import BaseModel, ConfigDict
+
+
+class CategoryBase(BaseModel):
+    name: str
+    description: Optional[str] = None
+
+
+class CategoryCreate(CategoryBase):
+    pass
+
+
+class CategoryUpdate(BaseModel):
+    name: Optional[str] = None
+    description: Optional[str] = None
+
+
+class CategoryRead(CategoryBase):
+    id: int
+    model_config = ConfigDict(from_attributes=True)

7project/backend/app/schemas/transaction.py

@@ -0,0 +1,26 @@
+from typing import List, Optional, Union
+from datetime import date
+from pydantic import BaseModel, Field, ConfigDict
+
+
+class TransactionBase(BaseModel):
+    amount: float = Field(..., gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+    # accept either ISO date string or date object
+    date: Optional[Union[date, str]] = None
+
+class TransactionCreate(TransactionBase):
+    category_ids: Optional[List[int]] = None
+
+class TransactionUpdate(BaseModel):
+    amount: Optional[float] = Field(None, gt=-1e18, lt=1e18)
+    description: Optional[str] = None
+    # accept either ISO date string or date object
+    date: Optional[Union[date, str]] = None
+    category_ids: Optional[List[int]] = None
+
+class TransactionRead(TransactionBase):
+    id: int
+    category_ids: List[int] = []
+    date: Optional[Union[date, str]]
+    model_config = ConfigDict(from_attributes=True)

7project/backend/app/schemas/user.py

@@ -4,13 +4,13 @@ from fastapi_users import schemas
 
 class UserRead(schemas.BaseUser[uuid.UUID]):
     first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None
 
 class UserCreate(schemas.BaseUserCreate):
     first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None
 
 class UserUpdate(schemas.BaseUserUpdate):
     first_name: Optional[str] = None
-    surname: Optional[str] = None
+    last_name: Optional[str] = None
 

7project/backend/app/services/bank_scraper.py

@@ -0,0 +1,124 @@
+import json
+import logging
+from os.path import dirname, join
+from time import strptime
+from uuid import UUID
+
+import httpx
+from sqlalchemy import select
+
+from app.core.db import async_session_maker
+from app.models.transaction import Transaction
+from app.models.user import User
+
+logger = logging.getLogger(__name__)
+
+OAUTH_DIR = join(dirname(__file__), "..", "oauth")
+CERTS = (
+    join(OAUTH_DIR, "public_key.pem"),
+    join(OAUTH_DIR, "private_key.key"),
+)
+
+
+async def aload_ceska_sporitelna_transactions(user_id: str) -> None:
+    try:
+        uid = UUID(str(user_id))
+    except Exception:
+        logger.error("Invalid user_id provided to bank_scraper (async): %r", user_id)
+        return
+
+    await _aload_ceska_sporitelna_transactions(uid)
+
+
+async def aload_all_ceska_sporitelna_transactions() -> None:
+    async with async_session_maker() as session:
+        result = await session.execute(select(User))
+        users = result.unique().scalars().all()
+        logger.info("[BankScraper] Starting CSAS scrape for all users | count=%d", len(users))
+
+    processed = 0
+    for user in users:
+        try:
+            await _aload_ceska_sporitelna_transactions(user.id)
+            processed += 1
+        except Exception:
+            logger.exception("[BankScraper] Error scraping for user id=%s email=%s", user.id,
+                             getattr(user, 'email', None))
+    logger.info("[BankScraper] Finished CSAS scrape for all users | processed=%d", processed)
+
+
+async def _aload_ceska_sporitelna_transactions(user_id: UUID) -> None:
+    async with (async_session_maker() as session):
+        result = await session.execute(select(User).where(User.id == user_id))
+        user: User = result.unique().scalar_one_or_none()
+        if user is None:
+            logger.warning("User not found for id=%s", user_id)
+            return
+
+        cfg = user.config or {}
+        if "csas" not in cfg:
+            return
+
+        cfg = json.loads(cfg["csas"])
+        if "access_token" not in cfg:
+            return
+
+        accounts = []
+        try:
+            async with httpx.AsyncClient(cert=CERTS, timeout=httpx.Timeout(20.0)) as client:
+                response = await client.get(
+                    "https://webapi.developers.erstegroup.com/api/csas/sandbox/v4/account-information/my/accounts?size=10&page=0&sort=iban&order=desc",
+                    headers={
+                        "Authorization": f"Bearer {cfg['access_token']}",
+                        "WEB-API-key": "09fdc637-3c57-4242-95f2-c2205a2438f3",
+                        "user-involved": "false",
+                    },
+                )
+                if response.status_code != httpx.codes.OK:
+                    return
+
+                for account in response.json()["accounts"]:
+                    accounts.append(account)
+
+        except (httpx.HTTPError,) as e:
+            logger.exception("[BankScraper] HTTP error during CSAS request | user_id=%s", user_id)
+            return
+
+        for account in accounts:
+            id = account["id"]
+
+            url = f"https://webapi.developers.erstegroup.com/api/csas/sandbox/v4/account-information/my/accounts/{id}/transactions?size=100&page=0&sort=bookingdate&order=desc"
+            async with httpx.AsyncClient(cert=CERTS) as client:
+                response = await client.get(
+                    url,
+                    headers={
+                        "Authorization": f"Bearer {cfg['access_token']}",
+                        "WEB-API-key": "09fdc637-3c57-4242-95f2-c2205a2438f3",
+                        "user-involved": "false",
+                    },
+                )
+                if response.status_code != httpx.codes.OK:
+                    continue
+
+                transactions = response.json()["transactions"]
+
+            for transaction in transactions:
+                description = transaction.get("entryDetails", {}).get("transactionDetails", {}).get(
+                    "additionalRemittanceInformation")
+                date_str = transaction.get("bookingDate", {}).get("date")
+                date = strptime(date_str, "%Y-%m-%d") if date_str else None
+                amount = transaction.get("amount", {}).get("value")
+                if transaction.get("creditDebitIndicator") == "DBIT":
+                    amount = -abs(amount)
+
+                obj = Transaction(
+                    amount=amount,
+                    description=description,
+                    date=date,
+                    user_id=user_id,
+                )
+                session.add(obj)
+                await session.commit()
+
+                pass
+            pass

7project/backend/app/services/db.py

@@ -4,11 +4,13 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from ..core.db import async_session_maker
-from ..models.user import User
+from ..models.user import User, OAuthAccount
+
 
 async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
     async with async_session_maker() as session:
         yield session
 
+
 async def get_user_db(session: AsyncSession = Depends(get_async_session)):
-    yield SQLAlchemyUserDatabase(session, User)
+    yield SQLAlchemyUserDatabase(session, User, OAuthAccount)

7project/backend/app/services/prometheus.py

@@ -0,0 +1,48 @@
+from typing import Callable
+from prometheus_fastapi_instrumentator.metrics import Info
+from prometheus_client import Gauge
+from sqlalchemy import select, func
+
+from app.core.db import async_session_maker
+from app.models.transaction import Transaction
+from app.models.user import User
+
+
+def number_of_users() -> Callable[[Info], None]:
+    METRIC = Gauge(
+        "number_of_users_total",
+        "Number of registered users.",
+        labelnames=("users",)
+    )
+
+    async def instrumentation(info: Info) -> None:
+        try:
+            async with async_session_maker() as session:
+                result = await session.execute(select(func.count(User.id)))
+                user_count = result.scalar_one() or 0
+        except Exception:
+            # In case of DB errors, avoid crashing metrics endpoint
+            user_count = 0
+        METRIC.labels(users="total").set(user_count)
+
+    return instrumentation
+
+
+def number_of_transactions() -> Callable[[Info], None]:
+    METRIC = Gauge(
+        "number_of_transactions_total",
+        "Number of transactions stored.",
+        labelnames=("transactions",)
+    )
+
+    async def instrumentation(info: Info) -> None:
+        try:
+            async with async_session_maker() as session:
+                result = await session.execute(select(func.count()).select_from(Transaction))
+                transaction_count = result.scalar_one() or 0
+        except Exception:
+            # In case of DB errors, avoid crashing metrics endpoint
+            transaction_count = 0
+        METRIC.labels(transactions="total").set(transaction_count)
+
+    return instrumentation

