dticket.tootaio.com/README.md

# Dinner Ticket System

Nuxt 4 app with:

- Public dinner ticket booking page
- Staff login with password and passkey support
- PostgreSQL-backed users and passkeys
- Redis-backed sessions and WebAuthn challenge storage
- Seeded `xiaomai` super-admin account
- Super-admin user creation and password reset flow
- First-login enforcement: temporary password change plus passkey enrollment

## Environment

Create `.env` from `.env.example` and set:

```bash
NUXT_DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:5432/dinner_ticket_system
NUXT_REDIS_URL=redis://127.0.0.1:6379
NUXT_PUBLIC_APP_URL=http://localhost:20013
```

`NUXT_PUBLIC_APP_URL` should be your final HTTPS origin in production. Passkeys rely on the RP origin being stable and correct.

## Setup

Install dependencies:

```bash
pnpm install
```

## Development

Start the app:

```bash
pnpm dev
```

The backend bootstraps its schema automatically on startup and seeds this initial super-admin account if it does not already exist:

- Username: `xiaomai`
- Temporary password: `123456`

On first login, the user is forced to change that temporary password and register a passkey before accessing the protected area.

## Production

Build:

```bash
pnpm build
```

Preview the built server:

```bash
node .output/server/index.mjs
```

## Docker

The repo now includes a production-ready container stack:

- [Dockerfile](/mnt/d/SourceCode/tootaio/dinner-ticket-system/Dockerfile)
- [docker-compose.yml](/mnt/d/SourceCode/tootaio/dinner-ticket-system/docker-compose.yml)
- [docker-compose.dev.yml](/mnt/d/SourceCode/tootaio/dinner-ticket-system/docker-compose.dev.yml)
- [.dockerignore](/mnt/d/SourceCode/tootaio/dinner-ticket-system/.dockerignore)

Bring up the full environment:

```bash
docker compose up --build
```

This starts:

- Nuxt/Nitro app on `http://localhost:20013`
- PostgreSQL only on the internal Docker network
- Redis only on the internal Docker network

The app container waits on PostgreSQL and Redis health checks, and exposes:

- `GET /api/health` for container/runtime health

Stop the stack:

```bash
docker compose down
```

Stop and remove persisted database/cache volumes:

```bash
docker compose down -v
```

For passkey testing in Docker, set `NUXT_PUBLIC_APP_URL` to the exact origin you open in the browser. In production, this should be your final HTTPS URL.

### Docker Development With Hot Reload

Use the dev override when you want live reload instead of rebuilding the image after every code change:

```bash
docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
```

This keeps PostgreSQL and Redis in Docker, but runs the app container in Nuxt dev mode with:

- the project directory bind-mounted into `/app`
- a persistent `/app/node_modules` volume so dependencies stay inside Docker
- an automatic `pnpm install --frozen-lockfile` during app container startup
- polling-based file watching for reliable reloads on mounted filesystems

After the first start, code changes on the host should reload automatically without rebuilding the image.

When you change dependencies, restart the app container so it reruns `pnpm install` against the current lockfile:

```bash
docker compose -f docker-compose.yml -f docker-compose.dev.yml restart app
```

## Protected Areas

- `/login`
- `/security`
- `/management/users`

## User Flows

- Password login with Redis-backed session cookie
- Passkey login using WebAuthn discoverable credentials
- Super admin creates users with default password `123456`
- Users must change password and set a passkey after first login
- Users can change their own password from Security
- Super admin can reset a user's password back to `123456`

## Verification

The codebase currently verifies cleanly with:

```bash
pnpm build
```