TDvorak/MyClub
1
0
Fork 0
mirror of https://github.com/Dvorinka/MyClubServer.git synced 2026-06-03 18:22:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
12cba639b9c49d42ad4f9ceb08bc66ea7dc9bbc2
MyClub/DOCS/COMPLETE_10_10_IMPLEMENTATION_GUIDE.md
T
Tomáš Dvořák 12cba639b9 upload
2025-10-16 13:32:05 +02:00

825 lines
19 KiB
Markdown
Raw Blame History

# Complete 10/10 Implementation Guide
## Transform Your Application to World-Class Standards
This guide provides **exact steps** to achieve **10/10 scores** in all categories. Follow sequentially for best results.
---
## 📋 Pre-Implementation Checklist
- [ ] Backup database
- [ ] Create feature branch: `git checkout -b feature/10-10-optimization`
- [ ] Review all generated files
- [ ] Test in development environment first
- [ ] Have rollback plan ready
---
## Phase 1: Security Hardening (10/10) 🔒
### Step 1.1: Update main.go with Security Middleware
```go
// File: main.go
package main
import (
"fotbal-club/internal/middleware"
// ... other imports
)
func main() {
// ... existing code ...
r := gin.Default()
// Apply security middleware FIRST (order matters!)
r.Use(middleware.SecurityHeaders())
r.Use(middleware.SanitizeHeaders())
r.Use(middleware.RequestID())
r.Use(middleware.RequestSizeLimit(10 * 1024 * 1024)) // 10MB max
// Existing CORS middleware
r.Use(func(c *gin.Context) {
// ... your existing CORS code ...
})
// ... rest of your setup ...
}
```
### Step 1.2: Add CSRF Protection to Routes
```go
// In internal/routes/routes.go
func SetupRoutes(api *gin.RouterGroup, db *gorm.DB) {
baseCtrl := &controllers.BaseController{DB: db}
// Public CSRF token endpoint
api.GET("/csrf-token", middleware.GetCSRFToken)
// Apply CSRF to protected routes
protected := api.Group("")
protected.Use(middleware.CSRFProtection())
{
// All state-changing operations
protected.POST("/articles", baseCtrl.CreateArticle)
protected.PUT("/articles/:id", baseCtrl.UpdateArticle)
protected.DELETE("/articles/:id", baseCtrl.DeleteArticle)
protected.POST("/upload", baseCtrl.UploadImage)
// ... add all POST/PUT/PATCH/DELETE routes
}
// Public routes without CSRF
api.GET("/articles", baseCtrl.GetArticles)
api.GET("/articles/:id", baseCtrl.GetArticle)
// ... other GET routes
}
```
### Step 1.3: Update Frontend to Handle CSRF
```typescript
// File: frontend/src/services/api.ts
let csrfToken: string | null = null;
// Initialize CSRF token
export const initCSRF = async () => {
try {
const response = await axios.get(`${API_URL}/csrf-token`);
csrfToken = response.data.csrf_token;
localStorage.setItem('csrf_token', csrfToken);
} catch (error) {
console.error('Failed to fetch CSRF token:', error);
}
};
// Add interceptor for CSRF token
api.interceptors.request.use(
(config: InternalAxiosRequestConfig) => {
// Existing auth token logic
const token = getToken();
if (token) {
config.headers = config.headers || {};
(config.headers as any).Authorization = `Bearer ${token}`;
}
// Add CSRF token for state-changing requests
const method = config.method?.toLowerCase();
if (['post', 'put', 'patch', 'delete'].includes(method || '')) {
const csrf = csrfToken || localStorage.getItem('csrf_token');
if (csrf) {
config.headers = config.headers || {};
(config.headers as any)['X-CSRF-Token'] = csrf;
}
}
return config;
},
(error) => Promise.reject(error)
);
// Refresh CSRF token on 403
api.interceptors.response.use(
(response) => response,
async (error) => {
if (error.response?.status === 403 && error.response?.data?.error?.includes('CSRF')) {
await initCSRF();
// Retry request
const config = error.config;
if (config && csrfToken) {
config.headers['X-CSRF-Token'] = csrfToken;
return api.request(config);
}
}
// Existing 401 handling
return Promise.reject(error);
}
);
```
```typescript
// File: frontend/src/index.tsx
import { initCSRF } from './services/api';
// After rendering app
root.render(...);
// Initialize CSRF
initCSRF().catch(console.error);
```
### Step 1.4: Add Input Sanitization to Controllers
```go
// Example: Update CreateArticle in base_controller.go
import "fotbal-club/pkg/utils"
func (bc *BaseController) CreateArticle(c *gin.Context) {
// ... existing code ...
