├── .gitignore
├── Dockerfile
├── LICENSE
├── README.md
├── ansible
├── deploy.yaml
├── install-app.yaml
├── install-caddy.yml
├── install-db.yaml
├── install-redis.yaml
├── myhosts.ini
└── vars.yml
├── build.sh
├── conf
├── caddy.conf
├── favicon.ico
├── loginscript.sh
├── pydaemon.service
├── robots.txt
├── server-config-localdev.json
├── server-config.json
└── uwsgi.ini
├── migrations
├── 001_users.py
└── 002_movies.py
├── migrations_sqlite
├── 001_init.py
└── 002_movies.py
├── py
├── account.py
├── api_account.py
├── api_dev.py
├── api_movies.py
├── bgtasks.py
├── config.py
├── cron.py
├── db.py
├── main.py
├── mule1.py
├── red.py
├── ui_auth.py
├── util.py
└── webutil.py
├── requirements.txt
├── rsync.sh
├── run.sh
├── scripts
└── dbmigrate.py
├── shell.sh
├── templates
├── auth.html
└── example.html
├── test
├── api-list.jpg
├── auth.jpg
├── quick.sh
├── sample.log.txt
├── test_api.py
└── test_redis.py
└── www
└── index.html
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | .DS_Store
3 | *.log
4 | *.db
5 | /data/
6 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3.11-slim-bullseye
2 |
3 | WORKDIR /app
4 |
5 | # uwsgi must be compiled - install necessary build tools, compile uwsgi
6 | # and then remove the build tools to minimize image size
7 | # (buildDeps are removed, deps are kept)
8 | RUN set -ex \
9 | && buildDeps=' \
10 | build-essential \
11 | ' \
12 | && deps=' \
13 | htop \
14 | ' \
15 | && apt-get update && apt-get install -y $buildDeps $deps --no-install-recommends && rm -rf /var/lib/apt/lists/* \
16 | && pip install uWSGI==2.0.24 \
17 | && apt-get purge -y --auto-remove $buildDeps \
18 | && find /usr/local -depth \
19 | \( \
20 | \( -type d -a -name test -o -name tests \) \
21 | -o \
22 | \( -type f -a -name '*.pyc' -o -name '*.pyo' \) \
23 | \) -exec rm -rf '{}' +
24 |
25 | # install other py libs - not require compilation
26 | COPY requirements.txt /app/requirements.txt
27 | RUN pip install -r /app/requirements.txt
28 |
29 | # copy source files
30 | COPY conf /app/conf
31 | COPY py /app/py
32 | COPY migrations /app/migrations
33 | COPY migrations_sqlite /app/migrations_sqlite
34 | COPY scripts /app/scripts
35 | COPY templates /app/templates
36 | COPY test /app/test
37 | COPY conf/loginscript.sh /etc/profile
38 |
39 | # background spooler dir
40 | RUN mkdir /tmp/pysrv_spooler
41 |
42 | # we don't need this file with Docker (autoload is enabled) but uwsgi looks for it
43 | RUN echo `date +%s` >/app/RESTART
44 |
45 | EXPOSE 80
46 |
47 |
48 | # our server config file
49 | # - you should write your own config file and put OUTSIDE the repository
50 | # since the config file contains secrets
51 | # - here I use the sample template from repo
52 | # - it is also possible to override the config with env variables, either here
53 | # or in Amazon ECS or Kubernetes configuration
54 | # COPY conf/server-config-localdev.json /app/real-server-config.json
55 | # ENV PYSRV_DATABASE_HOST host.docker.internal
56 | # ENV PYSRV_REDIS_HOST host.docker.internal
57 | # ENV PYSRV_DATABASE_PASSWORD x
58 |
59 | # build either a production or dev image
60 | ARG BUILDMODE=production
61 | ENV ENVBUILDMODE=$BUILDMODE
62 |
63 | RUN echo "BUILDMODE $ENVBUILDMODE"
64 |
65 | # run in shell mode with ENV expansion
66 | CMD uwsgi --ini /app/conf/uwsgi.ini:uwsgi-$ENVBUILDMODE
67 |
68 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018 Tomi Mickelsson
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | RESTPie3 - Python REST API Server Starter Kit
3 | =============================================
4 |
5 | This is a lightweight python3 REST API server that offers
6 | essential web service features in a simple package. This is not a framework,
7 | just **a practical and clean codebase that relies on a few core components**
8 | that do the job well. Fork and create your own REST API server quickly.
9 |
10 | Open sourced on Sep 2018 after years of production use at multiple sites.
11 |
12 | Update Sep 2020: Run in Raspberry with an SQLite database.
13 |
14 | Update May 2023: Python and libraries updated, Python 3.11 into use. Still a fine foundation for a new project - the architecture does not age, and simple outlives complex.
15 |
16 | Update March 2024: Ansible scripts for automatic install to cloud.
17 |
18 | **Table of contents**
19 |
20 | * [Features](#features)
21 | * [Building blocks](#building-blocks)
22 | * [Source files](#source-files)
23 | * [Run locally with Docker](#run-locally-with-docker)
24 | * [Develop locally with Docker](#develop-locally-with-docker)
25 | * [API methods](#api-methods)
26 | * [Authentication & authorization](#authentication--authorization)
27 | * [Session data](#session-data)
28 | * [Redis storage](#redis-storage)
29 | * [Background workers & cron](#background-workers--cron)
30 | * [Mules: extra servers](#mules)
31 | * [Logging](#logging)
32 | * [Tests](#tests)
33 | * [Deploy to cloud](#deploy-to-cloud)
34 | * [Security](#security)
35 | * [Scaling up](#scaling-up)
36 | * [Run in Raspberry](#run-in-raspberry)
37 | * [What about the front-end?](#what-about-the-front-end)
38 | * [Need help?](#need-help)
39 | * [License](#license)
40 | * [Screenshot API list](#screenshot)
41 | * [Screenshot Auth](#screenshot2)
42 |
43 |
44 | Features
45 | --------
46 |
47 | A quick list of the features of this Python API server:
48 |
49 | * Simple and flexible server with minimum dependencies
50 | * Process-based request workers, not thread-based nor async
51 | * Secure server-side sessions with Redis storage
52 | * Robust worker management: restarts, timecapping, max life
53 | * Background tasks
54 | * Built-in cron
55 | * Automatic directory page listing the API methods and their docstrings [Screenshot](#screenshot)
56 | * Redis as a generic storage with expiring keys, lightweight queues
57 | * Email & password authentication with secure algorithms
58 | * User role model and authorization of API methods via simple decorator
59 | * Logging system with practical data for troubleshooting, detects slow
60 | requests, warnings&errors colorized
61 | * Server reload on code change
62 | * Database ORM and migrations
63 | * Database init schemas for PostgreSQL and SQLite
64 | * Docker image for the "big cloud" and local development
65 | * Fast rsync deployment of updates to Linux VPS servers
66 | * Tests for the API
67 | * Raspberry compatible
68 | * Simple UI for login/signup/forgot/reset password [Screenshot](#screenshot2)
69 |
70 |
71 | Building blocks
72 | ---------------
73 |
74 | The core building blocks of this server are mature open-source components that
75 | I have years of experience of.
76 |
77 | * [Python](http://python.org) is a high-level and versatile scripting language
78 | that provides powerful features with an exceptionally clear syntax.
79 |
80 | The language is well designed and has received increased fame and
81 | popularity over the recent years. Huge number of developers are picking
82 | Python in their work. In Sep 2017, a StackOverflow study writes about [The Incredible
83 | Growth of Python](https://stackoverflow.blog/2017/09/06/incredible-growth-python/):
84 | "Python has a solid claim to being the fastest-growing major programming
85 | language." In the [TIOBE index](http://www.tiobe.com/tiobe-index/)
86 | Python stands at position 3 as of Sep 2018.
87 |
88 | Having been coding Python professionally for close to two decades, I can say
89 | it has boosted my productivity and still is my primary language for many
90 | tasks, including developing the business logic in the back-end.
91 |
92 | * [Flask](http://flask.pocoo.org/) is the Python web framework. Flask is
93 | considered as an unopinionated micro-framework that only provides the
94 | essentials of a web framework without enforcing other components (like
95 | database, orm, admin interface, sessions etc.) As a webdev veteran I
96 | appreciate this flexibility since I do want to pick the best of breed
97 | components myself. The core stays but other needs may vary from project to
98 | project, from Raspberry to the AWS cloud. The flexibility lets me be in
99 | control and simplify.
100 |
101 | * [uwsgi](https://uwsgi-docs.readthedocs.io/en/latest/) is the master daemon
102 | that runs and supervises the Python worker processes. uwsgi has a list of
103 | power features that are essential to a robust back-end: timecapped requests,
104 | recycling of workers, background tasks, cron jobs, timers, logging, auto
105 | reloads on code change, run-as privileges. uwsgi is configured via the
106 | [uwsgi.ini](conf/uwsgi.ini) file.