7project/backend/app/services/user_service.py

@@ -3,26 +3,67 @@ import uuid
 from typing import Optional
 
 from fastapi import Depends, Request
-from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin
+from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin, models
 from fastapi_users.authentication import (
     AuthenticationBackend,
     BearerTransport,
-    JWTStrategy,
 )
+from fastapi_users.authentication.strategy.jwt import JWTStrategy
 from fastapi_users.db import SQLAlchemyUserDatabase
+from httpx_oauth.oauth2 import BaseOAuth2
 
 from app.models.user import User
+from app.oauth.bank_id import BankID
+from app.oauth.csas import CSASOAuth
+from app.oauth.custom_openid import CustomOpenID
+from app.oauth.moje_id import MojeIDOAuth
 from app.services.db import get_user_db
 from app.core.queue import enqueue_email
 
 SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
+
 FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
 BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")
 
+providers = {
+    "MojeID": MojeIDOAuth(
+        os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+    "BankID": BankID(
+        os.getenv("BANKID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+        os.getenv("BANKID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+    ),
+}
+
+
+def get_oauth_provider(name: str) -> Optional[BaseOAuth2]:
+    if name not in providers:
+        return None
+    return providers[name]
+
+
 class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
     reset_password_token_secret = SECRET
     verification_token_secret = SECRET
 
+    async def oauth_callback(self: "BaseUserManager[models.UOAP, models.ID]", oauth_name: str, access_token: str,
+                             account_id: str, account_email: str, expires_at: Optional[int] = None,
+                             refresh_token: Optional[str] = None, request: Optional[Request] = None, *,
+                             associate_by_email: bool = False, is_verified_by_default: bool = False) -> models.UOAP:
+
+        user = await super().oauth_callback(oauth_name, access_token, account_id, account_email, expires_at,
+                                            refresh_token, request, associate_by_email=associate_by_email,
+                                            is_verified_by_default=is_verified_by_default)
+
+        # set additional user info from the OAuth provider
+        provider = get_oauth_provider(oauth_name)
+        if provider is not None and isinstance(provider, CustomOpenID):
+            update_dict = await provider.get_user_info(access_token)
+            await self.user_db.update(user, update_dict)
+
+        return user
+
     async def on_after_register(self, user: User, request: Optional[Request] = None):
         await self.request_verify(user, request)
 
@@ -47,18 +88,22 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
         )
         try:
             enqueue_email(to=user.email, subject=subject, body=body)
-        except Exception:
+        except Exception as e:
             print("[Email Fallback] To:", user.email)
             print("[Email Fallback] Subject:", subject)
             print("[Email Fallback] Body:\n", body)
 
+
 async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
     yield UserManager(user_db)
 
+
 bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")
 
+
 def get_jwt_strategy() -> JWTStrategy:
-    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)
+    return JWTStrategy(secret=SECRET, lifetime_seconds=604800)
+
 
 auth_backend = AuthenticationBackend(
     name="jwt",
@@ -70,4 +115,3 @@ fastapi_users = FastAPIUsers[User, uuid.UUID](get_user_manager, [auth_backend])
 
 current_active_user = fastapi_users.current_user(active=True)
 current_active_verified_user = fastapi_users.current_user(active=True, verified=True)
-

7project/backend/app/workers/celery_tasks.py

@@ -0,0 +1,107 @@
+import logging
+import asyncio
+
+from celery import shared_task
+
+import app.services.bank_scraper
+
+logger = logging.getLogger("celery_tasks")
+if not logger.handlers:
+    _h = logging.StreamHandler()
+    logger.addHandler(_h)
+logger.setLevel(logging.INFO)
+
+
+def run_coro(coro) -> None:
+    """Run an async coroutine in a fresh event loop without using run_until_complete.
+    Primary strategy runs in a new loop in the current thread. If that fails due to
+    debugger patches (e.g., Bad file descriptor from pydevd_nest_asyncio), fall back
+    to running in a dedicated thread with its own event loop.
+    """
+    import threading
+
+    def _cleanup_loop(loop):
+        try:
+            pending = [t for t in asyncio.all_tasks(loop) if not t.done()]
+            for t in pending:
+                t.cancel()
+            if pending:
+                loop.run_until_complete(asyncio.gather(*pending, return_exceptions=True))
+        except Exception:
+            pass
+        finally:
+            try:
+                loop.close()
+            finally:
+                asyncio.set_event_loop(None)
+
+    # First attempt: Run in current thread with a fresh event loop
+    try:
+        loop = asyncio.get_event_loop_policy().new_event_loop()
+        try:
+            asyncio.set_event_loop(loop)
+            task = loop.create_task(coro)
+            task.add_done_callback(lambda _t: loop.stop())
+            loop.run_forever()
+            exc = task.exception()
+            if exc:
+                raise exc
+            return
+        finally:
+            _cleanup_loop(loop)
+    except OSError as e:
+        logger.warning("run_coro primary strategy failed (%s). Falling back to thread runner.", e)
+    except Exception:
+        # For any other unexpected errors, try thread fallback as well
+        logger.exception("run_coro primary strategy raised; attempting thread fallback")
+
+    # Fallback: Run in a dedicated thread with its own event loop
+    error = {"exc": None}
+
+    def _thread_target():
+        loop = asyncio.new_event_loop()
+        try:
+            asyncio.set_event_loop(loop)
+            task = loop.create_task(coro)
+            task.add_done_callback(lambda _t: loop.stop())
+            loop.run_forever()
+            exc = task.exception()
+            if exc:
+                error["exc"] = exc
+        finally:
+            _cleanup_loop(loop)
+
+    th = threading.Thread(target=_thread_target, name="celery-async-runner", daemon=True)
+    th.start()
+    th.join()
+    if error["exc"] is not None:
+        raise error["exc"]
+
+
+@shared_task(name="workers.send_email")
+def send_email(to: str, subject: str, body: str) -> None:
+    if not (to and subject and body):
+        logger.error("Email task missing fields. to=%r subject=%r body_len=%r", to, subject, len(body) if body else 0)
+        return
+
+    # Placeholder for real email sending logic
+    logger.info("[Celery] Email sent | to=%s | subject=%s | body_len=%d", to, subject, len(body))
+
+
+@shared_task(name="workers.load_transactions")
+def load_transactions(user_id: str) -> None:
+    if not user_id:
+        logger.error("Load transactions task missing user_id.")
+        return
+
+    run_coro(app.services.bank_scraper.aload_ceska_sporitelna_transactions(user_id))
+
+    # Placeholder for real transaction loading logic
+    logger.info("[Celery] Transactions loaded for user_id=%s", user_id)
+
+
+@shared_task(name="workers.load_all_transactions")
+def load_all_transactions() -> None:
+    logger.info("[Celery] Starting load_all_transactions")
+    run_coro(app.services.bank_scraper.aload_all_ceska_sporitelna_transactions())
+    logger.info("[Celery] Finished load_all_transactions")

7project/backend/pyproject.toml

@@ -0,0 +1,5 @@
+[tool.pytest.ini_options]
+pythonpath = "."
+asyncio_mode = "auto"
+asyncio_default_fixture_loop_scope = "session"
+asyncio_default_test_loop_scope = "session"