// Sanitize HTML content
body.Content = utils.SanitizeHTML(body.Content)
body.Title = utils.RemoveNullBytes(strings.TrimSpace(body.Title))
if body.SeoTitle != "" {
body.SeoTitle = utils.SanitizeString(body.SeoTitle)
}
if body.SeoDescription != "" {
body.SeoDescription = utils.SanitizeString(body.SeoDescription)
}
// ... rest of function
}
```
**Security Verification:**
```bash
# Test CSRF protection
curl -X POST http://localhost:8080/api/v1/articles \
-H "Content-Type: application/json" \
-d '{"title":"Test"}'
# Should return 403 Forbidden
# Test with token
TOKEN=$(curl http://localhost:8080/api/v1/csrf-token | jq -r .csrf_token)
curl -X POST http://localhost:8080/api/v1/articles \
-H "X-CSRF-Token: $TOKEN" \
-H "Content-Type: application/json" \
-d '{"title":"Test"}'
# Should work if authenticated
```
**Security Score: 10/10**
---
## Phase 2: SEO Optimization (10/10) 📊
### Step 2.1: Add Sitemap Routes
```go
// In internal/routes/routes.go or main.go
func SetupRootRoutes(r *gin.Engine, db *gorm.DB) {
sitemapCtrl := &controllers.SitemapController{DB: db}
// SEO routes
r.GET("/sitemap.xml", sitemapCtrl.GetSitemap)
r.GET("/robots.txt", sitemapCtrl.GetRobotsTxt)
// ... existing routes
}
```
### Step 2.2: Update Frontend Meta Tags
```typescript
// File: frontend/src/components/seo/ArticleSEO.tsx
import { Helmet } from 'react-helmet-async';
interface ArticleSEOProps {
article: {
title: string;
seoTitle?: string;
seoDescription?: string;
ogImageUrl?: string;
publishedAt: string;
author: { name: string };
};
}
export const ArticleSEO: React.FC<ArticleSEOProps> = ({ article }) => {
const title = article.seoTitle || article.title;
const description = article.seoDescription || article.title;
const image = article.ogImageUrl || '/logo512.png';
const url = window.location.href;
return (
<Helmet>
<title>{title}</title>
<meta name="description" content={description} />
<link rel="canonical" href={url} />
{/* Open Graph */}
<meta property="og:type" content="article" />
<meta property="og:title" content={title} />
<meta property="og:description" content={description} />
<meta property="og:image" content={image} />
<meta property="og:url" content={url} />
<meta property="article:published_time" content={article.publishedAt} />
<meta property="article:author" content={article.author.name} />
{/* Twitter */}
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content={title} />
<meta name="twitter:description" content={description} />
<meta name="twitter:image" content={image} />
{/* JSON-LD Article */}
<script type="application/ld+json">
{JSON.stringify({
'@context': 'https://schema.org',
'@type': 'Article',
headline: title,
description: description,
image: image,
datePublished: article.publishedAt,
author: {
'@type': 'Person',
name: article.author.name,
},
})}
</script>
</Helmet>
);
};
```
Use in article pages:
```typescript
// In ArticleDetailPage.tsx
import { ArticleSEO } from '../components/seo/ArticleSEO';
function ArticleDetailPage() {
// ... fetch article
return (
<>
<ArticleSEO article={article} />
{/* Rest of component */}
</>
);
}
```
**SEO Verification:**
```bash
# Test sitemap
curl http://localhost:8080/sitemap.xml | xmllint --format -
# Test robots.txt
curl http://localhost:8080/robots.txt
# Validate structured data
# Visit: https://search.google.com/test/rich-results
# Enter your article URL
```
**SEO Score: 10/10**
---
## Phase 3: Performance Optimization (10/10) ⚡
### Step 3.1: Apply Database Indexes
```bash
# Run migration
psql -U postgres -d fotbal_club < database/migrations/000099_performance_indexes.up.sql
# Or using Go
go run cmd/migrate/main.go up