107 |
108 | * [PostgreSQL](http://postgresql.org) is the main database, "the most advanced
109 | open source database" that is getting stronger every year. PostgreSQL is a
110 | powerhouse of features with a rock-solid implementation. Personally I enjoy
111 | the JSON functionality the most, since it provides good amount of
112 | flexibility to the relational model that I still prefer in a master database
113 | over the schema-free solutions.
114 |
115 | Someone wrote an article saying [PostgreSQL is the worlds' best database](https://www.2ndquadrant.com/en/blog/postgresql-is-the-worlds-best-database/).
116 |
117 | Note that the code also supports [SQLite](https://www.sqlite.org/index.html)
118 | database. SQLite maybe convenient in a lighter setup if the full power of
119 | PostgreSQL is not needed such as in a Raspberry.
120 |
121 | * [Redis](https://redis.io/) is a persistent in-memory database that is used
122 | as a storage for server-side session data and as a lightweight caching and
123 | queueing system. Fast and solid.
124 |
125 | * [Peewee](http://docs.peewee-orm.com/en/latest/) is a straightforward
126 | database ORM library. It is small and easy to learn, and has all the
127 | necessary features. I favor the simplicity of the ActiveRecord pattern with
128 | 1-1 mapping of classes and database, as opposed to more complex data mapper
129 | pattern that is followed by the big
130 | [SQLAlchemy](https://www.sqlalchemy.org/) library. I know SQL and like to
131 | operate at the row level, and have explicit control.
132 | Peewee makes database access a breeze and allows you to execute raw
133 | SQL if you need the full power of the database. Peewee supports SQLite,
134 | MySQL and PostgreSQL.
135 |
136 | For scheme migrations,
137 | [Peewee-migrate](https://github.com/klen/peewee_migrate) is an easy choice
138 | that fits well with Peewee.
139 |
140 |
141 | If you'd like to replace some of these components, it is possible, this is a
142 | small codebase.
143 |
144 |
145 | Source files
146 | ------------
147 |
148 | The whole of this server fits into a small set of files:
149 |
150 | ```
151 | ├── /ansible/ # ansible files for automated cloud install
152 | ├── /conf/ # configuration files
153 | │ ├── /caddy.conf # config for Caddy www proxy that ansible setups
154 | │ ├── /favicon.ico # site icon
155 | │ ├── /loginscript.sh # docker shell login script, sets paths
156 | │ ├── /pydaemon.service # systemd daemon config
157 | │ ├── /robots.txt # deny all from robots
158 | │ ├── /server-config-localdev.json # main server config for localdev in docker
159 | │ ├── /server-config.json # main server config, ansible fills and copies to cloud
160 | │ └── /uwsgi.ini # uwsgi daemon config, for localdev & server
161 | ├── /migrations/ # db migrations - postgresql
162 | │ ├── /001_users.py # users table, the foundation
163 | │ └── /002_movies.py # movies table, just as an example
164 | ├── /migrations_sqlite/ # db migrations - sqlite
165 | │ ├── /001_init.py # users table, the foundation
166 | │ └── /002_movies.py # movies table, just as an example
167 | ├── /py/ # python modules
168 | │ ├── /account.py # account related: passwords, user session
169 | │ ├── /api_account.py # API-endpoints for login/signup/logout
170 | │ ├── /api_dev.py # API-endpoints for dev/testing/api list
171 | │ ├── /api_movies.py # API-endpoints for movies basic crud
172 | │ ├── /bgtasks.py # background tasks, 1 sample method
173 | │ ├── /config.py # central config for the app
174 | │ ├── /cron.py # cron methods: run every min, hourly, daily
175 | │ ├── /db.py # database classes and methods
176 | │ ├── /main.py # server main
177 | │ ├── /red.py # redis: get/set keyvals, lists, atomic
178 | │ ├── /ui_auth.py # quick auth pages
179 | │ ├── /util.py # misc utility functions
180 | │ └── /webutil.py # core web flow: before/after request, auth, role check
181 | ├── /scripts/ # scripts
182 | │ └── /dbmigrate.py # db migration
183 | ├── /templates/ # templates (if you really need them)
184 | │ ├── /auth.html # login/signup form
185 | │ └── /example.html # very basic jinja2 example
186 | ├── /test/ # test scripts
187 | │ ├── /quick.sh # quick adhoc curl example
188 | │ ├── /test_api.py # test API methods
189 | │ ├── /test_redis.py # test redis module
190 | │ └── /sample.log.txt # sample logging output from api test
191 | ├── /www/ # static files for Caddy
192 | ├── build.sh # build Docker image in dev mode
193 | ├── Dockerfile # docker image config
194 | ├── requirements.txt # python 3rd party dependencies
195 | ├── rsync.sh # rsync sources to server and reload (instead of ansible)
196 | ├── run.sh # run server locally with Docker in dev mode
197 | └── shell.sh # run interactive shell inside docker instance
198 | ```
199 |
200 | So how do you get started with your own project? I suggest to take this route:
201 |
202 | * browse briefly the source files, understand their role
203 | * read and throw away `002_movies.py` and `api_movies.py`, they exist only as
204 | a sample
205 | * discard `cron.py, bgtasks.py` if you don't need background processing
206 | * discard `templates` if you only create an API server
207 | * write your own business logic:
208 | * create data classes and methods in `db.py or db_x.py`
209 | * create API modules in `api_x.py`
210 | * create database migrations
211 | * create tests
212 |
213 |
214 | Run locally with Docker
215 | -----------------------
216 |
217 | RESTPie3 is easy to run locally via Docker.
218 | The base image is an [official python image](https://hub.docker.com/_/python)
219 | variant **python:3.11-slim-bullseye**.
220 |
221 | If you already have Docker installed, the quick steps to run RESTPie3 with
222 | SQLite and Redis are:
223 |
224 | docker pull redis:5
225 |
226 | # create + start the redis instance
227 | docker run -d --name redis -p 6379:6379 redis:5
228 |
229 | # download and build RESTPie3
230 | git clone https://github.com/tomimick/restpie3
231 | cd restpie3
232 | ./build.sh
233 |
234 | # start RESTPie3
235 | ./run.sh
236 |
237 | # in another term, create initial database schema
238 | docker exec -it restpie-dev bash -l -c 'python /app/scripts/dbmigrate.py'
239 |
240 |
241 | If all went OK, RESTPie3, SQLite and Redis are running and you should be able to list
242 | the REST API at http://localhost:8100/api/list
243 |
244 | The SQLite database is empty at this point so empty lists are returned from
245 | the API. You are also logged out so some of the API end-points can't be
246 | accessed. To quickly test the API, you can invoke this example script which
247 | uses curl to do a signup and insert a new movie in the database:
248 |
249 | ./test/quick.sh
250 |
251 | For a serious setup you want to have full PostgreSQL. Do the setup like this:
252 |
253 | docker pull postgres:15
254 |
255 | # create + start a postgres instance - use your own db + password!
256 | # the params here must match the ones in conf/server-config-localdev.json
257 | docker run -d --name pos-restpie -p 5432:5432 -e POSTGRES_DB=tmdb -e POSTGRES_USER=tm -e POSTGRES_PASSWORD=MY_PASSWORD postgres:12
258 |
259 | # activate the uuid extension
260 | docker exec -it pos-restpie psql -U tm -d tmdb -c 'create extension "uuid-ossp"'
261 |
262 | # and then in server-config-localdev.json
263 | # set PYSRV_DATABASE_HOST (see PYSRV_DATABASE_HOST_POSTGRESQL)
264 |
265 | To start and stop these docker instances, invoke:
266 |
267 | docker start redis
268 | docker start pos-restpie
269 | docker start restpie-dev
270 | docker stop redis
271 | docker stop pos-restpie
272 | docker stop restpie-dev
273 |
274 |
275 |
276 | Develop locally with Docker
277 | ---------------------------
278 |
279 | Docker is great for packaging software to be run in the cloud, but it is also
280 | beneficial while developing the software. With Docker you can isolate and play
281 | easily with different dev environments and services without installing
282 | anything on the local machine and without facing ugly local version conflicts.
283 | Running the same docker image locally also ensures the environment is
284 | identical to the release environment, which makes a lot of sense.
285 |
286 | ./run.sh
287 |
288 | The above command runs the dev instance in the foreground so you are able to
289 | see the logging output in the console and detect errors immediately. You can
290 | stop the server with CTRL+C. When the instance ends, its data is deleted (the
291 | --rm option) - this is good as we don't want to create a long list of dangling
292 | temporary instances.
293 |
294 | Now the COOL thing in the dev mode here is that we are using Docker volumes to
295 | map a local root folder containing all source files to `/app/` folder
296 | inside the Docker instance. This makes it possible to use any local file
297 | editor to edit the python sources and when a file is saved, the server inside
298 | the Docker instance reloads itself automatically!