7project/backend/requirements.txt

@@ -2,14 +2,21 @@ aio-pika==9.5.6
 aiormq==6.8.1
 aiosqlite==0.21.0
 alembic==1.16.5
+amqp==5.3.1
 annotated-types==0.7.0
 anyio==4.11.0
 argon2-cffi==23.1.0
 argon2-cffi-bindings==25.1.0
 asyncmy==0.2.9
 bcrypt==4.3.0
+billiard==4.2.2
+celery==5.5.3
+certifi==2025.10.5
 cffi==2.0.0
 click==8.1.8
+click-didyoumean==0.3.1
+click-plugins==1.1.1.2
+click-repl==0.3.0
 cryptography==46.0.1
 dnspython==2.7.0
 email_validator==2.2.0
@@ -19,13 +26,21 @@ fastapi-users==14.0.1
 fastapi-users-db-sqlalchemy==7.0.0
 greenlet==3.2.4
 h11==0.16.0
+httpcore==1.0.9
 httptools==0.6.4
+httpx==0.28.1
+httpx-oauth==0.16.1
 idna==3.10
+kombu==5.5.4
 makefun==1.16.0
 Mako==1.3.10
 MarkupSafe==3.0.2
 multidict==6.6.4
+packaging==25.0
 pamqp==3.3.0
+prometheus-fastapi-instrumentator==7.1.0
+prometheus_client==0.23.1
+prompt_toolkit==3.0.52
 propcache==0.3.2
 pwdlib==0.2.1
 pycparser==2.23
@@ -33,17 +48,26 @@ pydantic==2.11.9
 pydantic_core==2.33.2
 PyJWT==2.10.1
 PyMySQL==1.1.2
+python-dateutil==2.9.0.post0
 python-dotenv==1.1.1
 python-multipart==0.0.20
 PyYAML==6.0.2
+sentry-sdk==2.42.0
+six==1.17.0
 sniffio==1.3.1
 SQLAlchemy==2.0.43
+SQLAlchemy-Utils==0.42.0
 starlette==0.48.0
 tomli==2.2.1
 typing-inspection==0.4.1
 typing_extensions==4.15.0
+tzdata==2025.2
+urllib3==2.5.0
 uvicorn==0.37.0
 uvloop==0.21.0
+vine==5.1.0
 watchfiles==1.1.0
+wcwidth==0.2.14
 websockets==15.0.1
 yarl==1.20.1
+python-json-logger==2.0.7

7project/backend/tests/conftest.py

@@ -0,0 +1,44 @@
+import sys
+import uuid
+import types
+import pytest
+from fastapi.testclient import TestClient
+from httpx import AsyncClient, ASGITransport
+
+# Stub sentry_sdk to avoid optional dependency issues during import of app
+stub = types.ModuleType("sentry_sdk")
+stub.init = lambda *args, **kwargs: None
+sys.modules.setdefault("sentry_sdk", stub)
+
+# Import the FastAPI application
+from app.app import fastApi as app  # noqa: E402
+
+
+@pytest.fixture(scope="session")
+def fastapi_app():
+    return app
+
+
+@pytest.fixture(scope="session")
+def client(fastapi_app):
+    return TestClient(fastapi_app, raise_server_exceptions=True)
+
+
+@pytest.fixture(scope="function")
+async def test_user(fastapi_app):
+    """
+    Creates a new user asynchronously and returns their credentials.
+    Does NOT log them in.
+    Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections.
+    """
+    unique_email = f"testuser_{uuid.uuid4()}@example.com"
+    password = "a_strong_password"
+    user_payload = {"email": unique_email, "password": password}
+
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        response = await ac.post("/auth/register", json=user_payload)
+        assert response.status_code == 201
+
+    return {"username": unique_email, "password": password}
+

7project/backend/tests/test_e2e.py

@@ -0,0 +1,210 @@
+import pytest
+import uuid
+from httpx import AsyncClient, ASGITransport
+from fastapi import status
+
+
+def test_e2e(client):
+    # 1) Service is alive
+    alive = client.get("/")
+    assert alive.status_code == status.HTTP_200_OK
+
+    # 2) Attempt to login without payload should fail fast (validation error)
+    login = client.post("/auth/jwt/login")
+    assert login.status_code in (status.HTTP_400_BAD_REQUEST, status.HTTP_422_UNPROCESSABLE_CONTENT)
+
+    # 3) Protected endpoint should not be accessible without token
+    me = client.get("/users/me")
+    assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_e2e_full_user_lifecycle(fastapi_app, test_user):
+    # Use an AsyncClient with ASGITransport for async tests
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        login_payload = test_user
+
+        # 1. Log in with the new credentials
+        login_resp = await ac.post("/auth/jwt/login", data=login_payload)
+        assert login_resp.status_code == status.HTTP_200_OK
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Access a protected endpoint
+        me_resp = await ac.get("/users/me", headers=headers)
+        assert me_resp.status_code == status.HTTP_200_OK
+        assert me_resp.json()["email"] == test_user["username"]
+
+        # 3. Update the user's profile
+        update_payload = {"first_name": "Test"}
+        patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers)
+        assert patch_resp.status_code == status.HTTP_200_OK
+        assert patch_resp.json()["first_name"] == "Test"
+
+        # 4. Log out
+        logout_resp = await ac.post("/auth/jwt/logout", headers=headers)
+        assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # 5. Verify token is invalid
+        me_again_resp = await ac.get("/users/me", headers=headers)
+        assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+@pytest.mark.asyncio
+async def test_e2e_transaction_workflow(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get the token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # NEW STEP: Create a category first to get a valid ID
+        category_payload = {"name": "Test Category for E2E"}
+        create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+        assert create_category_resp.status_code == status.HTTP_201_CREATED
+        category_id = create_category_resp.json()["id"]
+
+        # 2. Create a new transaction
+        tx_payload = {"amount": -55.40, "description": "Milk and eggs"}
+        tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers)
+        assert tx_resp.status_code == status.HTTP_201_CREATED
+        tx_id = tx_resp.json()["id"]
+
+        # 3. Assign the category
+        assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert assign_resp.status_code == status.HTTP_200_OK
+
+        # 4. Verify assignment
+        get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        assert category_id in get_tx_resp.json()["category_ids"]
+
+        # 5. Unassign the category
+        unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert unassign_resp.status_code == status.HTTP_200_OK
+
+        # 6. Get the transaction again and verify the category is gone
+        get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        final_tx_data = get_tx_again_resp.json()
+        assert category_id not in final_tx_data["category_ids"]
+
+        # 7. Delete the transaction for cleanup
+        delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # NEW STEP: Clean up the created category
+        delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+@pytest.mark.asyncio
+async def test_register_then_login_and_fetch_me(fastapi_app):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # Use unique email to avoid duplicates across runs
+        suffix = uuid.uuid4().hex[:8]
+        email = f"newuser_{suffix}@example.com"
+        password = "StrongPassw0rd!"
+
+        reg = await ac.post("/auth/register", json={"email": email, "password": password})
+        assert reg.status_code in (status.HTTP_201_CREATED, status.HTTP_200_OK)
+
+        login = await ac.post("/auth/jwt/login", data={"username": email, "password": password})
+        assert login.status_code == status.HTTP_200_OK
+        token = login.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+        try:
+            me = await ac.get("/users/me", headers=headers)
+            assert me.status_code == status.HTTP_200_OK
+            assert me.json()["email"] == email
+        finally:
+            # Cleanup: delete the created user so future runs won’t conflict
+            d = await ac.delete("/users/me", headers=headers)
+            assert d.status_code == status.HTTP_204_NO_CONTENT
+
+
+@pytest.mark.asyncio
+async def test_delete_current_user_revokes_access(fastapi_app):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        email = "todelete@example.com"
+        password = "Passw0rd!"
+        reg = await ac.post("/auth/register", json={"email": email, "password": password})
+        assert reg.status_code in (status.HTTP_200_OK, status.HTTP_201_CREATED)
+
+        login = await ac.post("/auth/jwt/login", data={"username": email, "password": password})
+        token = login.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # Delete self
+        d = await ac.delete("/users/me", headers=headers)
+        assert d.status_code == status.HTTP_204_NO_CONTENT
+
+        # Access should now fail
+        me = await ac.get("/users/me", headers=headers)
+        assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_update_category_conflict_and_404(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        a = (await ac.post("/categories/create", json={"name": "A"}, headers=h)).json()
+        b = (await ac.post("/categories/create", json={"name": "B"}, headers=h)).json()
+
+        # Attempt to rename A -> B should conflict
+        conflict = await ac.patch(f"/categories/{a['id']}", json={"name": "B"}, headers=h)
+        assert conflict.status_code == status.HTTP_409_CONFLICT
+
+        # Update non-existent
+        missing = await ac.patch("/categories/999999", json={"name": "Z"}, headers=h)
+        assert missing.status_code == status.HTTP_404_NOT_FOUND
+
+@pytest.mark.asyncio
+async def test_category_cross_user_isolation(fastapi_app):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # Generate unique emails for both users
+        sfx = uuid.uuid4().hex[:8]
+        u1 = {"email": f"u1_{sfx}@example.com", "password": "Aaaaaa1!"}
+        u2 = {"email": f"u2_{sfx}@example.com", "password": "Aaaaaa1!"}
+
+        # user1
+        assert (await ac.post("/auth/register", json=u1)).status_code in (200, 201)
+        t1 = (await ac.post("/auth/jwt/login", data={"username": u1["email"], "password": u1["password"]})).json()["access_token"]
+        h1 = {"Authorization": f"Bearer {t1}"}
+
+        # user1 creates a category
+        c = (await ac.post("/categories/create", json={"name": "Private"}, headers=h1)).json()
+        cat_id = c["id"]
+
+        # user2
+        assert (await ac.post("/auth/register", json=u2)).status_code in (200, 201)
+        t2 = (await ac.post("/auth/jwt/login", data={"username": u2["email"], "password": u2["password"]})).json()["access_token"]
+        h2 = {"Authorization": f"Bearer {t2}"}
+
+        try:
+            # user2 cannot read/delete user1's category
+            g = await ac.get(f"/categories/{cat_id}", headers=h2)
+            assert g.status_code == status.HTTP_404_NOT_FOUND
+            d = await ac.delete(f"/categories/{cat_id}", headers=h2)
+            assert d.status_code == status.HTTP_404_NOT_FOUND
+        finally:
+            # Cleanup: remove the created category as its owner
+            try:
+                _ = await ac.delete(f"/categories/{cat_id}", headers=h1)
+            except Exception:
+                pass
+            # Cleanup: delete both users to avoid email conflicts later
+            try:
+                _ = await ac.delete("/users/me", headers=h1)
+            except Exception:
+                pass
+            try:
+                _ = await ac.delete("/users/me", headers=h2)
+            except Exception:
+                pass
+