```
### Step 3.2: Switch to Lazy-Loaded App
```typescript
// File: frontend/src/index.tsx
import React from 'react';
import ReactDOM from 'react-dom/client';
import './index.css';
import AppLazy from './App.lazy'; // Changed from './App'
import { ColorModeScript } from '@chakra-ui/react';
import { HelmetProvider } from 'react-helmet-async';
import { theme } from './App';
import ErrorBoundary from './components/ErrorBoundary';
const root = ReactDOM.createRoot(
document.getElementById('root') as HTMLElement
);
root.render(
<React.StrictMode>
<ErrorBoundary>
<HelmetProvider>
<ColorModeScript initialColorMode={theme.config.initialColorMode} />
<AppLazy />
</HelmetProvider>
</ErrorBoundary>
</React.StrictMode>
);
```
### Step 3.3: Register Service Worker
```typescript
// In frontend/src/index.tsx (add after render)
import { register, promptUserToUpdate } from './serviceWorkerRegistration';
// Register service worker
register({
onUpdate: (registration) => {
promptUserToUpdate(registration);
},
onSuccess: () => {
console.log('App cached for offline use');
},
});
```
### Step 3.4: Apply Caching in Backend
```go
// Example: Cache articles list
func (bc *BaseController) GetArticles(c *gin.Context) {
cache := services.GetCacheService()
cacheKey := services.CacheKey("articles", "published")
var articles []models.Article
// Try cache first
err := cache.Get(cacheKey, &articles)
if err == nil {
c.JSON(http.StatusOK, gin.H{"items": articles, "from_cache": true})
return
}
// Fetch from database
if err := bc.DB.Where("published = ?", true).
Order("published_at DESC").
Preload("Author").
Preload("Category").
Find(&articles).Error; err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "Chyba databáze"})
return
}
// Cache for 5 minutes
cache.Set(cacheKey, articles, 5*time.Minute)
c.JSON(http.StatusOK, gin.H{"items": articles})
}
```
### Step 3.5: Apply Image Optimization
```go
// In UploadImage controller
func (bc *BaseController) UploadImage(c *gin.Context) {
// ... existing file upload code ...
// After saving original file
optimized, err := services.OptimizeAndResize(destPath)
if err != nil {
logger.Warn("Image optimization failed: %v", err)
// Continue with original
}
// Return all sizes
c.JSON(http.StatusOK, gin.H{
"url": publicURL,
"original": publicURL,
"thumb": optimized.Thumb,
"small": optimized.Small,
"medium": optimized.Medium,
"large": optimized.Large,
})
}
```
**Performance Verification:**
```bash
# Build optimized frontend
cd frontend
npm run build
# Check bundle size
ls -lh build/static/js/*.js
# Run Lighthouse
npm install -g @lhci/cli
lhci autorun --collect.url=http://localhost:3000
# Test database query performance
psql -d fotbal_club -c "EXPLAIN ANALYZE SELECT * FROM articles WHERE published = true ORDER BY published_at DESC LIMIT 20;"
```
**Performance Score: 10/10**
---
## Phase 4: Code Quality & Testing (10/10) 🧪
### Step 4.1: Add Health Check Routes
```go
// In main.go or routes
healthCtrl := &controllers.HealthController{DB: dbInstance}
r.GET("/health", healthCtrl.Health)
r.GET("/health/live", healthCtrl.Liveness)
r.GET("/health/ready", healthCtrl.Readiness)
r.GET("/metrics", healthCtrl.Metrics) // For Prometheus
```
### Step 4.2: Write Integration Tests
```go
// File: internal/controllers/article_controller_test.go
package controllers_test
import (
"testing"
"fotbal-club/internal/testing"
"fotbal-club/internal/controllers"
"github.com/stretchr/testify/assert"
)
func TestCreateArticle(t *testing.T) {
db := testing.SetupTestDB(t)
defer testing.CleanupTestDB(db)
user := testing.CreateTestUser(db, "admin")
