Add PostgreSQL support and improve database initialization

- Add PostgreSQL as default database option alongside SQLite
- Create separate production docker-compose files for PostgreSQL and SQLite
- Fix PostgreSQL schema initialization race condition
- Add input validation for client IDs, usernames, UUIDs, and auth codes
- Update Docker Compose to use bind mounts instead of named volumes
- Add .env.postgres file support for Docker Compose PostgreSQL service
- Refactor database layer to support both SQLite and PostgreSQL with unified async API
- Update all database operations to be async
- Add proper schema initialization waiting mechanism
- Update monitoring configuration paths
- Improve environment variable documentation

Author: ZoneMix

.env.example

@@ -172,6 +172,39 @@ ALLOWED_ORIGINS=http://localhost:3000,http://localhost:5678
 # Default: info
 LOG_LEVEL=info
 
+# =============================================================================
+# DATABASE CONFIGURATION (Authentication DB)
+# =============================================================================
+# PostgreSQL is the default database (provides password authentication).
+# SQLite is available as an alternative for simple deployments.
+# =============================================================================
+
+# Database type: 'postgres' (default) or 'sqlite'
+# Default: postgres
+# DB_TYPE=postgres
+
+# PostgreSQL connection - use EITHER POSTGRES_URL OR individual components below
+# Option 1: Connection URL (all in one)
+# Format: postgresql://user:password@host:port/database
+# Optional: Only set if you prefer using a connection URL
+# POSTGRES_URL=postgresql://actual_api:password@localhost:5432/actual_api_auth
+
+# Option 2: Individual connection components (recommended - easier to manage)
+# These will be automatically combined into a connection URL if POSTGRES_URL is not set
+# IMPORTANT: Use 'localhost' when running locally, 'postgres' when running in Docker Compose
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
+POSTGRES_DB=actual_api_auth
+POSTGRES_USER=actual_api
+POSTGRES_PASSWORD=your_postgres_password
+
+# Note: When using Docker Compose, POSTGRES_HOST will be overridden to 'postgres' automatically
+# For local development (npm start), use 'localhost' in your .env file
+
+# To use SQLite instead, set:
+# DB_TYPE=sqlite
+# (No additional configuration needed for SQLite)
+
 # =============================================================================
 # REDIS CONFIGURATION (Optional)
 # =============================================================================
@@ -188,6 +221,7 @@ LOG_LEVEL=info
 
 # Redis connection details (alternative to REDIS_URL)
 # Optional: Only set if using Redis for rate limiting
+# IMPORTANT: Use 'localhost' when running locally, 'redis' when running in Docker Compose
 # REDIS_HOST=localhost
 # REDIS_PORT=6379
 # REDIS_PASSWORD=your_redis_password
@@ -215,6 +249,10 @@ LOG_LEVEL=info
 #   - N8N_CLIENT_SECRET (32+ chars)
 #   - N8N_OAUTH2_CALLBACK_URL
 # 
+# OPTIONAL FOR DATABASE (PostgreSQL):
+#   - DB_TYPE='postgres' (if not set, defaults to 'sqlite')
+#   - POSTGRES_URL or all of: POSTGRES_HOST, POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD
+# 
 # SECURITY CHECKLIST:
 #   □ All secrets are unique and randomly generated
 #   □ Secrets are at least 32 characters long

README.md

@@ -153,10 +153,18 @@ This project uses **dotenvx** to encrypt environment files in production.
 
 ### Production Deployment
 
-**Docker Compose** (recommended):
+**Docker Compose with PostgreSQL** (recommended for production):
 ```bash
 export DOTENV_PRIVATE_KEY="$(grep DOTENV_PRIVATE_KEY .env.keys | cut -d '=' -f2 | tail -n1)"
-docker compose up -d --build
+# Create .env.postgres file with: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB
+docker compose -f docker-compose.prod.postgres.yml up -d --build
+```
+
+**Docker Compose with SQLite** (simpler, single-container):
+```bash
+export DOTENV_PRIVATE_KEY="$(grep DOTENV_PRIVATE_KEY .env.keys | cut -d '=' -f2 | tail -n1)"
+# Set DB_TYPE=sqlite in your .env file
+docker compose -f docker-compose.prod.sqlite.yml up -d --build
 ```
 