299 |
300 | To see the executed SQL statements of the server in the console, you can set
301 | the PYSRV_LOG_SQL env variable:
302 |
303 | docker run -it --rm --name restpie-dev -p 8100:80 -v `pwd`/:/app/ -e PYSRV_LOG_SQL=1 restpie-dev-image
304 |
305 |
306 | If you want to run a shell inside the dev instance, invoke in another terminal
307 | session, while dev instance is running:
308 |
309 | docker exec -it restpie-dev bash -l
310 |
311 | # or just
312 | ./shell.sh
313 |
314 | # see files in the instance file system
315 | ls
316 | ll
317 |
318 | # see running processes
319 | htop
320 |
321 | # run python files
322 | python scripts/something.py
323 |
324 | You can modify the [login script](conf/loginscript.sh) to set paths and
325 | aliases etc for this interactive shell.
326 |
327 |
328 | API methods
329 | -----------
330 |
331 | The available API methods are implemented in api_x.py modules:
332 |
333 | * `api_account.py` contains the core email/password login/signup/logout
334 | methods that you most likely need anyway.
335 | * `api_dev.py` contains misc methods for testing and developing which you can
336 | discard after learning the mechanics.
337 | * `api_movies.py` is just a sample module to demonstrate a basic CRUD REST
338 | API. You definately want to discard this and transform into your actual
339 | data models - just read and learn it.
340 |
341 | The server has built-in little [introspection](#screenshot) for listing the available APIs as
342 | a HTML page. You just declare, implement and document the API methods
343 | normally with the Flask decorator, docstrings and the methods will be
344 | automatically listed at
345 | [localhost:8100/api/list](http://localhost:8100/api/list). This is a neat way
346 | to document your server API. You can decide whether you want to disable this
347 | functionality in production or not.
348 |
349 | To parse and serialize JSON data I am simply using the Flask and Peewee
350 | primitives: `jsonify, JSONEncoder and Peewee
351 | model_to_dict/dict_to_model`. I am not using other libraries such as
352 | [Flask-RestPlus](https://flask-restplus.readthedocs.io/en/stable/) or
353 | [Connexion](https://github.com/zalando/connexion). I have used
354 | [Flask-Restful](https://flask-restful.readthedocs.io/en/latest/) before but I
355 | am not sure these libs add value. You might be able to reduce the number
356 | of code lines a little with them but possibly loosing simplicity and control.
357 | In my opinion Flask already provides the core I need. Adding one of these libs
358 | is perfectly possible though should you want it.
359 |
360 | Also I am not using [Swagger](https://swagger.io/) here but I do have felt the
361 | temptation! The first question with Swagger would be which way to go: To first
362 | create the API spec manually and then generate the method stubs, or first
363 | write the methods with annotations and then generate the API spec? I am not
364 | sure about the order and [neither is the community](https://news.ycombinator.com/item?id=14035936). Swagger maybe good for big projects but this is a
365 | small and cute project :)
366 |
367 |
368 | Authentication & authorization
369 | ------------------------------
370 |
371 | Simple email-password based signup and login authentication is included in the
372 | server. It relies on [PassLib](https://passlib.readthedocs.io/en/stable/)
373 | Python library for strong uptodate hashing algorithms.
374 |
375 | A Python decorator called `login_required` can be inserted before an API
376 | method that controls that the method requires an authenticated user session,
377 | and optionally to specify if the method requires a certain user level. User
378 | accounts have a role-field whose value is one of:
379 |
380 | ```python
381 | user.role = (disabled, readonly, editor, admin, superuser)
382 | ```
383 |
384 | You can set the user roles that are meaningful for your project, see the
385 | migration [001_users.py](migrations/001_users.py). If this simple linear role
386 | model is too limited, you can introduce a capability model perhaps with a text
387 | array field, similar to `user.tags`.
388 |
389 | For example, this method requires that the user is logged on and has a role
390 | editor:
391 |
392 | ```python
393 | @app.route('/api/movies/', methods = ['POST'])
394 | @login_required(role='editor')
395 | def movie_create():
396 | """Creates a movie and returns it."""
397 | #...code here...
398 | ```
399 |
400 | If the user does not have an editor role or above, the API server returns 401
401 | Unauthorized to the client.
402 |
403 | API methods which don't have a `login_required` decorator attached are
404 | available for anybody, including non authenticated visitors.
405 |
406 | Accounts with role=disabled are stopped at the door and not let in to the
407 | server at all.
408 |
409 | If you want to support Facebook or Google OAuth authentication method, I
410 | recommend you use the [rauth](https://github.com/litl/rauth) library.
411 |
412 | By default the server allows accessing the API from all domains, CORS
413 | `Access-Control-Allow-Origin value='*'` but it can be set in the config file.
414 |
415 |
416 | Session data
417 | ------------
418 |
419 | Server-side session data is stored in Redis. Data written into a session is
420 | not visible at the client side.
421 |
422 | Flask provides a thread-global session object that acts like a dictionary. You
423 | set keys to values in the session. A value can be any object that can be
424 | [pickled](https://docs.python.org/3/library/pickle.html). Modifications to the
425 | session data are automatically saved to Redis by Flask at the end of the
426 | request.
427 |
428 | This starter stores two core data in the session: `userid` and `role` of the
429 | user. (Role-field is in session for performance reason: otherwise we would
430 | need to query it from the database with EVERY request that specifies
431 | login_required. Note that if the user role changes, you need to update it in
432 | session too.)
433 |
434 | A common operation in an API method is to access the calling user object,
435 | myself. There is a call `webutil.get_myself()` that loads myself from the
436 | database, or None for a visitor.
437 |
438 | Flask also provides a thread-global object called `g` where you can store
439 | data, but this data is *only stored for the duration of the request.* This
440 | data is not stored in Redis and is discarded when the request ends. `g` can be
441 | used for caching common data during the request, but don't overuse it.
442 |
443 | Redis is a persistent storage, unlike memcached, which means that if the
444 | server gets rebooted, the user sessions will be restored and logged-in users
445 | do not need to relogin.
446 |
447 | By default, the session is remembered for 1 month. If there is no user
448 | activity during 1 month, the session gets deleted. This time is controlled by
449 | PERMANENT_SESSION_LIFETIME in [config.py](py/config.py).
450 |
451 |
452 | Redis storage
453 | -------------
454 |
455 | You can also use Redis for other than session data. Redis can act as a
456 | convenient schema-free storage for various kinds of data, perhaps for
457 | temporary data, or for lists whose size can be limited, or act as a
458 | distributed cache within a cluster of servers.
459 |
460 | A typical case might be that a background worker puts the calculation results
461 | into Redis where the data is picked from by an API method (if the result is
462 | secondary in nature and does not belong to the master database).
463 |
464 | The module [red.py](py/red.py) provides simple methods for using Redis:
465 |
466 | ```python
467 | # store a value into Redis (here value is a dict but can be anything)
468 | value = {"type":"cat", "name":"Sophia"}
469 | red.set_keyval("mykey", value)
470 |
471 | # get a value
472 | value = red.get_keyval("mykey")
473 |
474 | # store a value that will expire/disappear after 70 minutes:
475 | red.set_keyval("cron_calculation_cache", value, 70*60)
476 | ```
477 |
478 | To append data into a list:
479 |
480 | ```python
481 | # append item into a list
482 | item = {"action":"resize", "url":"https://example.org/a.jpg"}
483 | red.list_append("mylist", item)
484 |
485 | # take first item from a list
486 | item = red.list_pop("mylist")
487 |
488 | # append item into a FIFO list with a max size of 100
489 | # (discards the oldest items first)
490 | red.list_append("mylist", data_item, 100)
491 | ```
492 |
493 | red.py can be extended to cover more functionality that
494 | [Redis provides](https://redis.io/commands).
495 |
496 |
497 | Background workers & cron
498 | -------------------------
499 |
500 | uwsgi provides a simple mechanism to run long running tasks in background
501 | worker processes.
502 |
503 | In any Python module (like in [bgtasks.py](py/bgtasks.py)) you have code
504 | to be run in a background worker:
505 |
506 | ```python
507 | @spool(pass_arguments=True)
508 | def send_email(*args, **kwargs):
509 | """A background worker that is executed by spooling arguments to it."""
510 | #...code here...
511 | ```
512 |
513 | You start the above method in a background worker process like this:
514 |
515 | ```python
516 | bgtasks.send_email.spool(email="tomi@tomicloud.com",
517 | subject="Hello world!", template="welcome.html")
518 | ```
519 |
520 | The number of background worker processes is controlled by `spooler-processes`
521 | configuration in [uwsgi.ini](conf/uwsgi.ini). The spooled data is written and
522 | read into a temp file on disk, not in Redis.