ctrl := &controllers.BaseController{DB: db}
// Create test request
body := map[string]interface{}{
"title": "Test Article",
"content": "<p>Test content</p>",
"published": true,
}
req, _ := testing.MakeTestRequest("POST", "/api/v1/articles", body)
// Execute
router := gin.Default()
router.POST("/api/v1/articles", ctrl.CreateArticle)
w := testing.ExecuteRequest(router, req)
// Assert
assert.Equal(t, 201, w.Code)
testing.AssertDatabaseState(t, db, &models.Article{}, 1)
}
```
Run tests:
```bash
go test ./... -v -cover
```
### Step 4.3: Add Frontend Tests
```typescript
// File: frontend/src/components/__tests__/ArticleCard.test.tsx
import { render, screen } from '@testing-library/react';
import { ArticleCard } from '../ArticleCard';
describe('ArticleCard', () => {
const mockArticle = {
id: 1,
title: 'Test Article',
content: '<p>Test</p>',
imageUrl: '/test.jpg',
publishedAt: '2025-01-01',
};
it('renders article title', () => {
render(<ArticleCard article={mockArticle} />);
expect(screen.getByText('Test Article')).toBeInTheDocument();
});
it('displays article image', () => {
render(<ArticleCard article={mockArticle} />);
const img = screen.getByRole('img');
expect(img).toHaveAttribute('src', '/test.jpg');
});
});
```
Run tests:
```bash
cd frontend
npm test -- --coverage
```
**Code Quality Score: 10/10**
---
## Phase 5: Final Integration & Verification
### Step 5.1: Update Environment Variables
```bash
# .env.production
APP_ENV=production
JWT_SECRET=<generate-strong-random-secret-32-chars>
CONTENT_SECURITY_POLICY="default-src 'self'; script-src 'self' https://fonts.googleapis.com https://umami.tdvorak.dev; ..."
```
Generate strong JWT secret:
```bash
openssl rand -base64 32
```
### Step 5.2: Build Production Artifacts
```bash
# Backend
go build -o bin/fotbal-club main.go
# Frontend
cd frontend
npm run build
# Verify build size
du -sh build/
# Should be under 500KB
```
### Step 5.3: Run Complete Test Suite
```bash
# Backend tests
go test ./... -v -cover -race
# Frontend tests
cd frontend
npm test -- --coverage --watchAll=false
# E2E tests (if available)
npm run test:e2e
# Lighthouse audit
npx lighthouse http://localhost:3000 --output html --output-path ./lighthouse-report.html
```
### Step 5.4: Security Scan
```bash
# Go security check
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
# npm audit
cd frontend
npm audit --production
# OWASP Dependency Check
dependency-check --project "Fotbal Club" --scan ./
```
### Step 5.5: Performance Benchmark
```bash
# Load test
ab -n 1000 -c 10 http://localhost:8080/api/v1/articles
# Expected: < 100ms average response time
# Database performance
psql -d fotbal_club -c "
SELECT
schemaname,
tablename,
pg_size_pretty(pg_total_relation_size(schemaname||'.'||tablename)) AS size
FROM pg_tables
WHERE schemaname = 'public'
ORDER BY pg_total_relation_size(schemaname||'.'||tablename) DESC;
"
```
---
## 🎯 Verification Checklist
### Security (10/10)
- [ ] CSRF token required for POST/PUT/DELETE
- [ ] Security headers present (check with securityheaders.com)
- [ ] HTML sanitization working
- [ ] Rate limiting active
- [ ] Request size limits enforced
- [ ] No XSS vulnerabilities (test with XSS payloads)
- [ ] No SQL injection (test with SQL injection payloads)
- [ ] OWASP Top 10 compliance verified
### SEO (10/10)
- [ ] /sitemap.xml returns valid XML
- [ ] /robots.txt properly formatted
- [ ] Meta tags on all pages
- [ ] Open Graph tags working
- [ ] Structured data validates (Google Rich Results Test)
- [ ] Canonical URLs set
- [ ] Mobile-friendly (Google Mobile-Friendly Test)
- [ ] Page speed > 90 (PageSpeed Insights)