 **Docker Image**:

docker-compose.dev.yml

@@ -1,31 +1,30 @@
 services:
-  actual-api-wrapper:
+  actual-rest-api-dev:
     build:
       context: .
       dockerfile: Dockerfile.dev
-    image: actual-api-wrapper-dev
-    container_name: actual-api-wrapper-dev
+    image: actual-rest-api-dev
+    container_name: actual-rest-api-dev
     ports:
       - "3000:3000"
     volumes:
-      - ./data/dev/actual-api-wrapper:/app/.actual-cache
+      - ./data/dev/actual-rest-api:/app/.actual-cache
       - ./.env.local:/app/.env:ro
     working_dir: /app
     command: >
       sh -c "dotenvx run -- npm start"
     environment:
-      # Redis connection (optional - will use memory store if not set)
-      REDIS_HOST: redis
-      REDIS_PORT: 6379
-      REDIS_PASSWORD: ${REDIS_PASSWORD:-}  # Optional: Set if Redis password is configured
-      # Or use REDIS_URL instead: redis://redis:6379 or redis://password@redis:6379
-      # Log level: Set to 'warn' or 'error' to reduce log verbosity
-      # LOG_LEVEL: ${LOG_LEVEL:-info}
+      NODE_ENV: development
+      DB_TYPE: postgres
+      REDIS_HOST: redis-dev
+      POSTGRES_HOST: postgres-dev
     depends_on:
-      actual-server:
+      actual-server-dev:
         condition: service_healthy
         restart: true
-      redis:
+      redis-dev:
+        condition: service_healthy
+      postgres-dev:
         condition: service_healthy
     healthcheck:
       test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1"]
@@ -40,13 +39,13 @@ services:
         max-file: "3"
         compress: "true"
 
-  redis:
+  redis-dev:
     image: redis:7-alpine
-    container_name: actual-api-redis-dev
+    container_name: actual-rest-api-redis-dev
     ports:
       - "6379:6379"
     volumes:
-      - redis-data-dev:/data
+      - ./data/dev/redis:/data
     # Redis runs without password by default in dev (can be set via REDIS_PASSWORD env var)
     # For production, always set a password
     command: redis-server --appendonly yes
@@ -66,7 +65,7 @@ services:
         max-file: "2"
         compress: "true"
 
-  n8n:
+  n8n-dev:
     image: n8nio/n8n:latest
     container_name: n8n-dev
     ports:
@@ -80,15 +79,15 @@ services:
       # For local development of the Actual Budget REST API n8n node
       - ./n8n-nodes-actual-budget-rest-api:/home/node/.n8n/custom/node_modules/n8n-nodes-actual-budget-rest-api
     depends_on:
-      - actual-api-wrapper
+      - actual-rest-api-dev
     logging:
       driver: "json-file"
       options:
         max-size: "10m"
         max-file: "3"
         compress: "true"
 
-  actual-server:
+  actual-server-dev:
     container_name: actual-server-dev
     image: docker.io/actualbudget/actual-server:latest
     ports:
@@ -111,23 +110,23 @@ services:
         max-file: "2"
         compress: "true"
 
-  prometheus:
+  prometheus-dev:
     image: prom/prometheus:latest
     container_name: prometheus-dev
     ports:
       - "9090:9090"
     volumes:
-      - ./data/dev/prometheus:/etc/prometheus
-      - prometheus-data-dev:/prometheus
+      - ./data/dev/prometheus:/prometheus
+      - ./monitoring/prometheus.yml:/prometheus/prometheus.yml
     command:
-      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--config.file=/prometheus/prometheus.yml'
       - '--storage.tsdb.path=/prometheus'
       - '--web.console.libraries=/usr/share/prometheus/console_libraries'
       - '--web.console.templates=/usr/share/prometheus/consoles'
       - '--storage.tsdb.retention.time=30d'
       - '--web.enable-lifecycle'
     depends_on:
-      - actual-api-wrapper
+      - actual-rest-api-dev
     restart: unless-stopped
     logging:
       driver: "json-file"
@@ -136,7 +135,7 @@ services:
         max-file: "2"
         compress: "true"
 
-  grafana:
+  grafana-dev:
     image: grafana/grafana:latest
     container_name: grafana-dev
     ports:
@@ -147,20 +146,35 @@ services:
       - GF_USERS_ALLOW_SIGN_UP=false
       - GF_SERVER_ROOT_URL=http://localhost:3001
     volumes:
-      - grafana-data-dev:/var/lib/grafana
-      - ./data/dev/grafana/provisioning:/etc/grafana/provisioning
-      - ./data/dev/grafana/dashboards:/var/lib/grafana/dashboards
+      - ./data/dev/grafana/data:/var/lib/grafana
+      - ./monitoring/grafana/provisioning:/etc/grafana/provisioning
+      - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards
     depends_on:
-      - prometheus
+      - prometheus-dev
+    restart: unless-stopped
+
+  postgres-dev:
+    image: postgres:16-alpine
+    container_name: postgres-dev
+    ports:
+      - "5432:5432"
+    environment:
+      # Fallback defaults if .env.postgres doesn't exist
+      POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-dev_password}
+      POSTGRES_DB: ${POSTGRES_DB:-postgres}
+    volumes:
+      - ./data/dev/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres}"]
+      interval: 10s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
     restart: unless-stopped
     logging:
       driver: "json-file"
       options:
-        max-size: "10m"
+        max-size: "5m"
         max-file: "2"
         compress: "true"
-
-volumes:
-  redis-data-dev:
-  prometheus-data-dev:
-  grafana-data-dev:

