# Dinner Ticket System

Nuxt 4 app with:

- Public dinner ticket booking page
- Staff login with password and passkey support
- PostgreSQL-backed users and passkeys
- Redis-backed sessions and WebAuthn challenge storage
- Seeded `xiaomai` super-admin account
- Super-admin user creation and password reset flow
- First-login enforcement: temporary password change plus passkey enrollment

## Environment

Create `.env` from `.env.example` and set:

```bash
NUXT_DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/dinner_ticket_system
NUXT_REDIS_URL=redis://127.0.0.1:6379
NUXT_PUBLIC_APP_URL=http://localhost:20013
```

`NUXT_PUBLIC_APP_URL` should be your final HTTPS origin in production. Passkeys rely on the RP origin being stable and correct.

## Setup

Install dependencies:

```bash
pnpm install
```

## Development

Start the app:

```bash
pnpm dev
```

The backend bootstraps its schema automatically on startup and seeds this initial super-admin account if it does not already exist:

- Username: `xiaomai`
- Temporary password: `123456`

On first login, the user is forced to change that temporary password and register a passkey before accessing the protected area.

## Production

Build:

```bash
pnpm build
```

Preview the built server:

```bash
node .output/server/index.mjs
```

## Docker

The repo now includes a production-ready container stack:

- [Dockerfile](/mnt/d/SourceCode/tootaio/dinner-ticket-system/Dockerfile)
- [docker-compose.yml](/mnt/d/SourceCode/tootaio/dinner-ticket-system/docker-compose.yml)
- [.dockerignore](/mnt/d/SourceCode/tootaio/dinner-ticket-system/.dockerignore)

Bring up the full environment:

```bash
docker compose up --build
```

This starts:

- Nuxt/Nitro app on `http://localhost:20013`
- PostgreSQL only on the internal Docker network
- Redis only on the internal Docker network

The app container waits on PostgreSQL and Redis health checks, and exposes:

- `GET /api/health` for container/runtime health

Stop the stack:

```bash
docker compose down
```

Stop and remove persisted database/cache volumes:

```bash
docker compose down -v
```

For passkey testing in Docker, set `NUXT_PUBLIC_APP_URL` to the exact origin you open in the browser. In production, this should be your final HTTPS URL.

## Protected Areas

- `/login`
- `/security`
- `/management/users`

## User Flows

- Password login with Redis-backed session cookie
- Passkey login using WebAuthn discoverable credentials
- Super admin creates users with default password `123456`
- Users must change password and set a passkey after first login
- Users can change their own password from Security
- Super admin can reset a user's password back to `123456`

## Verification

The codebase currently verifies cleanly with:

```bash
pnpm build
```