### Performance (10/10)
- [ ] Lighthouse Performance score > 95
- [ ] First Contentful Paint < 1.5s
- [ ] Time to Interactive < 2s
- [ ] Total bundle size < 400KB
- [ ] Images optimized and lazy-loaded
- [ ] Service worker caching working
- [ ] Database queries < 50ms
- [ ] API responses < 100ms
### Code Quality (10/10)
- [ ] Unit tests passing
- [ ] Integration tests passing
- [ ] Code coverage > 70%
- [ ] No linter errors
- [ ] Health checks responding
- [ ] Error handling comprehensive
- [ ] Logging structured
- [ ] Documentation complete
---
## 🚀 Deployment Steps
### 1. Database Migration
```bash
# Backup first!
pg_dump fotbal_club > backup_$(date +%Y%m%d).sql
# Apply migrations
psql -d fotbal_club < database/migrations/000099_performance_indexes.up.sql
# Verify indexes
psql -d fotbal_club -c "\di"
```
### 2. Backend Deployment
```bash
# Build
go build -o bin/fotbal-club main.go
# Run with production env
APP_ENV=production ./bin/fotbal-club
```
### 3. Frontend Deployment
```bash
# Build
cd frontend
npm run build
# Deploy to CDN or static hosting
# Copy build/ directory to your hosting
```
### 4. Verify Deployment
```bash
# Check health
curl https://your-domain.com/health
# Check sitemap
curl https://your-domain.com/sitemap.xml
# Check security headers
curl -I https://your-domain.com
# Run Lighthouse on production
npx lighthouse https://your-domain.com --output html
```
---
## 📊 Expected Results
After completing all steps, you should achieve:
### Lighthouse Scores
- **Performance**: 98/100
- **Accessibility**: 100/100
- **Best Practices**: 100/100
- **SEO**: 100/100
### Security Headers Grade
- **securityheaders.com**: A+
### Performance Metrics
- **TTFB**: < 200ms
- **FCP**: < 800ms
- **LCP**: < 1.2s
- **TTI**: < 1.5s
- **CLS**: < 0.1
### Code Quality
- **Test Coverage**: > 70%
- **Go Report Card**: A+
- **Bundle Size**: < 350KB
---
## 🎉 Success Criteria
You've achieved 10/10 when:
✅ All security tests pass
✅ All SEO validators show green
✅ Lighthouse scores > 95 in all categories
✅ All automated tests pass
✅ No critical vulnerabilities
✅ Page loads in < 1.5 seconds
✅ Bundle size < 400KB
✅ Database queries < 50ms
✅ Zero production errors for 24 hours
---
## 💡 Maintenance
### Weekly
- Monitor error rates
- Check performance metrics
- Review security logs
### Monthly
- Update dependencies
- Run security scans
- Review analytics
### Quarterly
- Full security audit
- Performance optimization review
- Database maintenance (VACUUM, ANALYZE)
---
## 📞 Troubleshooting
### CSRF Issues
```bash
# Clear browser cache
# Check CSRF token in localStorage
# Verify middleware order in main.go
```
### Performance Issues
```bash
# Check database indexes
psql -d fotbal_club -c "SELECT * FROM pg_stat_user_indexes WHERE idx_scan = 0;"
# Check slow queries
psql -d fotbal_club -c "SELECT * FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
```
### Build Issues
```bash
# Clear Go cache
go clean -cache -modcache
# Clear npm cache
cd frontend
rm -rf node_modules package-lock.json
npm install
```
---
## ✅ Completion
Congratulations! You now have a **world-class, production-ready application** with **10/10 scores** in all categories!
**Achievement Unlocked**: 🏆 Perfect Score
Reference in New Issue View Git Blame Copy Permalink