7project/backend/tests/test_integration_app.py

@@ -0,0 +1,170 @@
+from fastapi import status
+import pytest
+from httpx import AsyncClient, ASGITransport
+
+
+def test_root_ok(client):
+    resp = client.get("/")
+    assert resp.status_code == status.HTTP_200_OK
+    assert resp.json() == {"status": "ok"}
+
+
+def test_authenticated_route_requires_auth(client):
+    resp = client.get("/authenticated-route")
+    assert resp.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_create_and_get_category(fastapi_app, test_user):
+    # Use AsyncClient for async tests
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define and create the new category
+        category_name = "Async Integration Test"
+        category_payload = {"name": category_name}
+        create_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+
+        # 3. Assert creation was successful
+        assert create_resp.status_code == status.HTTP_201_CREATED
+        created_data = create_resp.json()
+        category_id = created_data["id"]
+        assert created_data["name"] == category_name
+
+        # 4. GET the list of categories to verify
+        list_resp = await ac.get("/categories/", headers=headers)
+        assert list_resp.status_code == status.HTTP_200_OK
+
+        # 5. Check that our new category is in the list
+        categories_list = list_resp.json()
+        assert any(cat["name"] == category_name for cat in categories_list)
+
+        delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+
+@pytest.mark.asyncio
+async def test_create_transaction_missing_amount_fails(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define an invalid payload
+        invalid_payload = {"description": "This should fail"}
+
+        # 3. Attempt to create the transaction
+        resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers)
+
+        # 4. Assert the expected validation error
+        assert resp.status_code == status.HTTP_422_UNPROCESSABLE_CONTENT
+
+
+@pytest.mark.asyncio
+async def test_login_invalid_credentials(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        bad = await ac.post("/auth/jwt/login", data={"username": test_user["username"], "password": "nope"})
+        assert bad.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_400_BAD_REQUEST)
+        unknown = await ac.post("/auth/jwt/login", data={"username": "nouser@example.com", "password": "x"})
+        assert unknown.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_400_BAD_REQUEST)
+
+
+@pytest.mark.asyncio
+async def test_category_duplicate_name_conflict(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        p = {"name": "Food"}
+        r1 = await ac.post("/categories/create", json=p, headers=h)
+        assert r1.status_code == status.HTTP_201_CREATED
+        r2 = await ac.post("/categories/create", json=p, headers=h)
+        assert r2.status_code == status.HTTP_409_CONFLICT
+
+@pytest.mark.asyncio
+async def test_create_transaction_invalid_date_format(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        bad = await ac.post("/transactions/create", json={"amount": 10, "description": "x", "date": "31-12-2024"}, headers=h)
+        assert bad.status_code == status.HTTP_400_BAD_REQUEST
+
+@pytest.mark.asyncio
+async def test_update_transaction_rejects_duplicate_category_ids(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        tx = (await ac.post("/transactions/create", json={"amount": 5, "description": "x"}, headers=h)).json()
+        dup = await ac.patch(f"/transactions/{tx['id']}/edit", json={"category_ids": [1, 1]}, headers=h)
+        assert dup.status_code == status.HTTP_400_BAD_REQUEST
+
+@pytest.mark.asyncio
+async def test_assign_unassign_category_not_found_cases(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        # Create tx and category
+        tx = (await ac.post("/transactions/create", json={"amount": 1, "description": "a"}, headers=h)).json()
+        cat = (await ac.post("/categories/create", json={"name": "X"}, headers=h)).json()
+
+        # Missing transaction
+        r1 = await ac.post(f"/transactions/999999/categories/{cat['id']}", headers=h)
+        assert r1.status_code == status.HTTP_404_NOT_FOUND
+
+        # Missing category
+        r2 = await ac.post(f"/transactions/{tx['id']}/categories/999999", headers=h)
+        assert r2.status_code == status.HTTP_404_NOT_FOUND
+
+@pytest.mark.asyncio
+async def test_transactions_date_filter_and_balance_series(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        # Seed transactions spanning days
+        data = [
+            {"amount": 100, "description": "day1", "date": "2024-01-01"},
+            {"amount": -25, "description": "day2", "date": "2024-01-02"},
+            {"amount": 50, "description": "day3", "date": "2024-01-03"},
+        ]
+        for p in data:
+            r = await ac.post("/transactions/create", json=p, headers=h)
+            assert r.status_code == status.HTTP_201_CREATED
+
+        # Filtered list (2nd and 3rd only)
+        lst = await ac.get("/transactions/", params={"start_date": "2024-01-02", "end_date": "2024-01-03"}, headers=h)
+        assert lst.status_code == status.HTTP_200_OK
+        assert len(lst.json()) == 2
+
+        # Balance series should be cumulative per date
+        series = await ac.get("/transactions/balance_series", headers=h)
+        assert series.status_code == status.HTTP_200_OK
+        s = series.json()
+        assert s == [
+            {"date": "2024-01-01", "balance": 100.0},
+            {"date": "2024-01-02", "balance": 75.0},
+            {"date": "2024-01-03", "balance": 125.0},
+        ]
+
+@pytest.mark.asyncio
+async def test_delete_transaction_not_found(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        r = await ac.delete("/transactions/999999/delete", headers=h)
+        assert r.status_code == status.HTTP_404_NOT_FOUND
+

7project/backend/tests/test_unit_user_service.py

@@ -0,0 +1,55 @@
+import types
+import asyncio
+import pytest
+
+from app.services import user_service
+
+
+def test_get_oauth_provider_known_unknown():
+    # Known providers should return a provider instance
+    bankid = user_service.get_oauth_provider("BankID")
+    mojeid = user_service.get_oauth_provider("MojeID")
+    assert bankid is not None
+    assert mojeid is not None
+
+    # Unknown should return None
+    assert user_service.get_oauth_provider("DoesNotExist") is None
+
+
+def test_get_jwt_strategy_lifetime():
+    strategy = user_service.get_jwt_strategy()
+    assert strategy is not None
+    # Basic smoke check: strategy has a lifetime set to 604800
+    assert getattr(strategy, "lifetime_seconds", None) in (604800,)
+
+
+@pytest.mark.asyncio
+async def test_on_after_request_verify_enqueues_email(monkeypatch):
+    calls = {}
+
+    def fake_enqueue_email(to: str, subject: str, body: str):
+        calls.setdefault("emails", []).append({
+            "to": to,
+            "subject": subject,
+            "body": body,
+        })
+
+    # Patch the enqueue_email used inside user_service
+    monkeypatch.setattr(user_service, "enqueue_email", fake_enqueue_email)
+
+    class DummyUser:
+        def __init__(self, email):
+            self.email = email
+
+    mgr = user_service.UserManager(user_db=None)  # user_db not needed for this method
+    user = DummyUser("test@example.com")
+
+    # Call the hook
+    await mgr.on_after_request_verify(user, token="abc123", request=None)
+
+    # Verify one email has been enqueued with expected content
+    assert len(calls.get("emails", [])) == 1
+    email = calls["emails"][0]
+    assert email["to"] == "test@example.com"
+    assert "ověření účtu" in email["subject"].lower()
+    assert "abc123" in email["body"]