523 |
524 | Crons are useful for running background tasks in specified times, like in
525 | every hour or every night. uwsgi has an easy built-in support for crons. To
526 | have a nightly task you simple code:
527 |
528 | ```python
529 | @cron(0,2,-1,-1,-1)
530 | #(minute, hour, day, month, weekday) - in server local time
531 | def daily(num):
532 | """Runs every night at 2:00AM."""
533 | #...code here...
534 | ```
535 |
536 | Mules
537 | -----
538 |
539 | Mules are independent background worker processes/servers that start and stop
540 | along with the main API server.
541 |
542 | The benefit of mules is ease of setup and ease of sharing code and
543 | environment. You can develop extra servers with little effort - uwsgi manages
544 | the config and lifetimes of mules. If a mule exits for some reason, it is
545 | automatically restarted by uwsgi. (It is also possible to communicate between
546 | mules - read more [in the
547 | docs](https://uwsgi-docs.readthedocs.io/en/latest/Mules.html)).
548 |
549 | In the included toy example [mule1.py](py/mule1.py) a TCP server is created
550 | that listens on port 9999 and echoes back whatever it receives from TCP
551 | clients. You can test it by sending data to it with netcat-tool like this:
552 |
553 | echo "hello world" | nc 192.168.100.10 9999
554 |
555 |
556 | You can have any number of different mules, each running in their own process.
557 | They are configured in [uwsgi.ini](conf/uwsgi.ini):
558 |
559 | mule = py/mule1.py
560 | mule = py/mule2.py
561 |
562 |
563 |
564 | Logging
565 | -------
566 |
567 | Logging is an essential tool in monitoring and troubleshooting the server
568 | operation. This server automatically logs several useful data in the log file,
569 | including the request path, method and parameters, and return codes and
570 | tracebacks. Userid and origin ip address is logged too.
571 |
572 | Secrets should not be written into a log file to prevent unnecessary leakage
573 | of data. Currently this server automatically prevents logging keys
574 | ["password", "passwd", "pwd"] if they exist in the input parameters of an API
575 | method. You should extend this list to cover your secret keys.
576 |
577 | In local development, the log is dumped to the console, and at server the log
578 | is dumped to a file `/app/app.log`. It is also possible to send the logging
579 | output to a remote `rsyslog`. This can be useful in a cluster setup.
580 |
581 | Slow queries that take more than 1 second to finish are logged with a warning
582 | SLOW! and the log line includes the actual amount of time it took to respond.
583 | It is good to monitor where the pressure starts to cumulate in a server and
584 | then optimize the code or put the execution into a background worker.
585 |
586 | Requests that take more than 20 seconds get terminated and the following line
587 | is logged: `HARAKIRI ON WORKER 1 (pid: 47704, try: 1)`. This harakiri time is
588 | configurable.
589 |
590 | To log the executed SQL statements during development, see PYSRV_LOG_SQL
591 | above.
592 |
593 | Note that as the server logs may contain sensitive data, you should not keep
594 | the production logs for too long time, and you should mention in the policy
595 | statement what data you collect. The GDPR legislation in Europe has a saying
596 | on this.
597 |
598 | To monitor the log file in realtime at server you can invoke:
599 |
600 | tail -f -n 500 /app/app.log
601 |
602 | To see the logged errors only, in most recent first order:
603 |
604 | tac /app/app.log | grep "^ERR " | less -r
605 |
606 | This starter comes with a simple log line colorizer out of the box, hilighting
607 | warnings and errors with a simple logging.Formatter. This is convenient but
608 | the escape codes are inserted into the log file. If you want to have a more
609 | powerful logging colorizer, take a look of
610 | [grc](https://github.com/garabik/grc) for example.
611 |
612 | As an example, the server logs [this output](test/sample.log.txt) when the
613 | included API tests are run.
614 |
615 |
616 | Tests
617 | -----
618 |
619 | The test folder contains two test scripts for testing the server API and the
620 | Redis module. Keeping tests up-todate and running them frequently or
621 | automatically during the process is a safety net that protects you from
622 | mistakes and bugs. With dynamic languages such as Python or Javascript or
623 | Ruby, tests are even more important than with compiled languages.
624 |
625 | For locally run tests I expose a method `/apitest/dbtruncate` in
626 | [api_dev.py](py/api_dev.py) that truncates the data in the database tables
627 | before running the API tests. If you like to write tests in a different way,
628 | just remove it.
629 |
630 | Run tests inside the DEV instance:
631 |
632 | docker exec -it restpie-dev bash -l -c 'python /app/test/test_api.py'
633 | docker exec -it restpie-dev bash -l -c 'python /app/test/test_redis.py'
634 |
635 |
636 | Deploy to Cloud
637 | ---------------
638 |
639 | There are endless ways to deploy server software to cloud, X amount of tools and Y amount of different kinds of online services. For an early startup or for a hobby project my advice is this: start small and easy - buy a cheap virtual private server, VPS, or a few of them, from a big or a small cloud vendor and run your backend services there. Have control of your infra. Have simple scripts to automate things. Then automate more via Github Actions and so on. There is time later to grow your infra if you get past product-market-fit challenges and actually enjoy a bigger business.
640 |
641 | [Ansible](https://www.ansible.com/) is one of the best lightweigt tools to automate infra tasks. It simply runs commands over the SSH against all your servers.
642 |
643 | I have prepared Ansible scripts to setup RESTPie3 quickly on a Linux server(s). These steps have been verified to work with Debian 12.5 "bookworm".
644 |
645 | The scripts setup Redis + PostgreSQL + RESTPie3 + Caddy on your server(s). [Caddy](https://caddyserver.com) is a solid and simple www server written in Go that can run as a proxy in front of uwsgi.
646 |
647 | Prerequisites:
648 | - Have a root ssh access to your server(s) via ssh publickey, and use ssh-agent to store your private key so you don't have to type the passphare all the time. After setup you should disable server root access.
649 | - Update your server to the latest versions: `apt update & apt upgrade`
650 | - Locally create a new ssh-key for the user-level Linux account that is later used for deploys
651 | `ssh-keygen -t rsa -f ~/.ssh/id_myapp -C 'restpie3 deploy account'`
652 | - If you run OSX, update local rsync to latest 3.x: `brew install rsync`
653 | - Install Ansible tools and extensions locally (OSX: `brew install ansible`)
654 | - Put your desired config/secrets into [vars.yml](ansible/vars.yml) Note: do NOT commit secrets into git! Move this file elsewhere or put into `.gitignore`
655 | - Write the IP-address or domain name of your server into [myhosts.ini](ansible/myhosts.ini). If you have multiple servers, write them all here.
656 |
657 | Then run these scripts:
658 |
659 | cd restpie3/ansible/
660 | ansible-playbook -i myhosts.ini install-redis.yaml
661 | ansible-playbook -i myhosts.ini install-caddy.yaml
662 | ansible-playbook -i myhosts.ini install-db.yaml
663 | ansible-playbook -i myhosts.ini install-app.yaml
664 |
665 | Now you should have a running RESTPie3 at the server you configured. Point your browser there. You should see text `RESTPie3 setup works!`
666 |
667 | Your code updates from local machine to server can be deployed with:
668 |
669 | ansible-playbook -i myhosts.ini deploy.yaml
670 |
671 | Later you might want to run this script from Github Action to have consistent automation.
672 |
673 | For a production setup you should harden the security of this simple setup with the usual steps like: create a private network behind a load balancer, disable ssh root login, carefully build access control, etc.
674 |
675 |
676 | Security
677 | --------
678 |
679 | A few words about security practices in this software:
680 |
681 | * no secrets are stored in code but in an external configuration file or in
682 | environment variables
683 | * all requests are logged and can be inspected later
684 | * no secrets are leaked to the log file
685 | * server based sessions with an opaque uuid cookie
686 | * no Javascript access to uuid cookie
687 | * config to require https for cookies (do enable in production)
688 | * strong algorithms are used for password auth
689 | * only salt and password hash is stored in the database
690 | * session can be either permanent or end on browser close
691 | * sensitive user objects have a random uuid and not an integer id
692 | * possible to add a fresh cookie check by saving IP+agent string to session
693 | * database code is not vulnerable to SQL injections
694 | * authorization is enforced via user roles and function decorator, not
695 | requiring complex code
696 | * uwsgi supports running code as a lower privileged user
697 |
698 | Of course the overall security of the service is also heavily dependent on the
699 | configuration of the server infrastructure and access policies.
700 |
701 |
702 | Scaling up
703 | ----------
704 |
705 | While the codebase of this server is small, it has decent muscle. The
706 | *stateless* design makes it perfectly possible to scale it up to work in a
707 | bigger environment. There is nothing in the code that "does not scale". The
708 | smallness and flexibility of the software makes it actually easier to scale,
709 | allowing easier switch of components in case that is needed. For
710 | example, you can start with the uwsgi provided background tasks framework and
711 | replace that later on with, say [Celery](http://www.celeryproject.org/), if
712 | you see it scales and fits better.
