Merge branch 'main' into readme

# Conflicts:
#	README.md

Author: beniamin-szilagyi

.gitignore

@@ -81,3 +81,5 @@ fasten.db-wal
 
 backend/resources/related_versions.json
 frontend/documentation.json
+
+certs/

README.md

@@ -103,7 +103,7 @@ Next, run the following commands from the Windows command line or Mac/Linux term
 
 ### 🧪 Develop
 
-Use local development settings for testing and iteration. 
+Use local development settings for testing and iteration.
 
 > ℹ️ **Observation:** Requires a local clone of the repository.
 
@@ -132,7 +132,65 @@ docker run --rm \
 -v ./cache:/opt/fasten/cache \
 ghcr.io/fastenhealth/fasten-onprem:main
 ```
+Next, open a browser to `https://localhost:9090`
 
+### <a name="using-https"></a>🔒 Using HTTPS and Trusting the Self-Signed Certificate
+
+By default, Fasten On-Prem runs with HTTPS enabled to ensure your data is secure. It uses a self-signed **TLS** certificate, which offers the same level of encryption as a commercially issued certificate. The first time you connect, your browser will display a security warning because it doesn't yet trust the certificate's issuer. The steps below will guide you through the simple, one-time process of telling your browser to trust the certificate, ensuring a secure connection without future warnings. Please note that the generated certificates can be replaced at any time with your own valid TLS certificates.
+
+#### How it Works: The Chain of Trust
+
+To establish a secure connection, your browser needs to trust the server's TLS certificate. Here’s how the process works in Fasten On-Prem:
+
+1.  **Root Certificate Authority (CA):** When the application first starts, it generates its own self-contained Certificate Authority, called `"Fasten Health CA"`. Think of this as the highest level of trust. The public part of this CA is the `rootCA.pem` file.
+2.  **Server Certificate:** The application then uses the `"Fasten Health CA"` to issue and sign a specific certificate for the web server (e.g., for `localhost`).
+3.  **Browser Verification:** When you connect to the server, it presents the server certificate to your browser. Your browser checks who signed it and sees it was `"Fasten Health CA"`. The browser then asks, "Do I trust the 'Fasten Health CA'?"
+
+Initially, the answer is no, which is why you see a security warning. By following the steps below to import the `rootCA.pem` file, you are telling your browser or operating system to trust our self-generated CA. Once the CA is trusted, any certificates it signs—including the server certificate—will also be trusted, and the connection will be secure without any warnings.
+
+#### 1. Locate the Root CA Certificate
+
+When you run the application using the production Docker Compose file (`docker-compose-prod.yml`), it automatically generates a `rootCA.pem` file. This file is located in the `certs` directory on your host machine.
+
+-   **Certificate Path:** `certs/rootCA.pem`
+
+#### 2. Import the Certificate
+
+You will need to import this certificate into your operating system's or browser's trust store. Here are general instructions for different platforms:
+
+**macOS**
+
+1.  Open the **Keychain Access** application.
+2.  Select the **System** keychain.
+3.  Go to **File > Import Items** and select the `certs/rootCA.pem` file.
+4.  Find the "Fasten Health CA" certificate in the list, double-click it, and under the **Trust** section, set "When using this certificate" to **Always Trust**.
+
+**Windows**
+
+1.  Double-click the `certs/rootCA.pem` file.
+2.  Click **Install Certificate...** and choose **Local Machine**.
+3.  Select **Place all certificates in the following store**, click **Browse**, and choose **Trusted Root Certification Authorities**.
+4.  Complete the wizard to finish the import process.
+
+**Linux (Ubuntu/Debian)**
+
+1.  Copy the certificate to the trusted certificates directory:
+    ```bash
+    sudo cp certs/rootCA.pem /usr/local/share/ca-certificates/fasten-health-ca.crt
+    ```
+2.  Update the system's certificate store:
+    ```bash
+    sudo update-ca-certificates
+    ```
+
+**Firefox**
+
+Firefox has its own trust store. To import the certificate:
+
+1.  Go to **Settings > Privacy & Security**.
+2.  Scroll down to **Certificates** and click **View Certificates...**.
+3.  In the **Authorities** tab, click **Import...** and select the `certs/rootCA.pem` file.
+4.  Check the box for **Trust this CA to identify websites** and click **OK**.
 
 ### Companion Mobile App
 
@@ -152,7 +210,7 @@ In partnership with [Life Value](https://lifevalue.com), we develop an **open-so
 
 ### Start Fasten (discovarable on your local network)
 
-For your **Fasten** instance to work together with **HealthWallet.me** (the companion mobile app), you need to run the `set_env.sh` script before starting Docker Compose. 
+For your **Fasten** instance to work together with **HealthWallet.me** (the companion mobile app), you need to run the `set_env.sh` script before starting Docker Compose.
 