7project/charts/myapp-chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: myapp-chart
+version: 0.1.0
+description: Helm chart for my app with MariaDB Database CR
+appVersion: "1.0.0"
+type: application

7project/charts/myapp-chart/templates/app-deployment.yaml

@@ -0,0 +1,124 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.app.name }}
+spec:
+  replicas: {{ .Values.app.replicas }}
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: {{ .Values.app.name }}
+      endpoint: metrics
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.app.name }}
+        endpoint: metrics
+    spec:
+      containers:
+        - name: {{ .Values.app.name }}
+          image: "{{- if .Values.image.digest -}}{{ .Values.image.repository }}@{{ .Values.image.digest }}{{- else -}}{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}{{- end -}}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
+          ports:
+            - containerPort: {{ .Values.app.port }}
+          env:
+            - name: MARIADB_HOST
+              value: "mariadb-repl-maxscale-internal.mariadb-operator.svc.cluster.local"
+            - name: MARIADB_PORT
+              value: '3306'
+            - name: MARIADB_DB
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_DB
+            - name: MARIADB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_USER
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_PASSWORD
+            - name: RABBITMQ_USERNAME
+              value: {{ .Values.rabbitmq.username | quote }}
+            - name: RABBITMQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: RABBITMQ_PASSWORD
+            - name: RABBITMQ_HOST
+              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
+            - name: RABBITMQ_PORT
+              value: {{ .Values.rabbitmq.port | quote }}
+            - name: RABBITMQ_VHOST
+              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
+            - name: MAIL_QUEUE
+              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
+            - name: MOJEID_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MOJEID_CLIENT_ID
+            - name: MOJEID_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MOJEID_CLIENT_SECRET
+            - name: BANKID_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: BANKID_CLIENT_ID
+            - name: BANKID_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: BANKID_CLIENT_SECRET
+            - name: CSAS_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: CSAS_CLIENT_ID
+            - name: CSAS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: CSAS_CLIENT_SECRET
+            - name: DOMAIN
+              value: {{ required "Set .Values.domain" .Values.domain | quote }}
+            - name: DOMAIN_SCHEME
+              value: {{ required "Set .Values.domain_scheme" .Values.domain_scheme | quote }}
+            - name: FRONTEND_DOMAIN
+              value: {{ required "Set .Values.frontend_domain" .Values.frontend_domain | quote }}
+            - name: FRONTEND_DOMAIN_SCHEME
+              value: {{ required "Set .Values.frontend_domain_scheme" .Values.frontend_domain_scheme | quote }}
+            - name: SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: SENTRY_DSN
+            - name: DB_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: DB_ENCRYPTION_KEY
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.app.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.app.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3

7project/charts/myapp-chart/templates/database-grant.yaml

@@ -0,0 +1,18 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: grant
+spec:
+  mariaDbRef:
+    name: {{ .Values.mariadb.mariaDbRef.name }}
+    namespace: {{ .Values.mariadb.mariaDbRef.namespace }}
+  privileges:
+    - "ALL PRIVILEGES"
+  database: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  table: "*"
+  username: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  grantOption: true
+  host: "%"
+  cleanupPolicy: {{ .Values.mariadb.cleanupPolicy }}
+  requeueInterval: {{ .Values.mariadb.requeueInterval | quote }}
+  retryInterval: {{ .Values.mariadb.retryInterval | quote }}

7project/charts/myapp-chart/templates/database-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ required "Set .Values.database.secretName" .Values.database.secretName }}
+type: kubernetes.io/basic-auth
+stringData:
+  password: {{ required "Set .Values.database.password" .Values.database.password | quote }}

7project/charts/myapp-chart/templates/database-user.yaml

@@ -0,0 +1,16 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: {{ required "Set .Values.deployment" .Values.deployment }}
+spec:
+  mariaDbRef:
+    name: {{ .Values.mariadb.mariaDbRef.name }}
+    namespace: {{ .Values.mariadb.mariaDbRef.namespace }}
+  passwordSecretKeyRef:
+    name: {{ required "Set .Values.database.secretName" .Values.database.secretName }}
+    key: password
+  maxUserConnections: 20
+  host: "%"
+  cleanupPolicy: {{ .Values.mariadb.cleanupPolicy }}
+  requeueInterval: {{ .Values.mariadb.requeueInterval | quote }}
+  retryInterval: {{ .Values.mariadb.retryInterval | quote }}

7project/charts/myapp-chart/templates/database.yaml

@@ -0,0 +1,14 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: {{ required "Set .Values.deployment" .Values.deployment }}
+spec:
+  mariaDbRef:
+    name: {{ .Values.mariadb.mariaDbRef.name | required "Values mariadb.mariaDbRef.name is required" }}
+    namespace: {{ .Values.mariadb.mariaDbRef.namespace | default .Release.Namespace }}
+  characterSet: utf8
+  collate: utf8_general_ci
+  cleanupPolicy: {{ .Values.mariadb.cleanupPolicy }}
+  requeueInterval: {{ .Values.mariadb.requeueInterval | quote }}
+  retryInterval: {{ .Values.mariadb.retryInterval | quote }}
+

7project/charts/myapp-chart/templates/monitoring.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: fastapi-servicemonitor
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.app.name }}
+  endpoints:
+    - port: http
+      path: /metrics
+      interval: 15s

7project/charts/myapp-chart/templates/prod.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod
+type: Opaque
+stringData:
+  MOJEID_CLIENT_ID: {{ .Values.oauth.mojeid.clientId | quote }}
+  MOJEID_CLIENT_SECRET: {{ .Values.oauth.mojeid.clientSecret | quote }}
+  BANKID_CLIENT_ID: {{ .Values.oauth.bankid.clientId | quote }}
+  BANKID_CLIENT_SECRET: {{ .Values.oauth.bankid.clientSecret | quote }}
+  CSAS_CLIENT_ID: {{ .Values.oauth.csas.clientId | quote }}
+  CSAS_CLIENT_SECRET: {{ .Values.oauth.csas.clientSecret | quote }}
+  # Database credentials
+  MARIADB_DB: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  MARIADB_USER: {{ required "Set .Values.deployment" .Values.deployment | quote }}
+  MARIADB_PASSWORD: {{ .Values.database.password | default "" | quote }}
+  # RabbitMQ credentials
+  RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }}
+  RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }}
+  SENTRY_DSN: {{ .Values.sentry_dsn | quote }}
+  DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }}

7project/charts/myapp-chart/templates/rabbitmq-cluster.yaml

@@ -0,0 +1,10 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: "rabbitmq-cluster"
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.rabbitmq.replicas | default 1 }}
+  persistence:
+    storage: {{ .Values.rabbitmq.storage | default "1Gi" }}
+  resources: {}

7project/charts/myapp-chart/templates/rabbitmq-permission.yaml

@@ -0,0 +1,15 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ printf "%s-permission" (.Values.rabbitmq.username | default "demo-app") }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  rabbitmqClusterReference:
+    name: rabbitmq-cluster
+    namespace: {{ .Release.Namespace }}
+  vhost: {{ .Values.rabbitmq.vhost | default "/" | quote }}
+  user: {{ .Values.rabbitmq.username | default "demo-app" }}
+  permissions:
+    configure: ".*"
+    read: ".*"
+    write: ".*"