713 |
714 | In a traditional setup you first scale up vertically, you "buy a bigger
715 | server". This code contains a few measures that helps scaling up
716 | vertically:
717 |
718 | * you can add worker processes to match the single server capacity
719 | * you can add more background processes if there is a lot of background jobs
720 | * slow requests are logged so you see when they start to cumulate
721 | * stuck requests never halt the whole server - stuck workers are killed after
722 | 20 seconds by default, freeing resources to other workers (harakiri)
723 | * you can optimize SQL, write raw queries, let the database do work better
724 | * you can cache data in Redis
725 |
726 | When you outgrow the biggest single server, and start adding servers, you
727 | scale horizontally. The core API server component can be cloned into a cluster
728 | of servers where each of them operates independently of the others. Scaling
729 | the API server here is easy, it is the other factors that become harder, like
730 | database scaling and infra management.
731 |
732 |
733 | Run in Raspberry
734 | ----------------
735 |
736 | RESTPie3 runs fine in Raspberry. RESTPie3 is lightweight, does not consume
737 | much resources, and supports robust daemon and worker management that is
738 | important in a setup that may have more hiccups such as power outages or
739 | connectivity issues.
740 |
741 | In a Raspberry setup there usually is less need for a big database. Hence
742 | RESTPie3 also supports SQLite which is a small but solid zero configuration
743 | SQL database.
744 |
745 | To activate SQLite mode, configure server-config.json like this:
746 |
747 | "PYSRV_DATABASE_HOST": "/app/data/mydb.sqlite",
748 |
749 | Then follow steps in "Run and Develop locally with Docker". Invoke ./run.sh.
750 | Then initialize SQLite database inside the container, from another terminal:
751 |
752 | docker exec -it restpie-dev bash -l -c 'python3 /app/scripts/dbmigrate.py'
753 |
754 | The SQLite database file will be created into RESTPiE3/data/mydb.sqlite. Note
755 | that this file is outside the container, accessed via volume so the file is
756 | not destroyed when the image is destroyed.
757 |
758 | Local container should now run with SQLite database.
759 |
760 | **Setup Raspberry**
761 |
762 | The setup steps for Raspberry are similar as with any Linux host. Here's the
763 | steps in short. I assume you already have a working SSH connection to
764 | Raspberry with pubkey configured.
765 |
766 | ```console
767 | # in raspberry:
768 | sudo apt-get update
769 | sudo apt-get install redis-server
770 | sudo apt-get install python3-pip
771 | sudo mkdir /app/
772 | sudo chown pi /app
773 |
774 | # in local machine:
775 | pico rsync.sh # write your own HOST
776 | # then transfer files to raspberry /app/
777 | ./rsync.sh
778 |
779 | # in raspberry:
780 | pico /app/requirements.txt # remove psycopg2-binary
781 | sudo pip3 install -r /app/requirements.txt
782 | sudo pip3 install uwsgi
783 | cd /app/
784 | export PYTHONPATH=/app/py/
785 | cp conf/server-config.json real-server-config.json
786 | export PYSRV_CONFIG_PATH=/app/real-server-config.json
787 |
788 | # init sqlite database
789 | mkdir data
790 | python3 scripts/dbmigrate.py
791 | # empty database was created at /app/data/mydb.sqlite
792 | pico /app/real-server-config.json # make sure all is correct, change PYSRV_REDIS_HOST to "localhost:6379"
793 |
794 | # setup server as a service, to start on reboot
795 | sudo cp conf/pydaemon.service /etc/systemd/system/
796 | sudo systemctl enable pydaemon
797 | sudo systemctl daemon-reload
798 | sudo systemctl start pydaemon
799 |
800 | # in local machine:
801 | # edit sources, then rsync...
802 | ./rsync.sh
803 | # server reloads itself automatically
804 | ```
805 |
806 |
807 | What about the front-end?
808 | -------------------------
809 |
810 | This is primarily a back-end Python server that provides a REST API to the
811 | world. There is no front-end implementation in this project apart from the
812 | four quick auth pages. This is because the focus is on creating a good REST
813 | API server that serves web front-ends and native mobile apps, but also because
814 | I think that it is good to modularize the front-end and back-end code cleanly
815 | into separate code bases.
816 |
817 | There is a simple [example.html](templates/example.html) page if you just want
818 | to quickly output an HTML page that is generated at server side in the old
819 | fashioned way.
820 |
821 | Also included are simple HTML pages for [login, signup, forgot password and reset password](templates/auth.html) since these pages are usually
822 | required in every project and it is boring to always build them from
823 | scratch. Only HTML and CSS is used with zero lines of Javascript.
824 | It is easy to start the project with them and create something fancier
825 | later if needed.
826 |
827 |
828 | Need help?
829 | ----------
830 |
831 | This starter is intended to provide you a quick start in building a great
832 | foundation for an API back-end. Take this code and see if it works for you.
833 | This server is not a toy - it is a practical, solid server that is based on my
834 | experience in building full-stack services over the years.
835 |
836 | If you need dev power in building your great service, back or front, you can
837 | [email me](mailto:tomi.mickelsson@gmail.com) to ask if I am available for
838 | freelancing work. Check my blog at [tomicloud.com](https://tomicloud.com).
839 |
840 |
841 | License
842 | -------
843 | MIT License
844 |
845 |
846 | Screenshot
847 | ----------
848 |
849 | [/api/list](http://localhost:8100/api/list) returns an HTML page that lists
850 | the available API methods and their docstring automatically.
851 |
852 | 
853 |
854 | Screenshot2
855 | -----------
856 |
857 | [/auth/signup](http://localhost:8100/auth/signup) quick auth pages for
858 | login/signup/forgot password/reset password.
859 |
860 | 
861 |
862 |
--------------------------------------------------------------------------------
/ansible/deploy.yaml:
--------------------------------------------------------------------------------
1 |
2 | - name: Deploy software to server
3 | hosts: apphosts
4 | # note: deploy happens via regular user, not root, which should be disabled
5 |
6 | vars_files:
7 | - vars.yml
8 |
9 | tasks:
10 | - name: Synch files to server
11 | ansible.posix.synchronize:
12 | src: "{{ src_folder }}"
13 | dest: /app/
14 | rsync_opts:
15 | - "--exclude=.git"
16 | - "--chown={{ app_user }}:staff"
17 |
18 | - name: DB migration
19 | ansible.builtin.shell:
20 | cmd: /app/PYENV/bin/python3 /app/scripts/dbmigrate.py
21 | chdir: /app/
22 | environment:
23 | PYTHONPATH: /app/py/
24 | PYSRV_CONFIG_PATH: /app/real-server-config.json
25 | PATH: "/app/PYENV/bin/:{{ ansible_env.PATH }}"
26 | when: 0
27 | # when toggles true/false
28 |
29 | - name: Restart server
30 | ansible.builtin.file:
31 | path: /app/RESTART
32 | state: touch
33 | mode: u=rw,g=r,o=r
34 |
--------------------------------------------------------------------------------
/ansible/install-app.yaml:
--------------------------------------------------------------------------------
1 |
2 | - name: Install our python app server
3 | hosts: apphostsroot
4 |
5 | vars_files:
6 | - vars.yml
7 |
8 | tasks:
9 | - name: Create unix user
10 | ansible.builtin.user:
11 | name: "{{ app_user }}"
12 | groups: "sudo"
13 |
14 | - name: Upload ssh pubkey to authorized key
15 | ansible.posix.authorized_key:
16 | user: "{{ app_user }}"
17 | state: present
18 | key: "{{ lookup('file', '~/.ssh/id_myapp.pub') }}"
19 |
20 | - name: Create /app dir
21 | ansible.builtin.file:
22 | path: /app/
23 | state: directory
24 | owner: "{{ app_user }}"
25 | mode: u=rw,g=r,o=r
26 |
27 | - name: Install packages
28 | ansible.builtin.apt:
29 | pkg:
30 | - python3-pip
31 | - python3-venv
32 | - uwsgi-core
33 | - uwsgi-plugin-python3
34 | - htop
35 |
36 | - name: Create python virtual env
37 | ansible.builtin.command: "python3 -m venv /app/PYENV/"
