Environments & URLs

$ cd frontend
$ npm run dev
# Vite running on http://localhost:3000

# .env.local
# Leave VITE_API_BASE empty or unset
# httpClient will default to /api and Vite proxy to localhost:8080

export default defineConfig({
  server: {
    proxy: {
      '/api': {
        target: 'http://localhost:8080',
        changeOrigin: true,
        secure: false,
      },
    },
  },
});

$ cd inventory-service
$ mvn spring-boot:run
# Spring Boot running on http://localhost:8080

# Default dev configuration
server:
  port: 8080
  servlet:
    context-path: /

spring:
  datasource:
    url: jdbc:h2:mem:testdb
    driver-class-name: org.h2.Driver
  jpa:
    database-platform: org.hibernate.dialect.H2Dialect
    hibernate:
      ddl-auto: create-drop

app:
  demo:
    readonly: false  # Full access (no read-only mode)
  security:
    oauth2-client-id: ${OAUTH2_CLIENT_ID:dev-client-id}
    oauth2-client-secret: ${OAUTH2_CLIENT_SECRET:dev-secret}

# Terminal 1: Start backend
$ mvn spring-boot:run

# Terminal 2: Start frontend
$ npm run dev

# Terminal 3: Test endpoint
$ curl http://localhost:8080/api/auth/me -v
# Should see OPTIONS preflight + actual request

# .env.production
# Leave VITE_API_BASE unset (or set to /api)
# In production, backend is at same domain via Nginx proxy
VITE_API_BASE=/api

$ npm run build    # Outputs to dist/
$ npm run preview  # Test production build locally

# Then deploy (example: Vercel)
$ vercel deploy

# application-prod.yml (production profile)
server:
  port: 8080
  servlet:
    context-path: /
  ssl:
    enabled: false  # TLS handled by Nginx/Fly.io

spring:
  datasource:
    url: ${DB_URL}  # From Fly.io secrets
    username: ${DB_USER}
    password: ${DB_PASSWORD}
    driver-class-name: oracle.jdbc.driver.OracleDriver
  jpa:
    hibernate:
      ddl-auto: validate  # Don't modify schema in prod
  
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: ${OAUTH2_CLIENT_ID}
            client-secret: ${OAUTH2_CLIENT_SECRET}

app:
  demo:
    readonly: false
  security:
    cors-allowed-origins:
      - https://app.fly.dev
      - https://www.app.fly.dev

$ flyctl secrets set \
  DB_URL="jdbc:oracle:thin:@..." \
  DB_USER="admin" \
  DB_PASSWORD="..." \
  OAUTH2_CLIENT_ID="..." \
  OAUTH2_CLIENT_SECRET="..."

# Verify
$ flyctl secrets list

/**
 * API base URL resolution logic.
 * 
 * Priority:
 * 1. If VITE_API_BASE env var is set and non-empty → use it
 * 2. Otherwise → use '/api' (relative path, same origin)
 */
interface ViteEnv {
  VITE_API_BASE?: string;
}

const RAW_BASE = (import.meta.env as unknown as ViteEnv)?.VITE_API_BASE;

export const API_BASE: string = (() => {
  const trimmed = (RAW_BASE ?? '').trim();
  return trimmed.length > 0 ? trimmed : '/api';
})();

const httpClient = axios.create({
  baseURL: API_BASE,
  withCredentials: true,
  timeout: 30_000,
});

export default httpClient;

VITE_API_BASE = undefined
→ trimmed = ""
→ API_BASE = '/api'
→ httpClient calls http://localhost:3000/api/... 
   (Vite proxy forwards to http://localhost:8080)

VITE_API_BASE = '/api'
→ trimmed = '/api'
→ API_BASE = '/api'
→ httpClient calls /api/...
   (Browser makes same-origin request to https://app.fly.dev/api/...)
   (Nginx proxies to http://localhost:8080)

VITE_API_BASE = 'https://api.example.com'
→ trimmed = 'https://api.example.com'
→ API_BASE = 'https://api.example.com'
→ httpClient calls https://api.example.com/...
   (Cross-origin request; CORS required)

# .env.local
# DO NOT COMMIT (add to .gitignore)

# Leave unset or set to relative path
# VITE_API_BASE=/api

# Or explicit if testing against remote backend
# VITE_API_BASE=https://staging.app.com/api

# Other dev settings
VITE_LOG_LEVEL=debug
VITE_ENABLE_MOCK_DATA=false

# .env.staging
VITE_API_BASE=/api
VITE_LOG_LEVEL=info
VITE_ENABLE_MOCK_DATA=false

# .env.production
VITE_API_BASE=/api
VITE_LOG_LEVEL=warn
VITE_ENABLE_MOCK_DATA=false

# Build for development (uses .env.local)
$ npm run dev

# Build for staging
$ npx vite build --mode staging

# Build for production
$ npm run build  # Uses .env.production

$ mvn spring-boot:run
# SPRING_PROFILES_ACTIVE not set
# Uses application.yml (H2 database, demo data, etc.)

$ SPRING_PROFILES_ACTIVE=test mvn spring-boot:run
# Uses application-test.yml (TestContainers, restricted logging)

$ SPRING_PROFILES_ACTIVE=prod mvn spring-boot:run
# Uses application-prod.yml (Oracle DB, optimized logging)

#!/bin/bash
set -e

export SPRING_PROFILES_ACTIVE=prod

java -jar /app/inventory-service.jar

# 1. Download wallet from Oracle Cloud Console
# 2. Store in /oracle_wallet/Wallet_sspdb_fixed/ (in Docker)
# 3. Set DB_URL to include wallet path

export DB_URL="jdbc:oracle:thin:@dbname_high?TNS_ADMIN=/opt/oracle/wallet"

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: ${OAUTH2_CLIENT_ID:123456789.apps.googleusercontent.com}
            client-secret: ${OAUTH2_CLIENT_SECRET:GOCSPX-xxxxx}

export OAUTH2_CLIENT_ID="..."
export OAUTH2_CLIENT_SECRET="..."
mvn spring-boot:run

$ flyctl secrets set \
  OAUTH2_CLIENT_ID="production-client-id.apps.googleusercontent.com" \
  OAUTH2_CLIENT_SECRET="GOCSPX-production-secret"

server:
  servlet:
    session:
      timeout: 30m           # 30 minutes
      cookie:
        http-only: false     # Allow JS access (for dev)
        secure: false        # Allow HTTP
        same-site: lax       # Allow some cross-site

server:
  servlet:
    session:
      timeout: 24h           # 24 hours
      cookie:
        http-only: true      # JS cannot access
        secure: true         # HTTPS only
        same-site: strict    # No cross-site

fetch('/api/auth/me', { credentials: 'include' })
  .then(r => r.json())
  .then(d => console.log('Connected!', d))
  .catch(e => console.error('Failed:', e));

$ curl http://localhost:8080/api/auth/me -v
# Should see CORS headers and response

$ docker exec inventory-service curl http://localhost:8080/api/health
# Should return 200 OK with health info