7project/charts/myapp-chart/templates/rabbitmq-queue.yaml

@@ -0,0 +1,12 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: {{ .Values.worker.mailQueueName | replace "_" "-" | lower }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  rabbitmqClusterReference:
+    name: rabbitmq-cluster
+    namespace: {{ .Release.Namespace }}
+  name: {{ .Values.worker.mailQueueName }}
+  vhost: {{ .Values.rabbitmq.vhost | default "/" | quote }}
+  durable: true

7project/charts/myapp-chart/templates/rabbitmq-user-secret.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.rabbitmq.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}
+  namespace: {{ .Release.Namespace }}
+stringData:
+  password: {{ .Values.rabbitmq.password | quote }}
+  username: {{ .Values.rabbitmq.username | quote }}
+{{- end }}

7project/charts/myapp-chart/templates/rabbitmq-user.yaml

@@ -0,0 +1,13 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: {{ .Values.rabbitmq.username | default "demo-app" }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  rabbitmqClusterReference:
+    name: rabbitmq-cluster
+    namespace: {{ .Release.Namespace }}
+  tags:
+    - management
+  importCredentialsSecret:
+    name: {{ printf "%s-user-credentials" (.Values.rabbitmq.username | default "app-user") }}

7project/charts/myapp-chart/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.app.name }}
+  labels:
+    app: {{ .Values.app.name }}
+spec:
+  ports:
+    - name: http
+      port: {{ .Values.service.port }}
+      targetPort: {{ .Values.app.port }}
+  selector:
+    app: {{ .Values.app.name }}

7project/charts/myapp-chart/templates/tunnel.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.cfargotunnel.com/v1alpha1
+kind: TunnelBinding
+metadata:
+  name: guestbook-tunnel-binding
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - name: app-server
+    spec:
+      target: {{ printf "http://%s.%s.svc.cluster.local" .Values.app.name .Release.Namespace | quote }}
+      fqdn: {{ required "Set .Values.domain via --set domain=example.com" .Values.domain | quote }}
+      noTlsVerify: true
+tunnelRef:
+  kind: ClusterTunnel
+  name: cluster-tunnel

7project/charts/myapp-chart/templates/worker-deployment.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ printf "%s-worker" .Values.app.name }}
+spec:
+  replicas: {{ .Values.worker.replicas }}
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: {{ printf "%s-worker" .Values.app.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ printf "%s-worker" .Values.app.name }}
+    spec:
+      containers:
+        - name: {{ printf "%s-worker" .Values.app.name }}
+          image: "{{- if .Values.image.digest -}}{{ .Values.image.repository }}@{{ .Values.image.digest }}{{- else -}}{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}{{- end -}}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
+          command:
+            - celery
+            - -A
+            - app.celery_app
+            - worker
+            - -Q
+            - $(MAIL_QUEUE)
+            - --loglevel
+            - INFO
+          env:
+            - name: MARIADB_HOST
+              value: "mariadb-repl-maxscale-internal.mariadb-operator.svc.cluster.local"
+            - name: MARIADB_PORT
+              value: '3306'
+            - name: MARIADB_DB
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_DB
+            - name: MARIADB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_USER
+            - name: MARIADB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: MARIADB_PASSWORD
+            - name: RABBITMQ_USERNAME
+              value: {{ .Values.rabbitmq.username | quote }}
+            - name: RABBITMQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: RABBITMQ_PASSWORD
+            - name: RABBITMQ_HOST
+              value: {{ printf "%s.%s.svc.cluster.local" "rabbitmq-cluster" .Release.Namespace | quote }}
+            - name: RABBITMQ_PORT
+              value: {{ .Values.rabbitmq.port | quote }}
+            - name: RABBITMQ_VHOST
+              value: {{ .Values.rabbitmq.vhost | default "/" | quote }}
+            - name: MAIL_QUEUE
+              value: {{ .Values.worker.mailQueueName | default "mail_queue" | quote }}
+            - name: SENTRY_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: SENTRY_DSN
+            - name: CSAS_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: CSAS_CLIENT_ID
+            - name: CSAS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: CSAS_CLIENT_SECRET
+            - name: DB_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: DB_ENCRYPTION_KEY

7project/charts/myapp-chart/values-dev.yaml

@@ -0,0 +1,5 @@
+env: dev
+
+mariadb:
+  cleanupPolicy: Delete
+

7project/charts/myapp-chart/values-prod.yaml

@@ -0,0 +1,7 @@
+env: prod
+
+app:
+  replicas: 3
+
+worker:
+  replicas: 3

7project/charts/myapp-chart/values.yaml

@@ -0,0 +1,78 @@
+# Base values shared across environments
+env: dev
+
+# Optional PR number used to suffix DB name, set via --set prNumber=123 in CI
+prNumber: ""
+
+# Optional deployment identifier used to suffix resource names (db, user, secret)
+# Example: --set deployment=alice or --set deployment=feature123
+deployment: ""
+
+# Public domain to expose the app under (used by TunnelBinding fqdn)
+# Set at install time: --set domain=example.com
+domain: ""
+domain_scheme: ""
+
+frontend_domain: ""
+frontend_domain_scheme: ""
+
+sentry_dsn: ""
+
+image:
+  repository: lukastrkan/cc-app-demo
+  # You can use a tag or digest. If digest is provided, it takes precedence.
+  digest: ""
+  pullPolicy: IfNotPresent
+
+app:
+  name: "finance-tracker"
+  replicas: 1
+  port: 8000
+
+worker:
+  name: app-demo-worker
+  replicas: 1
+  # Queue name for Celery worker and for CRD Queue
+  mailQueueName: "mail_queue"
+
+
+service:
+  port: 80
+
+oauth:
+  bankid:
+    clientId: ""
+    clientSecret: ""
+  mojeid:
+    clientId: ""
+    clientSecret: ""
+  csas:
+    clientId: ""
+    clientSecret: ""
+
+rabbitmq:
+  create: true
+  replicas: 1
+  storage: 5Gi
+  # Optional: override the generated cluster name; default is "<app.name>-rabbit[-<deployment>]"
+  clusterName: ""
+  port: "5672"
+  username: demo-app
+  password: ""
+  vhost: "/"
+
+mariadb:
+  name: app-demo-database
+  cleanupPolicy: Skip
+  requeueInterval: 10h
+  retryInterval: 30s
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+
+# Database access resources
+database:
+  userName: app-demo-user
+  secretName: app-demo-database-secret
+  password: ""
+  encryptionSecret: ""