38 |
39 | - name: Copy source files to server
40 | ansible.posix.synchronize:
41 | src: "{{ src_folder }}"
42 | dest: /app/
43 | owner: false
44 | group: false
45 | rsync_opts:
46 | - "--exclude=.git"
47 |
48 | - name: Create RESTART file
49 | ansible.builtin.file:
50 | path: /app/RESTART
51 | state: touch
52 |
53 | - name: Recursively change ownership of dir
54 | ansible.builtin.file:
55 | path: /app/
56 | state: directory
57 | recurse: yes
58 | owner: "{{ app_user }}"
59 | group: "staff"
60 |
61 | - name: Install py libs
62 | ansible.builtin.pip:
63 | requirements: /app/requirements.txt
64 | virtualenv: /app/PYENV/
65 |
66 | - name: Copy srv config file with correct data
67 | ansible.builtin.template:
68 | src: "{{ src_folder }}/conf/server-config.json"
69 | dest: /app/real-server-config.json
70 | owner: "{{ app_user }}"
71 | group: root
72 | mode: u=rw,g=r,o=r
73 |
74 | - name: Copy service file
75 | ansible.builtin.copy:
76 | src: "{{ src_folder }}/conf/pydaemon.service"
77 | dest: /etc/systemd/system/
78 | owner: root
79 | group: root
80 | mode: u=rwx,g=rx,o=rx
81 |
82 | - name: Enable pydaemon service
83 | ansible.builtin.systemd_service:
84 | name: pydaemon
85 | enabled: true
86 | masked: no
87 |
88 | - name: Start pydaemon
89 | ansible.builtin.systemd_service:
90 | daemon_reload: true
91 | state: started
92 | name: pydaemon
93 |
94 | - name: Init db schema
95 | ansible.builtin.shell:
96 | cmd: /app/PYENV/bin/python3 /app/scripts/dbmigrate.py
97 | chdir: /app/
98 | environment:
99 | PYTHONPATH: /app/py/
100 | PYSRV_CONFIG_PATH: /app/real-server-config.json
101 | PATH: "/app/PYENV/bin/:{{ ansible_env.PATH }}"
102 |
--------------------------------------------------------------------------------
/ansible/install-caddy.yml:
--------------------------------------------------------------------------------
1 |
2 | - name: Install Caddy www server
3 | hosts: wwwhost
4 | # assumes you have static files at /app/www/
5 |
6 | vars_files:
7 | - vars.yml
8 |
9 | tasks:
10 | - name: Install Caddy
11 | ansible.builtin.apt:
12 | pkg:
13 | - caddy
14 |
15 | - name: Copy our caddy config
16 | ansible.builtin.copy:
17 | src: "{{ src_folder }}/conf/caddy.conf"
18 | dest: /etc/caddy/Caddyfile
19 | owner: root
20 | group: root
21 | mode: u=rw,g=r,o=r
22 |
23 | - name: Restart caddy
24 | ansible.builtin.systemd_service:
25 | state: restarted
26 | name: caddy
27 |
--------------------------------------------------------------------------------
/ansible/install-db.yaml:
--------------------------------------------------------------------------------
1 |
2 | - name: Install PostgreSQL database server
3 | hosts: dbhost
4 | become: yes
5 |
6 | vars_files:
7 | - vars.yml
8 |
9 | tasks:
10 | - name: Install PostgreSQL server
11 | ansible.builtin.apt:
12 | name: postgresql
13 |
14 | - name: Install pip
15 | ansible.builtin.apt:
16 | pkg:
17 | - python3-pip
18 |
19 | - name: Install psycopg2 for community plugin below
20 | ansible.builtin.pip:
21 | name: psycopg2-binary
22 | extra_args: --break-system-packages
23 |
24 | - name: Create db user
25 | community.postgresql.postgresql_user:
26 | name: "{{ db_user }}"
27 | password: "{{ db_password }}"
28 | become: yes
29 | become_user: postgres
30 |
31 | - name: Create app db
32 | community.postgresql.postgresql_db:
33 | name: "{{ db_name }}"
34 | owner: "{{ db_user }}"
35 | become: yes
36 | become_user: postgres
37 |
38 | - name: Add uuid extension
39 | community.postgresql.postgresql_ext:
40 | name: uuid-ossp
41 | db: "{{ db_name }}"
42 | become: yes
43 | become_user: postgres
44 |
--------------------------------------------------------------------------------
/ansible/install-redis.yaml:
--------------------------------------------------------------------------------
1 |
2 | - name: Install Redis server
3 | hosts: redishost
4 |
5 | tasks:
6 | - name: Install Redis
7 | ansible.builtin.apt:
8 | name: redis
9 |
--------------------------------------------------------------------------------
/ansible/myhosts.ini:
--------------------------------------------------------------------------------
1 | [apphosts]
2 | 10.10.10.10 ansible_ssh_user=myapp
3 |
4 | [apphostsroot]
5 | 10.10.10.10 ansible_ssh_user=root
6 |
7 | [redishost]
8 | 10.10.10.10 ansible_ssh_user=root
9 |
10 | [dbhost]
11 | 10.10.10.10 ansible_ssh_user=root
12 |
13 | [wwwhost]
14 | 10.10.10.10 ansible_ssh_user=root
15 |
--------------------------------------------------------------------------------
/ansible/vars.yml:
--------------------------------------------------------------------------------
1 | ---
2 | redis_host: localhost
3 | db_host: localhost
4 | src_folder: /Users/x/restpie3/
5 | app_user: myapp
6 | db_user: my-db-account
7 | db_password: my-password-here
8 | db_name: mydb
9 |
10 | # this file has your secrets - keep it safe, do not commit into repository!
11 | # do not use the default values here!
12 |
--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # run in dev mode
3 |
4 | docker build --build-arg BUILDMODE=debug-docker -t restpie-dev-image .
5 |
6 |
--------------------------------------------------------------------------------
/conf/caddy.conf:
--------------------------------------------------------------------------------
1 | # The Caddyfile is an easy way to configure your Caddy web server.
2 | #
3 | # Unless the file starts with a global options block, the first
4 | # uncommented line is always the address of your site.
5 | #
6 | # To use your own domain name (with automatic HTTPS), first make
7 | # sure your domain's A/AAAA DNS records are properly pointed to
8 | # this machine's public IP, then replace ":80" below with your
9 | # domain name.
10 |
11 | :80 {
12 | # Set this path to your site's directory.
13 | root * /app/www/
14 |
15 | # Enable the static file server.
16 | file_server
17 |
18 | # Another common task is to set up a reverse proxy:
19 | # reverse_proxy localhost:8080
20 |
21 | # Or serve a PHP site through php-fpm:
22 | # php_fastcgi localhost:9000
23 |
24 | # forward to restpie3
25 | handle_path /api/* {
26 | rewrite * /api{uri}
27 | reverse_proxy localhost:8110
28 | }
29 | }
30 |
31 | # Refer to the Caddy docs for more information:
32 | # https://caddyserver.com/docs/caddyfile
33 |
--------------------------------------------------------------------------------
/conf/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tomimick/restpie3/890c5bdb15ce2ebbcc357797a0a4e8eb7f1ffc92/conf/favicon.ico
--------------------------------------------------------------------------------
/conf/loginscript.sh:
--------------------------------------------------------------------------------
1 | # this is /etc/profile
2 | # - a login script when running the interactive shell inside the container
3 |
4 | export PYTHONPATH=/app/py
5 | export PYSRV_CONFIG_PATH=/app/conf/server-config.json
6 | export FLASK_ENV=development
7 | alias l='ls'
8 | alias ll='ls -l'
9 |
10 |
--------------------------------------------------------------------------------
/conf/pydaemon.service:
--------------------------------------------------------------------------------
1 |
2 | # systemd service configuration - uwsgi daemon
3 | #
4 | # https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files
5 | # https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uwsgi-and-nginx-on-ubuntu-16-04
6 |
7 | # make start on boot: systemctl enable mydaemon
8 |
9 | [Unit]
10 | Description=pysrv uwsgi daemon
11 | After=network.target
12 |
13 | [Service]
14 | User=root
15 | #User=myapp # user privileges are set by uwsgi
16 | #Group=mygroup
17 | # note: create /tmp/pysrv_spooler on reboot
18 | ExecStartPre=/bin/mkdir -p /tmp/pysrv_spooler;
19 | ExecStart=uwsgi --ini /app/conf/uwsgi.ini:uwsgi-production
20 | RuntimeDirectory=mydaemon
21 | Restart=always
22 | RestartSec=3
23 | KillSignal=SIGQUIT
24 |
25 | [Install]
26 | WantedBy=multi-user.target
27 |
28 |
--------------------------------------------------------------------------------
/conf/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Disallow: /