docker-compose.prod.postgres.yml

@@ -0,0 +1,85 @@
+services:
+  actual-api-rest-api:
+    build: .  # Builds Dockerfile (copies from ./src)
+    image: actual-api-rest-api  # Tagged for reuse
+    container_name: actual-api-rest-api
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./data/prod/actual-api:/app/.actual-cache  # Persistent encrypted DB
+    working_dir: /app
+    command: >
+      sh -c "dotenvx run -- npm start"
+    environment:
+      DOTENV_PRIVATE_KEY: ${DOTENV_PRIVATE_KEY}  # Master key from host .env or secrets
+      # Redis connection (optional - will use memory store if not set)
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      REDIS_PASSWORD: ${REDIS_PASSWORD:-}  # Optional: Set if Redis password is configured
+      # Or use REDIS_URL instead: redis://redis:6379 or redis://password@redis:6379
+      # Database connection (PostgreSQL)
+      DB_TYPE: postgres
+      # Override POSTGRES_HOST for Docker Compose (use service name 'postgres' instead of 'localhost')
+      POSTGRES_HOST: postgres
+    depends_on:
+      redis:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+  redis:
+    image: redis:7-alpine
+    container_name: actual-rest-api-redis
+    ports:
+      - "6379:6379"
+    volumes:
+      - ./data/prod/redis:/data
+    # Redis password (set REDIS_PASSWORD env var for production)
+    # In production, always use a strong password
+    command: >
+      sh -c "if [ -n \"$$REDIS_PASSWORD\" ]; then
+        redis-server --appendonly yes --requirepass \"$$REDIS_PASSWORD\"
+      else
+        redis-server --appendonly yes
+      fi"
+    environment:
+      - REDIS_PASSWORD=${REDIS_PASSWORD:-}
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
+    restart: unless-stopped
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: actual-rest-api-postgres
+    ports:
+      - "5432:5432"
+    env_file:
+      # Use separate .env.postgres file since Docker Compose can't read encrypted dotenvx files
+      # Create .env.postgres with: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB
+      - .env.postgres
+      - .env.postgres.local  # Optional: local overrides (gitignored)
+    environment:
+      # Fallback defaults if .env.postgres doesn't exist
+      POSTGRES_USER: ${POSTGRES_USER:-actual_api}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB:-actual_api_auth}
+    volumes:
+      - ./data/prod/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-actual_api}"]
+      interval: 10s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
+    restart: unless-stopped
+

docker-compose.yml docker-compose.prod.sqlite.ymldocker-compose.yml renamed to docker-compose.prod.sqlite.yml

@@ -1,12 +1,12 @@
 services:
-  actual-api-wrapper:
+  actual-rest-api:
     build: .  # Builds Dockerfile (copies from ./src)
-    image: actual-api-wrapper  # Tagged for reuse
-    container_name: actual-api-wrapper
+    image: actual-rest-api  # Tagged for reuse
+    container_name: actual-rest-api
     ports:
       - "3000:3000"
     volumes:
-      - ./data/actual-api:/app/.actual-cache  # Persistent encrypted DB
+      - ./data/prod/actual-api:/app/.actual-cache  # Persistent encrypted DB and SQLite auth.db
     working_dir: /app
     command: >
       sh -c "dotenvx run -- npm start"
@@ -17,6 +17,9 @@ services:
       REDIS_PORT: 6379
       REDIS_PASSWORD: ${REDIS_PASSWORD:-}  # Optional: Set if Redis password is configured
       # Or use REDIS_URL instead: redis://redis:6379 or redis://password@redis:6379
+      # Database connection (SQLite)
+      DB_TYPE: sqlite
+      # SQLite database will be stored in DATA_DIR/auth.db (default: /app/.actual-cache/auth.db)
     depends_on:
       redis:
         condition: service_healthy
@@ -29,11 +32,11 @@ services:
 
   redis:
     image: redis:7-alpine
-    container_name: actual-api-redis
+    container_name: actual-rest-api-redis
     ports:
       - "6379:6379"
     volumes:
-      - redis-data:/data
+      - ./data/prod/redis:/data
     # Redis password (set REDIS_PASSWORD env var for production)
     # In production, always use a strong password
     command: >
@@ -52,6 +55,3 @@ services:
       start_period: 10s
     restart: unless-stopped
 
-volumes:
-  auth-data:
-  redis-data:

monitoring/README.md

@@ -173,3 +173,4 @@ For production deployments:
 - [Grafana Documentation](https://grafana.com/docs/grafana/latest/)
 - [PromQL Query Language](https://prometheus.io/docs/prometheus/latest/querying/basics/)
 
+

monitoring/grafana/dashboards/actual-budget-api-dashboard.json

@@ -884,3 +884,4 @@
     "version": 1
   }
 
+