7project/checklist.md

@@ -0,0 +1,81 @@
+# Project Evaluation Checklist
+
+The group earn points by completing items from the categories below.
+You are not expected to complete all items.
+Focus on areas that align with your project goals and interests.
+
+The core deliverables are required.
+This means that you must get at least 2 points for each item in this category.
+
+| **Category**                     | **Item**                                | **Max Points** | **Points**                                      |
+|----------------------------------| --------------------------------------- | -------------- |-------------------------------------------------|
+| **Core Deliverables (Required)** |                                         |                |                                                 |
+| Codebase & Organization          | Well-organized project structure        | 5              | 5                                               |
+|                                  | Clean, readable code                    | 5              | 4                                               |
+|                                  | Use planning tool (e.g., GitHub issues) | 5              | 4                                               |
+|                                  | Proper version control usage            | 5              | 5                                               |
+| 23                               | Complete source code                    | 5              | 5                                               |
+| Documentation                    | Comprehensive reproducibility report    | 10             | 4-5                                             |
+|                                  | Updated design document                 | 5              | 2                                               |
+|                                  | Clear build/deployment instructions     | 5              | 2                                               |
+|                                  | Troubleshooting guide                   | 5              | 1                                               |
+|                                  | Completed self-assessment table         | 5              | 2                                               |
+| 14                               | Hour sheets for all members             | 5              | 3                                               |
+| Presentation Video               | Project demonstration                   | 5              | 0                                               |
+|                                  | Code walk-through                       | 5              | 0                                               |
+| 0                                | Deployment showcase                     | 5              | 0                                               |
+| **Technical Implementation**     |                                         |                |                                                 |
+| Application Functionality        | Basic functionality works               | 10             | 8                                               |
+|                                  | Advanced features implemented           | 10             | 0                                               |
+|                                  | Error handling & robustness             | 10             | 4                                               |
+| 16                               | User-friendly interface                 | 5              | 4                                               |
+| Backend & Architecture           | Stateless web server                    | 5              | 5                                               |
+|                                  | Stateful application                    | 10             | ? WHAT DOES THIS MEAN                           |
+|                                  | Database integration                    | 10             | 10                                              |
+|                                  | API design                              | 5              | 5                                               |
+| 20                               | Microservices architecture              | 10             | 0                                               |
+| Cloud Integration                | Basic cloud deployment                  | 10             | 10                                              |
+|                                  | Cloud APIs usage                        | 10             | ? WHAT DOES THIS MEAN                           |
+|                                  | Serverless components                   | 10             | 0                                               |
+| 10                               | Advanced cloud services                 | 5              | 0                                               |
+| **DevOps & Deployment**          |                                         |                |                                                 |
+| Containerization                 | Basic Dockerfile                        | 5              | 5                                               |
+|                                  | Optimized Dockerfile                    | 5              | 0                                               |
+|                                  | Docker Compose                          | 5              | 5 - dev only                                    |
+| 15                               | Persistent storage                      | 5              | 5                                               |
+| Deployment & Scaling             | Manual deployment                       | 5              | 5                                               |
+|                                  | Automated deployment                    | 5              | 5                                               |
+|                                  | Multiple replicas                       | 5              | 5                                               |
+| 20                               | Kubernetes deployment                   | 10             | 10                                              |
+| **Quality Assurance**            |                                         |                |                                                 |
+| Testing                          | Unit tests                              | 5              | 2                                               |
+|                                  | Integration tests                       | 5              | 2                                               |
+|                                  | End-to-end tests                        | 5              | 5                                               |
+| 9                                | Performance testing                     | 5              | 0                                               |
+| Monitoring & Operations          | Health checks                           | 5              | 5                                               |
+|                                  | Logging                                 | 5              | 2 - only to terminal add logstash               |
+| 9                                | Metrics/Monitoring                      | 5              | 2 - only DB, need to create Prometheus endpoint |
+| Security                         | HTTPS/TLS                               | 5              | 5                                               |
+|                                  | Authentication                          | 5              | 5                                               |
+| 15                               | Authorization                           | 5              | 5                                               |
+| **Innovation & Excellence**      |                                         |                |                                                 |
+| Advanced Features and            | AI/ML Integration                       | 10             | 0                                               |
+| Technical Excellence             | Real-time features                      | 10             | 0                                               |
+|                                  | Creative problem solving                | 10             | ?                                               |
+|                                  | Performance optimization                | 5              | 2                                               |
+| 2                                | Exceptional user experience             | 5              | 0                                               |
+| **Total**                        |                                         | **255**        | **153**                                         |
+
+## Grading Scale
+
+- **Minimum Required: 100 points**
+- **Maximum: 200+ points**
+
+| Grade | Points   |
+| ----- | -------- |
+| A     | 180-200+ |
+| B     | 160-179  |
+| C     | 140-159  |
+| D     | 120-139  |
+| E     | 100-119  |
+| F     | 0-99     |

7project/compose.yml

@@ -15,7 +15,7 @@ services:
     volumes:
       - redis_data:/data
   rabbitmq:
-    image: bitnami/rabbitmq:3.13.3-debian-12-r0
+    image: bitnamilegacy/rabbitmq:3.13.3-debian-12-r0
     network_mode: host
     ports:
       - "5672:5672"

7project/create_migration.sh

@@ -8,4 +8,8 @@ fi
 cd backend || { echo "Directory 'backend' does not exist"; exit 1; }
 alembic revision --autogenerate -m "$1"
 git add alembic/versions/*
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}Don't forget to check imports in the new migration file!${NC}"
 cd - || exit

7project/frontend/README.md

@@ -4,7 +4,7 @@ This template provides a minimal setup to get React working in Vite with HMR and
 
 Currently, two official plugins are available:
 
-- [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react) uses [Babel](https://babeljs.io/) for Fast Refresh
+- [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react) uses [Babel](https://babeljs.io/) (or [oxc](https://oxc.rs) when used in [rolldown-vite](https://vite.dev/guide/rolldown)) for Fast Refresh
 - [@vitejs/plugin-react-swc](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react-swc) uses [SWC](https://swc.rs/) for Fast Refresh
 
 ## React Compiler

7project/frontend/package.json

@@ -11,19 +11,21 @@
   },
   "dependencies": {
     "react": "^19.1.1",
-    "react-dom": "^19.1.1"
+    "react-dom": "^19.1.1",
+    "recharts": "^3.3.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.36.0",
-    "@types/react": "^19.1.13",
+    "@types/node": "^24.6.0",
+    "@types/react": "^19.1.16",
     "@types/react-dom": "^19.1.9",
-    "@vitejs/plugin-react": "^5.0.3",
+    "@vitejs/plugin-react": "^5.0.4",
     "eslint": "^9.36.0",
     "eslint-plugin-react-hooks": "^5.2.0",
-    "eslint-plugin-react-refresh": "^0.4.20",
+    "eslint-plugin-react-refresh": "^0.4.22",
     "globals": "^16.4.0",
-    "typescript": "~5.8.3",
-    "typescript-eslint": "^8.44.0",
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.45.0",
     "vite": "^7.1.7"
   }
 }

7project/frontend/src/App.tsx

@@ -0,0 +1,89 @@
+import { useEffect, useState } from 'react';
+import LoginRegisterPage from './pages/LoginRegisterPage';
+import Dashboard from './pages/Dashboard';
+import { logout } from './api';
+import { BACKEND_URL } from './config';
+
+function App() {
+  const [hasToken, setHasToken] = useState<boolean>(!!localStorage.getItem('token'));
+  const [processingCallback, setProcessingCallback] = useState<boolean>(false);
+
+  useEffect(() => {
+    const path = window.location.pathname;
+
+    // Minimal handling for provider callbacks: /auth|/oauth/:provider/callback?code=...&state=...
+    const parts = path.split('/').filter(Boolean);
+    const isCallback = parts.length === 3 && (parts[0] === 'auth') && parts[2] === 'callback';
+
+    if (isCallback) {
+      // Guard against double invocation in React 18 StrictMode/dev
+      const w = window as any;
+      if (w.__oauthCallbackHandled) {
+        return;
+      }
+      w.__oauthCallbackHandled = true;
+
+      setProcessingCallback(true);
+
+      const provider = parts[1];
+      const qs = window.location.search || '';
+      const base = BACKEND_URL.replace(/\/$/, '');
+      const url = `${base}/auth/${encodeURIComponent(provider)}/callback${qs}`;
+      (async () => {
+        try {
+          const token = localStorage.getItem('token');
+          const res = await fetch(url, {
+            method: 'GET',
+            credentials: 'include',
+            headers: token ? { Authorization: `Bearer ${token}` } : undefined,
+          });
+          let data: any = null;
+          try {
+            data = await res.json();
+          } catch {}
+          if (provider !== 'csas' && res.ok && data?.access_token) {
+            localStorage.setItem('token', data?.access_token);
+            setHasToken(true);
+          }
+        } catch {}
+        // Clean URL and go home regardless of result
+        setProcessingCallback(false);
+        window.history.replaceState({}, '', '/');
+      })();
+    }
+
+    const onStorage = (e: StorageEvent) => {
+      if (e.key === 'token') setHasToken(!!e.newValue);
+    };
+    window.addEventListener('storage', onStorage);
+    return () => window.removeEventListener('storage', onStorage);
+  }, []);
+
+  if (processingCallback) {
+    return (
+      <div style={{ display: 'grid', placeItems: 'center', height: '100vh' }}>
+        <div className="card" style={{ width: 360, textAlign: 'center', padding: 24 }}>
+          <div style={{ display: 'flex', flexDirection: 'column', alignItems: 'center', gap: 12 }}>
+            <svg width="48" height="48" viewBox="0 0 50 50" aria-label="Loading">
+              <circle cx="25" cy="25" r="20" fill="none" stroke="#3b82f6" strokeWidth="5" strokeLinecap="round" strokeDasharray="31.4 31.4">
+                <animateTransform attributeName="transform" type="rotate" from="0 25 25" to="360 25 25" dur="0.9s" repeatCount="indefinite" />
+              </circle>
+            </svg>
+            <div>Finishing sign-in…</div>
+            <div className="muted">Please wait</div>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  if (!hasToken) {
+    return <LoginRegisterPage onLoggedIn={() => setHasToken(true)} />;
+  }
+
+  return (
+    <Dashboard onLogout={() => { logout(); setHasToken(false); }} />
+  );
+}
+
+export default App;