3 |
4 |
--------------------------------------------------------------------------------
/conf/server-config-localdev.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "python server config, for localdev",
3 |
4 | "PYSRV_IS_PRODUCTION": "",
5 |
6 | "PYSRV_DATABASE_HOST": "/app/data/mydb.sqlite",
7 | "PYSRV_DATABASE_HOST_POSTGRESQL": "host.docker.internal",
8 | "PYSRV_DATABASE_HOST_SQLITE": "/app/data/mydb.sqlite",
9 | "PYSRV_DATABASE_PORT": "5432",
10 | "PYSRV_DATABASE_NAME": "tmdb",
11 | "PYSRV_DATABASE_USER": "tm",
12 | "PYSRV_DATABASE_PASSWORD": "MY_PASSWORD",
13 |
14 | "PYSRV_COOKIE_HTTPS_ONLY": false,
15 | "PYSRV_REDIS_HOST": "host.docker.internal:6379",
16 | "PYSRV_DOMAIN_NAME": "",
17 | "PYSRV_CORS_ALLOW_ORIGIN": "*"
18 | }
19 |
--------------------------------------------------------------------------------
/conf/server-config.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "python server config, modified by ansible",
3 |
4 | "PYSRV_IS_PRODUCTION": "",
5 |
6 | "PYSRV_DATABASE_HOST": "{{ db_host }}",
7 | "PYSRV_DATABASE_PORT": "5432",
8 | "PYSRV_DATABASE_NAME": "{{ db_name }}",
9 | "PYSRV_DATABASE_USER": "{{ db_user }}",
10 | "PYSRV_DATABASE_PASSWORD": "{{ db_password }}",
11 |
12 | "PYSRV_COOKIE_HTTPS_ONLY": false,
13 | "PYSRV_REDIS_HOST": "{{ redis_host }}",
14 | "PYSRV_DOMAIN_NAME": "",
15 | "PYSRV_CORS_ALLOW_ORIGIN": "*"
16 | }
17 |
18 |
--------------------------------------------------------------------------------
/conf/uwsgi.ini:
--------------------------------------------------------------------------------
1 |
2 | # uwsgi daemon config
3 | # https://uwsgi-docs.readthedocs.io/en/latest/Options.html
4 |
5 | # old: local dev - plain python, no docker
6 | [uwsgi-debug]
7 | env = FLASK_ENV=development
8 | env = PYSRV_CONFIG_PATH=conf/server-config.json
9 | http = localhost:8100
10 | master = 1
11 | wsgi-file = py/main.py
12 | callable = app
13 | # processes = 1, otherwise autoreload fails
14 | processes = 1
15 | stats = 127.0.0.1:9100
16 | virtualenv = $(SERVER_VIRTUALENV)
17 | py-autoreload = 1
18 | #harakiri=10 - disable locally, otherwise autoreload fails
19 | disable-logging=1
20 | spooler-quiet=1
21 | spooler-processes=1
22 | spooler-frequency=5
23 | spooler-harakiri=600
24 | spooler = /tmp/my_spooler
25 | # few static files - serve the frontend from elsewhere
26 | static-map = /robots.txt=conf/robots.txt
27 | static-map = /favicon.ico=conf/favicon.ico
28 |
29 |
30 | # local dev with docker - py-autoreload enabled
31 | [uwsgi-debug-docker]
32 | env = FLASK_ENV=development
33 | env = PYSRV_CONFIG_PATH=/app/conf/server-config-localdev.json
34 | http = 0.0.0.0:80
35 | # if using nginx and uwsgi_pass:
36 | # uwsgi-socket = localhost:8010
37 | master = 1
38 | wsgi-file = py/main.py
39 | callable = app
40 | processes = 4
41 | chdir = /app/
42 | pythonpath = /app/py/
43 | py-autoreload = 1
44 | disable-logging=1
45 | spooler-quiet=1
46 | spooler-processes=3
47 | spooler-frequency=5
48 | spooler-max-tasks=100
49 | spooler-harakiri=600
50 | spooler = /tmp/pysrv_spooler
51 | vacuum = true
52 | logger = stdio
53 | # workers live max this many requests and secs
54 | max-requests=100
55 | max-worker-lifetime=36000
56 | # few static files - serve the frontend from elsewhere
57 | static-map = /robots.txt=conf/robots.txt
58 | static-map = /favicon.ico=conf/favicon.ico
59 | mule = py/mule1.py
60 |
61 | # test/production server config - plain python and docker
62 | [uwsgi-production]
63 | plugins = corerouter,python3,logfile,spooler,http
64 | env=PYSRV_CONFIG_PATH=/app/real-server-config.json
65 | # http :8110 is externally available, localhost:8110 is not
66 | http = localhost:8110
67 | # if using nginx and uwsgi_pass:
68 | # uwsgi-socket = localhost:8010
69 | master = 1
70 | wsgi-file = py/main.py
71 | callable = app
72 | processes = 4
73 | chdir = /app/
74 | pythonpath = /app/py/
75 | virtualenv = /app/PYENV/
76 | # deploy-script touches this file and uwsgi restarts
77 | touch-reload=/app/RESTART
78 | harakiri=20
79 | disable-logging=1
80 | spooler-quiet=1
81 | spooler-processes=3
82 | spooler-frequency=5
83 | spooler-max-tasks=100
84 | spooler-harakiri=600
85 | spooler = /tmp/pysrv_spooler
86 | vacuum = true
87 | # log to file (and stdout too so docker run locally works)
88 | logger = file:/app/app.log
89 | logger = stdio
90 | # run as this user - MUST SET LOWER PRIVILEGES! (Port 80 requires root)
91 | uid=myapp
92 | ; gid=appgroup
93 | # workers live max this many requests and secs
94 | max-requests=100
95 | max-worker-lifetime=36000
96 | # few static files - serve the frontend from elsewhere
97 | static-map = /robots.txt=conf/robots.txt
98 | static-map = /favicon.ico=conf/favicon.ico
99 | mule = py/mule1.py
100 |
101 |
--------------------------------------------------------------------------------
/migrations/001_users.py:
--------------------------------------------------------------------------------
1 | """Peewee migrations -- 001_create.py.
2 |
3 | Some examples:
4 |
5 | > Model = migrator.orm['model_name'] # Return model in current state by name
6 |
7 | > migrator.sql(sql) # Run custom SQL
8 | > migrator.python(func, *args, **kwargs) # Run python code
9 | > migrator.create_model(Model) # Create a model
10 | > migrator.remove_model(model, cascade=True) # Remove a model
11 | > migrator.add_fields(model, **fields) # Add fields to a model
12 | > migrator.change_fields(model, **fields) # Change fields
13 | > migrator.remove_fields(model, *field_names, cascade=True)
14 | > migrator.rename_field(model, old_field_name, new_field_name)
15 | > migrator.rename_table(model, new_table_name)
16 | > migrator.add_index(model, *col_names, unique=False)
17 | > migrator.drop_index(model, *col_names)
18 | > migrator.add_not_null(model, *field_names)
19 | > migrator.drop_not_null(model, *field_names)
20 | > migrator.add_default(model, field_name, default)
21 | """
22 |
23 | def migrate(migrator, database, fake=False, **kwargs):
24 | """Write your migrations here."""
25 |
26 | # create extension manually - you must be a superuser to do this
27 | # is needed by uuid_generate_v4()
28 |
29 | # migrator.sql("""CREATE EXTENSION IF NOT EXISTS "uuid-ossp";""")
30 |
31 |
32 | migrator.sql("""CREATE TYPE type_user_role AS ENUM (
33 | 'disabled',
34 | 'readonly',
35 | 'editor',
36 | 'admin',
37 | 'superuser')
38 | """)
39 |
40 |
41 | migrator.sql("""CREATE TABLE users (
42 |
43 | id uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
44 |
45 | created timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
46 | modified timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
47 |
48 | email text UNIQUE,
49 | password text,
50 | first_name text,
51 | last_name text,
52 | role type_user_role DEFAULT 'readonly',
53 | tags text[]
54 | )""")
55 | # normal integer-id: id serial PRIMARY KEY NOT NULL,
56 |
57 |
58 | def rollback(migrator, database, fake=False, **kwargs):
59 | """Write your rollback migrations here."""
60 |
61 |
--------------------------------------------------------------------------------
/migrations/002_movies.py:
--------------------------------------------------------------------------------
1 |
2 | # 002_movies.py
3 |
4 | def migrate(migrator, database, fake=False, **kwargs):
5 |
6 | # an example class for demonstrating CRUD...
7 |
8 | migrator.sql("""CREATE TABLE movies(
9 | id serial PRIMARY KEY NOT NULL,
10 | created timestamp not null default CURRENT_TIMESTAMP,
11 | modified timestamp not null default CURRENT_TIMESTAMP,
12 |
13 | creator uuid REFERENCES users(id),
14 |
15 | title text,
16 | director text
17 | )""")
18 |
19 | def rollback(migrator, database, fake=False, **kwargs):
20 |
21 | migrator.sql("""DROP TABLE movies""")
22 |
23 |
--------------------------------------------------------------------------------
/migrations_sqlite/001_init.py:
--------------------------------------------------------------------------------
1 | # 001_init.py
2 |
3 | def migrate(migrator, database, fake=False, **kwargs):
4 | """Write your migrations here."""