 This script configures the necessary `HOSTNAME` and `IP` values in a `.env` file, which allows Fasten to generate a QR code that HealthWallet can scan to establish the initial connection and begin syncing your health data.
 
@@ -174,9 +232,9 @@ Launch the application. Please choose a location where `docker-compose.yml` and
     ```
 
 - **Commands Breakdown**
-   - Downloads necessary files (**docker-compose.yml** and **set_env.sh**)
-   - The environment script automatically assigns your local IP so **Fasten** can be available on **your local network**
-   - Starts the Fasten application (**docker-compose up -d**)
+    - Downloads necessary files (**docker-compose.yml** and **set_env.sh**)
+    - The environment script automatically assigns your local IP so **Fasten** can be available on **your local network**
+    - Starts the Fasten application (**docker-compose up -d**)
 
 
 <details>
@@ -203,13 +261,7 @@ If you prefer not to run the `set_env.sh` script, you can configure the `.env` f
 
 </details>
 
-### Logging In
-
-Before you can use the Fasten BETA, you'll need to [Create an Account](http://localhost:9090/web/auth/signup).
 
-It can be as simple as
-- **Username:** `testuser`
-- **Password:** `testuser`
 
 
 ## Usage

backend/cmd/fasten/fasten.go

@@ -76,7 +76,6 @@ func main() {
 				Name:  "start",
 				Usage: "Start the fasten server",
 				Action: func(c *cli.Context) error {
-					//fmt.Fprintln(c.App.Writer, c.Command.Usage)
 					if c.IsSet("config") {
 						err = appconfig.ReadConfig(c.String("config")) // Find and read the config file
 						if err != nil {                                // Handle errors reading the config file

backend/pkg/config/config.go

@@ -25,6 +25,8 @@ func (c *configuration) Init() error {
 	c.SetDefault("web.listen.host", "0.0.0.0")
 	c.SetDefault("web.listen.basepath", "")
 	c.SetDefault("web.listen.https.enabled", false)
+	c.SetDefault("web.listen.https.certDir", "certs")
+	c.SetDefault("web.listen.https.sharedDir", "certs/shared")
 
 	// allow unsafe endpoints should never be enabled in Production.
 	// It enables direct API access to healthcare providers without authentication.
@@ -33,6 +35,7 @@ func (c *configuration) Init() error {
 	c.SetDefault("web.src.frontend.path", "/opt/fasten/web")
 	c.SetDefault("database.type", "sqlite")
 	c.SetDefault("database.location", "/opt/fasten/db/fasten.db")
+	c.SetDefault("database.encryption.enabled", false)
 	//c.SetDefault("database.encryption.key", "") //encryption key must be set by the user.
 	c.SetDefault("cache.location", "/opt/fasten/cache/")
 

backend/pkg/database/factory.go

@@ -11,7 +11,7 @@ import (
 func NewRepository(appConfig config.Interface, globalLogger logrus.FieldLogger, eventBus event_bus.Interface) (DatabaseRepository, error) {
 	switch pkg.DatabaseRepositoryType(appConfig.GetString("database.type")) {
 	case pkg.DatabaseRepositoryTypeSqlite:
-		return newSqliteRepository(appConfig, globalLogger, eventBus)
+		return newSqliteRepository(appConfig, globalLogger, eventBus, appConfig.GetBool("database.validation_mode"))
 	case pkg.DatabaseRepositoryTypePostgres:
 		return newPostgresRepository(appConfig, globalLogger, eventBus)
 	default:

backend/pkg/database/gorm_repository_graph_test.go

@@ -62,6 +62,8 @@ func (suite *RepositoryGraphTestSuite) TestGetFlattenedResourceGraph() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 
@@ -130,6 +132,8 @@ func (suite *RepositoryGraphTestSuite) TestGetFlattenedResourceGraph_NDJson() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 

backend/pkg/database/gorm_repository_query_sql_test.go

@@ -46,6 +46,8 @@ func (suite *RepositorySqlTestSuite) BeforeTest(suiteName, testName string) {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 	suite.TestRepository = dbRepo

backend/pkg/database/gorm_repository_query_test.go

@@ -267,6 +267,8 @@ func (suite *RepositoryTestSuite) TestQueryResources_SQL() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("INFO").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err)
 	userModel := &models.User{

backend/pkg/database/gorm_repository_related_test.go

@@ -42,6 +42,8 @@ func (suite *RepositoryRelatedTestSuite) SetupTest() {
 	fakeConfig.EXPECT().GetString("database.type").Return("sqlite").AnyTimes()
 	fakeConfig.EXPECT().IsSet("database.encryption.key").Return(false).AnyTimes()
 	fakeConfig.EXPECT().GetString("log.level").Return("DEBUG").AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.validation_mode").Return(false).AnyTimes()
+	fakeConfig.EXPECT().GetBool("database.encryption.enabled").Return(false).AnyTimes()
 
 	dbRepo, err := NewRepository(fakeConfig, logrus.WithField("test", suite.T().Name()), event_bus.NewNoopEventBusServer())
 	require.NoError(suite.T(), err, "Failed to create repository")

backend/pkg/database/gorm_repository_settings_test.go

@@ -40,6 +40,7 @@ func (suite *RepositorySettingsTestSuite) BeforeTest(suiteName, testName string)
 	testConfig, err := config.Create()
 	require.NoError(suite.T(), err)
 	testConfig.SetDefault("database.location", suite.TestDatabase.Name())
+	testConfig.SetDefault("database.encryption.enabled", false)
 	testConfig.SetDefault("log.level", "INFO")
 	suite.TestConfig = testConfig