7project/frontend/src/api.ts

@@ -0,0 +1,238 @@
+import { BACKEND_URL } from './config';
+
+export type LoginResponse = {
+  access_token: string;
+  token_type: string;
+};
+
+export type Category = {
+  id: number;
+  name: string;
+  description?: string | null;
+};
+
+export type Transaction = {
+  id: number;
+  amount: number;
+  description?: string | null;
+  category_ids: number[];
+  date?: string | null; // ISO date (YYYY-MM-DD)
+};
+
+export async function deleteTransaction(id: number): Promise<void> {
+  const res = await fetch(`${getBaseUrl()}/transactions/${id}/delete`, {
+    method: 'DELETE',
+    headers: getHeaders('none'),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to delete transaction');
+  }
+}
+
+function getBaseUrl() {
+  const base = BACKEND_URL?.replace(/\/$/, '') || '';
+  return base || '';
+}
+
+function getHeaders(contentType: 'json' | 'form' | 'none' = 'json'): Record<string, string> {
+  const token = localStorage.getItem('token');
+  const headers: Record<string, string> = {};
+
+  if (contentType === 'json') {
+    headers['Content-Type'] = 'application/json';
+  } else if (contentType === 'form') {
+    headers['Content-Type'] = 'application/x-www-form-urlencoded';
+  }
+
+  if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  return headers;
+}
+
+export async function login(email: string, password: string): Promise<void> {
+  const body = new URLSearchParams();
+  body.set('username', email);
+  body.set('password', password);
+
+  const res = await fetch(`${getBaseUrl()}/auth/jwt/login`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: body.toString(),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Login failed');
+  }
+  const data: LoginResponse = await res.json();
+  localStorage.setItem('token', data.access_token);
+}
+
+export async function register(email: string, password: string, first_name?: string, last_name?: string): Promise<void> {
+  const res = await fetch(`${getBaseUrl()}/auth/register`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password, first_name, last_name }),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Registration failed');
+  }
+}
+
+export async function getCategories(): Promise<Category[]> {
+  const res = await fetch(`${getBaseUrl()}/categories/`, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load categories');
+  return res.json();
+}
+
+export type CreateTransactionInput = {
+  amount: number;
+  description?: string;
+  category_ids?: number[];
+  date?: string; // YYYY-MM-DD
+};
+
+export async function createTransaction(input: CreateTransactionInput): Promise<Transaction> {
+  const res = await fetch(`${getBaseUrl()}/transactions/create`, {
+    method: 'POST',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to create transaction');
+  }
+  return res.json();
+}
+
+export async function getTransactions(start_date?: string, end_date?: string): Promise<Transaction[]> {
+  const params = new URLSearchParams();
+  if (start_date) params.set('start_date', start_date);
+  if (end_date) params.set('end_date', end_date);
+  const qs = params.toString();
+  const url = `${getBaseUrl()}/transactions/${qs ? `?${qs}` : ''}`;
+  const res = await fetch(url, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load transactions');
+  return res.json();
+}
+
+export type User = {
+  id: string;
+  email: string;
+  first_name?: string | null;
+  last_name?: string | null;
+  is_active: boolean;
+  is_superuser: boolean;
+  is_verified: boolean;
+};
+
+export async function getMe(): Promise<User> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    headers: getHeaders(),
+  });
+  if (!res.ok) throw new Error('Failed to load user');
+  return res.json();
+}
+
+export type UpdateMeInput = Partial<Pick<User, 'first_name' | 'last_name'>> & { password?: string };
+export async function updateMe(input: UpdateMeInput): Promise<User> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    method: 'PATCH',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to update user');
+  }
+  return res.json();
+}
+
+export async function deleteMe(): Promise<void> {
+  const res = await fetch(`${getBaseUrl()}/users/me`, {
+    method: 'DELETE',
+    headers: getHeaders(),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to delete account');
+  }
+}
+
+export function logout() {
+  localStorage.removeItem('token');
+}
+
+// Categories
+export type CreateCategoryInput = { name: string; description?: string };
+export async function createCategory(input: CreateCategoryInput): Promise<Category> {
+  const res = await fetch(`${getBaseUrl()}/categories/create`, {
+    method: 'POST',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to create category');
+  }
+  return res.json();
+}
+
+export type UpdateCategoryInput = { name?: string; description?: string };
+export async function updateCategory(category_id: number, input: UpdateCategoryInput): Promise<Category> {
+  const res = await fetch(`${getBaseUrl()}/categories/${category_id}`, {
+    method: 'PATCH',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to update category');
+  }
+  return res.json();
+}
+
+// Transactions update
+export type UpdateTransactionInput = {
+  amount?: number;
+  description?: string;
+  date?: string;
+  category_ids?: number[];
+};
+export async function updateTransaction(id: number, input: UpdateTransactionInput): Promise<Transaction> {
+  const res = await fetch(`${getBaseUrl()}/transactions/${id}/edit`, {
+    method: 'PATCH',
+    headers: getHeaders(),
+    body: JSON.stringify(input),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to update transaction');
+  }
+  return res.json();
+}
+
+// Balance series
+export type BalancePoint = { date: string; balance: number };
+export async function getBalanceSeries(start_date?: string, end_date?: string): Promise<BalancePoint[]> {
+  const params = new URLSearchParams();
+  if (start_date) params.set('start_date', start_date);
+  if (end_date) params.set('end_date', end_date);
+  const qs = params.toString();
+  const url = `${getBaseUrl()}/transactions/balance_series${qs ? `?${qs}` : ''}`;
+  const res = await fetch(url, { headers: getHeaders() });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(text || 'Failed to load balance series');
+  }
+  return res.json();
+}

7project/frontend/src/appearance.ts

@@ -0,0 +1,38 @@
+export type Theme = 'system' | 'light' | 'dark';
+export type FontSize = 'small' | 'medium' | 'large';
+
+const THEME_KEY = 'app_theme';
+const FONT_KEY = 'app_font_size';
+
+export function applyTheme(theme: Theme) {
+  const body = document.body;
+  const effective = theme === 'system' ? (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light') : theme;
+  body.setAttribute('data-theme', effective);
+}
+
+export function applyFontSize(size: FontSize) {
+  const root = document.documentElement;
+  const map: Record<FontSize, string> = {
+    small: '12px',
+    medium: '15px',
+    large: '21px',
+  };
+  root.style.fontSize = map[size];
+}
+
+export function saveAppearance(theme: Theme, size: FontSize) {
+  localStorage.setItem(THEME_KEY, theme);
+  localStorage.setItem(FONT_KEY, size);
+}
+
+export function loadAppearance(): { theme: Theme; size: FontSize } {
+  const theme = (localStorage.getItem(THEME_KEY) as Theme) || 'light';
+  const size = (localStorage.getItem(FONT_KEY) as FontSize) || 'medium';
+  return { theme, size };
+}
+
+export function applyAppearanceFromStorage() {
+  const { theme, size } = loadAppearance();
+  applyTheme(theme);
+  applyFontSize(size);
+}

7project/frontend/src/config.ts

@@ -0,0 +1,5 @@
+export const BACKEND_URL: string =
+  import.meta.env.VITE_BACKEND_URL ?? '';
+
+export const VITE_UNIRATE_API_KEY: string =
+  import.meta.env.VITE_UNIRATE_API_KEY ?? 'wYXMiA0bz8AVRHtiS9hbKIr4VP3k5Qff8XnQdKQM45YM3IwFWP6y73r3KMkv1590';

7project/frontend/src/index.css

@@ -24,8 +24,6 @@ a:hover {
 
 body {
   margin: 0;
-  display: flex;
-  place-items: center;
   min-width: 320px;
   min-height: 100vh;
 }