5 |
6 | migrator.sql("""CREATE TABLE users (
7 |
8 | id INTEGER PRIMARY KEY,
9 |
10 | created timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
11 | modified timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
12 |
13 | email text UNIQUE,
14 | password text,
15 | first_name text,
16 | last_name text,
17 | role text DEFAULT 'readonly',
18 | tags text
19 | )""")
20 |
21 | def rollback(migrator, database, fake=False, **kwargs):
22 | """Write your rollback migrations here."""
23 |
24 |
--------------------------------------------------------------------------------
/migrations_sqlite/002_movies.py:
--------------------------------------------------------------------------------
1 | # 002_movies.py
2 |
3 | def migrate(migrator, database, fake=False, **kwargs):
4 |
5 | migrator.sql("""CREATE TABLE movies(
6 | id INTEGER PRIMARY KEY,
7 |
8 | created timestamp not null default CURRENT_TIMESTAMP,
9 | modified timestamp not null default CURRENT_TIMESTAMP,
10 |
11 | creator integer REFERENCES users(id),
12 |
13 | title text,
14 | director text
15 | )""")
16 |
17 | def rollback(migrator, database, fake=False, **kwargs):
18 |
19 | migrator.sql("""DROP TABLE movies""")
20 |
21 |
--------------------------------------------------------------------------------
/py/account.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 |
4 | # account.py: user account related operations, passwords
5 | #
6 | # Author: Tomi.Mickelsson@iki.fi
7 |
8 | import sys
9 | import re
10 | from flask import request, session
11 | from passlib.context import CryptContext
12 |
13 | import logging
14 | log = logging.getLogger("account")
15 |
16 |
17 | pwd_context = CryptContext(
18 | schemes=["pbkdf2_sha256", "bcrypt"] # list of supported algos
19 | )
20 |
21 |
22 | def build_session(user_obj, is_permanent=True):
23 | """On login+signup, builds the server-side session dict with the data we
24 | need. userid being the most important."""
25 |
26 | assert user_obj
27 | assert user_obj.id
28 |
29 | # make sure session is empty
30 | session.clear()
31 |
32 | # fill with relevant data
33 | session['userid'] = user_obj.id
34 | session['role'] = user_obj.role # if you update user.role, update this too
35 |
36 | # remember session even over browser restarts?
37 | session.permanent = is_permanent
38 |
39 | # could also store ip + browser-agent to verify freshness
40 | # of the session: only allow most critical operations with a fresh
41 | # session
42 |
43 |
44 | def hash_password(password):
45 | """Generate a secure hash out of the password. Salts automatically."""
46 |
47 | return pwd_context.hash(password)
48 |
49 |
50 | def check_password(hash, password):
51 | """Check if given plaintext password matches with the hash."""
52 |
53 | return pwd_context.verify(password, hash)
54 |
55 |
56 | def check_password_validity(passwd):
57 | """Validates the given plaintext password. Returns None for success,
58 | error text on error."""
59 |
60 | err = None
61 |
62 | if not passwd or len(passwd) < 6:
63 | err = "Password must be atleast 6 characters"
64 |
65 | elif not re.search(r"[a-z]", passwd) \
66 | or not re.search(r"[A-Z]", passwd) \
67 | or not re.search(r"[0-9]", passwd):
68 | err = "Password must contain a lowercase, an uppercase, a digit"
69 |
70 | if err:
71 | log.error("password validity: %s", err)
72 |
73 | return err
74 |
75 |
76 | def new_signup_steps(user_obj):
77 | """Perform steps for a new signup."""
78 |
79 | # user_obj.signup_ip = webutil.get_ip()
80 | # user_app.save()
81 |
82 | # send welcome email etc...
83 |
84 |
--------------------------------------------------------------------------------
/py/api_account.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 |
4 | # api.py: REST API for basic account related stuff: signup/login/logout
5 | #
6 | # Author: Tomi.Mickelsson@iki.fi
7 |
8 | from flask import request, session, g, jsonify
9 |
10 | import db
11 | import webutil
12 | import account
13 | from webutil import app, login_required, get_myself
14 |
15 | import logging
16 | log = logging.getLogger("api")
17 |
18 |
19 | @app.route('/api/login', methods = ['POST'])
20 | def login():
21 | """Logs the user in with email+password.
22 | On success returns the user object,
23 | on error returns 400 and json with err-field."""
24 |
25 | input = request.json or {}
26 | email = input.get('email')
27 | password = input.get('password')
28 |
29 | if not email or not password:
30 | return webutil.warn_reply("Missing input")
31 |
32 | u = db.get_user_by_email(email)
33 | if not u or not account.check_password(u.password, password):
34 | # error
35 | return webutil.warn_reply("Invalid login credentials")
36 | else:
37 | # success
38 | account.build_session(u, is_permanent=input.get('remember', True))
39 |
40 | log.info("LOGIN OK agent={}".format(webutil.get_agent()))
41 | return jsonify(u), 200
42 |
43 |
44 | @app.route('/api/signup', methods = ['POST'])
45 | def signup():
46 | """Signs a new user to the service. On success returns the user object,
47 | on error returns 400 and json with err-field."""
48 |
49 | input = request.json or {}
50 | email = input.get('email')
51 | password = input.get('password')
52 | fname = input.get('fname')
53 | lname = input.get('lname')
54 | company = input.get('company')
55 |
56 | if not email or not password or not fname or not lname:
57 | return webutil.warn_reply("Invalid signup input")
58 |
59 | u = db.get_user_by_email(email)
60 | if u:
61 | msg = "Signup email taken: {}".format(email)
62 | return webutil.warn_reply(msg)
63 |
64 | err = account.check_password_validity(password)
65 | if err:
66 | return jsonify({"err":err}), 400
67 |
68 | # create new user
69 | u = db.User()
70 | u.email = email
71 | u.company = company
72 | u.first_name = fname
73 | u.last_name = lname
74 | u.password = account.hash_password(password)
75 | u.tags = []
76 | u.role = 'editor' # set default to what makes sense to your app
77 | u.save(force_insert=True)
78 |
79 | account.new_signup_steps(u)
80 | account.build_session(u, is_permanent=input.get('remember', True))
81 |
82 | log.info("SIGNUP OK agent={}".format(webutil.get_agent()))
83 |
84 | return jsonify(u), 201
85 |
86 |
87 | @app.route('/api/logout', methods = ['POST'])
88 | @login_required
89 | def logout():
90 | """Logs out the user, clears the session."""
91 | session.clear()
92 | return jsonify({}), 200
93 |
94 |
95 | @app.route('/api/me')
96 | @login_required
97 | def me():
98 | """Return info about me. Attach more data for real use."""
99 |
100 | me = get_myself()
101 | reply = {"me": me}
102 |
103 | return jsonify(reply), 200
104 |
105 |
106 | @app.route('/api/users')
107 | @login_required(role='superuser')
108 | def users():
109 | """Search list of users. Only for superusers"""
110 |
111 | input = request.args or {}
112 | page = input.get('page')
113 | size = input.get('size')
114 | search = input.get('search')
115 |
116 | reply = db.query_users(page, size, search)
117 |
118 | return jsonify(reply), 200
119 |
120 |
--------------------------------------------------------------------------------
/py/api_dev.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 |
4 | # api_dev.py: misc methods for testing and development
5 | # - remove if not needed, and make sure there is no risk for production
6 | #
7 | # Author: Tomi.Mickelsson@iki.fi
8 |
9 | from flask import jsonify, redirect, render_template
10 | import datetime
11 | import html
12 |
13 | import db
14 | import config
15 | import bgtasks
16 | import red
17 | from webutil import app
18 |
19 | import logging
20 | log = logging.getLogger("api")
21 |
22 |
23 | @app.route('/', methods = ['GET'])
24 | def index():
25 | """Just a redirect to api list."""
26 | return redirect('/api/list')
27 |
28 |
29 | @app.route('/api/list', methods = ['GET'])
30 | def list_api():
31 | """List the available REST APIs in this service as HTML. Queries
32 | methods directly from Flask, no need to maintain separate API doc.
33 | (Maybe this could be used as a start to generate Swagger API spec too.)"""
34 |
35 | # decide whether available in production
36 | # if config.IS_PRODUCTION:
37 | # return "not available in production", 400
38 |
39 | # build HTML of the method list
40 | apilist = []
41 | rules = sorted(app.url_map.iter_rules(), key=lambda x: str(x))
42 | for rule in rules:
43 | f = app.view_functions[rule.endpoint]
44 | docs = f.__doc__ or ''
45 | module = f.__module__ + ".py"
46 |
47 | # remove noisy OPTIONS
48 | methods = sorted([x for x in rule.methods if x != "OPTIONS"])
49 | url = html.escape(str(rule))
50 | if not "/api/" in url and not "/auth/" in url:
51 | continue
52 | apilist.append("
68 | This is a sample login/signup/forgot/reset page to get you quickly started
69 | with the regular auth boilerplate of an app. Just plain HTML and CSS
70 | with zero lines of JS.
71 |