feat: update database configuration for Aiven support and enhance GitHub authentication strategy

Author: PhuocHoan

Makefile

@@ -8,13 +8,13 @@ help:
 	@echo "make clean - Stop and remove volumes"
 
 up:
-	docker compose up
+	docker compose up -d
 
 down:
 	docker compose down
 
 db:
-	docker compose up postgres
+	docker compose up -d postgres
 
 logs:
 	docker compose logs -f

backend/.env.example

@@ -6,18 +6,23 @@
 # -----------------------------------------------------------------------------
 # Database Configuration
 # -----------------------------------------------------------------------------
-# For local development (without Docker): localhost
-# For Docker Compose: postgres (service name)
-# For production (Aiven): Use Aiven connection details
-DB_HOST=localhost
-DB_PORT=5432
-DB_USERNAME=postgres
-DB_PASSWORD=postgres
-DB_NAME=learnix
+# Option 1: Use DATABASE_URL (recommended for production/Aiven)
+# Format: postgres://username:password@host:port/database
+# DATABASE_URL=postgres://avnadmin:password@host.aivencloud.com:12345/defaultdb
 
-# SSL Configuration (required for Aiven PostgreSQL in production)
-# Set to true for production, false for local development
-DB_SSL=false
+# Aiven CA Certificate (required for production)
+# Copy the content of ca.pem from Aiven Console and paste as a single line
+# Or set this in Vercel environment variables
+# DATABASE_CA_CERT="-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+
+# Option 2: Use individual variables (for local development)
+# If DATABASE_URL is set, these are ignored
+# DB_HOST=localhost
+# DB_PORT=5432
+# DB_USERNAME=postgres
+# DB_PASSWORD=postgres
+# DB_NAME=learnix
+# DB_SSL=false
 
 # -----------------------------------------------------------------------------
 # JWT Configuration
@@ -34,11 +39,15 @@ GOOGLE_CLIENT_SECRET=your-google-client-secret
 GOOGLE_CALLBACK_URL=http://localhost:3000/auth/google/callback
 
 # -----------------------------------------------------------------------------
-# OAuth Configuration - GitHub
-# Get these from: https://github.com/settings/developers
+# OAuth Configuration - GitHub App (Modern)
+# Create a GitHub App at: https://github.com/settings/apps
+# Under "Identifying and authorizing users" section:
+#   - Enable "Request user authorization (OAuth) during installation"
+#   - Set Callback URL to your callback endpoint
+# Required permissions: Account permissions > Email addresses (Read-only)
 # -----------------------------------------------------------------------------
-GITHUB_CLIENT_ID=your-github-client-id
-GITHUB_CLIENT_SECRET=your-github-client-secret
+GITHUB_APP_CLIENT_ID=your-github-app-client-id
+GITHUB_APP_CLIENT_SECRET=your-github-app-client-secret
 GITHUB_CALLBACK_URL=http://localhost:3000/auth/github/callback
 
 # -----------------------------------------------------------------------------

backend/.gitignore

@@ -54,3 +54,6 @@ pids
 
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# aiven
+ca.pem

backend/src/app.module.ts

@@ -20,20 +20,42 @@ import { DashboardModule } from './dashboard/dashboard.module';
     }),
     TypeOrmModule.forRootAsync({
       imports: [ConfigModule],
-      useFactory: (configService: ConfigService) => ({
-        type: 'postgres',
-        host: configService.get<string>('DB_HOST'),
-        port: configService.get<number>('DB_PORT'),
-        username: configService.get<string>('DB_USERNAME'),
-        password: configService.get<string>('DB_PASSWORD'),
-        database: configService.get<string>('DB_NAME'),
-        entities: [User, ExternalAuth, Quiz, Question],
-        synchronize: configService.get<string>('NODE_ENV') !== 'production', // Auto-create tables in dev
-        ssl:
-          configService.get<string>('DB_SSL') === 'true'
-            ? { rejectUnauthorized: false }
-            : false,
-      }),
+      useFactory: (configService: ConfigService) => {
+        const databaseUrl = configService.get<string>('DATABASE_URL');
+
+        // Use DATABASE_URL if provided (production/Aiven), otherwise use individual vars (local dev)
+        if (databaseUrl) {
+          // Aiven SSL configuration with CA certificate
+          // Replace literal \n with actual newlines (env files store as escaped string)
+          const caCert = configService.get<string>('DATABASE_CA_CERT');
+
+          return {
+            type: 'postgres',
+            url: databaseUrl,
+            entities: [User, ExternalAuth, Quiz, Question],
+            synchronize: configService.get<string>('NODE_ENV') !== 'production',
+            ssl: caCert
+              ? { rejectUnauthorized: true, ca: caCert }
+              : { rejectUnauthorized: false },
+          };
+        }
+
+        // Fallback to individual environment variables (local development)
+        return {
+          type: 'postgres',
+          host: configService.get<string>('DB_HOST'),
+          port: configService.get<number>('DB_PORT'),
+          username: configService.get<string>('DB_USERNAME'),
+          password: configService.get<string>('DB_PASSWORD'),
+          database: configService.get<string>('DB_NAME'),
+          entities: [User, ExternalAuth, Quiz, Question],
+          synchronize: configService.get<string>('NODE_ENV') !== 'production',
+          ssl:
+            configService.get<string>('DB_SSL') === 'true'
+              ? { rejectUnauthorized: false }
+              : false,
+        };
+      },
       inject: [ConfigService],
     }),
     UsersModule,

backend/src/auth/strategies/github.strategy.ts

@@ -3,17 +3,33 @@ import { Strategy, Profile } from 'passport-github2';
 import { Injectable } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 
+/**
+ * GitHub App Authentication Strategy
+ *
+ * Uses GitHub App OAuth flow (not legacy OAuth App).
+ * GitHub Apps provide:
+ * - Granular permissions
+ * - Higher rate limits
+ * - Better security with short-lived tokens
+ *
+ * Setup: Create a GitHub App at https://github.com/settings/apps
+ * Required permissions: read:user, user:email
+ */
 @Injectable()
 export class GithubStrategy extends PassportStrategy(Strategy, 'github') {
   constructor(private configService: ConfigService) {
     super({
-      clientID: configService.get<string>('GITHUB_CLIENT_ID') || 'placeholder',
+      // GitHub App Client ID (not OAuth App)
+      clientID:
+        configService.get<string>('GITHUB_APP_CLIENT_ID') || 'placeholder',
+      // GitHub App Client Secret
       clientSecret:
-        configService.get<string>('GITHUB_CLIENT_SECRET') || 'placeholder',
+        configService.get<string>('GITHUB_APP_CLIENT_SECRET') || 'placeholder',
       callbackURL:
         configService.get<string>('GITHUB_CALLBACK_URL') ||
         'http://localhost:3000/auth/github/callback',
-      scope: ['user:email'],
+      // Scopes for GitHub App OAuth
+      scope: ['read:user', 'user:email'],
     });
   }
 

docker-compose.yml

@@ -31,8 +31,6 @@ services:
         condition: service_healthy
     env_file:
       - ./backend/.env
-    environment:
-      DB_HOST: postgres
     volumes:
       - ./backend:/app
       - backend_node_modules:/app/node_modules