""" BankBot FastAPI — production entry point. Phase 7: structured logging, metrics, security headers, rate limiting. """ import json import os import time from collections import defaultdict from fastapi import FastAPI, Request, Response from fastapi.middleware.cors import CORSMiddleware from fastapi.responses import JSONResponse from app.database.database import engine, Base import app.database.models # noqa: F401 # ─── Routers ────────────────────────────────────────────────────────────────── from app.ai.router import router as ai_router from app.websocket.router import router as ws_router from app.auth.router import router as auth_router from app.dashboard.router import router as dashboard_router from app.notifications.router import router as notifications_router from app.transactions.router import router as transactions_router # ─── Observability ──────────────────────────────────────────────────────────── from app.middleware.logging import RequestLoggingMiddleware, metrics, api_logger # ─── App ────────────────────────────────────────────────────────────────────── app = FastAPI( title="BankBot AI API", description="Production-grade AI-powered financial platform", version="2.0.0", docs_url="/docs", redoc_url="/redoc", ) # ─── CORS ───────────────────────────────────────────────────────────────────── _raw = os.environ.get("BACKEND_CORS_ORIGINS", '["http://localhost:3000","http://localhost:7860"]') try: allowed_origins = json.loads(_raw) except Exception: allowed_origins = ["http://localhost:3000", "http://localhost:7860"] # In HF Spaces, the Space URL is dynamic — allow all *.hf.space origins # by using allow_origin_regex as a fallback HF_SPACE_PATTERN = r"https://.*\.hf\.space" app.add_middleware( CORSMiddleware, allow_origins=allowed_origins, allow_origin_regex=HF_SPACE_PATTERN, allow_credentials=True, allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], allow_headers=["Authorization", "Content-Type", "X-Request-ID"], expose_headers=["X-Request-ID", "X-Process-Time"], ) # ─── Request logging ────────────────────────────────────────────────────────── app.add_middleware(RequestLoggingMiddleware) # ─── Security headers ───────────────────────────────────────────────────────── @app.middleware("http") async def security_headers(request: Request, call_next): response: Response = await call_next(request) response.headers["X-Content-Type-Options"] = "nosniff" response.headers["X-Frame-Options"] = "DENY" response.headers["X-XSS-Protection"] = "1; mode=block" response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin" response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()" return response # ─── Process-time header ────────────────────────────────────────────────────── @app.middleware("http") async def process_time_header(request: Request, call_next): t = time.time() response = await call_next(request) response.headers["X-Process-Time"] = f"{(time.time()-t)*1000:.1f}ms" return response # ─── Rate limiter ───────────────────────────────────────────────────────────── _rate_store: dict = defaultdict(list) RATE_LIMIT = 120 RATE_WINDOW = 60 @app.middleware("http") async def rate_limit(request: Request, call_next): skip = request.url.path in ("/health", "/") or \ "websocket" in request.headers.get("upgrade", "").lower() if skip: return await call_next(request) ip = request.client.host if request.client else "unknown" now = time.time() _rate_store[ip] = [t for t in _rate_store[ip] if t > now - RATE_WINDOW] if len(_rate_store[ip]) >= RATE_LIMIT: metrics.record_error(request.url.path, 429, "rate_limited") return JSONResponse( status_code=429, content={"detail": "Too many requests. Please slow down."}, headers={"Retry-After": str(RATE_WINDOW)}, ) _rate_store[ip].append(now) return await call_next(request) # ─── Startup ────────────────────────────────────────────────────────────────── @app.on_event("startup") def startup(): api_logger.info("BankBot API starting", extra={"version": "2.0.0"}) Base.metadata.create_all(bind=engine) api_logger.info("Database tables ready") # Log active backends from app.ai.ollama_integration import OPENAI_API_KEY, GROQ_API_KEY, has_active_ai_backend from app.middleware.cache import cache from app.database.database import SQLALCHEMY_DATABASE_URL ai_backend = "openai" if OPENAI_API_KEY else ("groq" if GROQ_API_KEY else "ollama") api_logger.info("Startup diagnostics", extra={ "ai_backend": ai_backend, "ai_available": has_active_ai_backend(), "db_type": "sqlite" if "sqlite" in SQLALCHEMY_DATABASE_URL else "postgresql", "cache_type": "redis" if cache.use_redis else "memory", }) # ─── Routers ────────────────────────────────────────────────────────────────── app.include_router(auth_router) app.include_router(ai_router) app.include_router(ws_router) app.include_router(dashboard_router) app.include_router(notifications_router) app.include_router(transactions_router) # ─── Core endpoints ─────────────────────────────────────────────────────────── @app.get("/", tags=["Core"]) def root(): return {"message": "BankBot AI API v2.0", "status": "operational", "docs": "/docs"} @app.get("/health", tags=["Core"]) def health(): from app.middleware.cache import cache from app.database.database import SQLALCHEMY_DATABASE_URL return { "status": "healthy", "timestamp": time.time(), "db": "sqlite" if "sqlite" in SQLALCHEMY_DATABASE_URL else "postgresql", "cache": "redis" if cache.use_redis else "memory", "uptime_s": round(time.time() - metrics.start_time, 0), } @app.get("/api/status", tags=["Core"]) def api_status(): from app.ai.ollama_integration import has_active_ai_backend, OPENAI_API_KEY, GROQ_API_KEY from app.middleware.cache import cache from app.database.database import SQLALCHEMY_DATABASE_URL ai = "openai" if OPENAI_API_KEY else ("groq" if GROQ_API_KEY else "ollama") return { "ai_backend": ai, "ai_available": has_active_ai_backend(), "db_type": "sqlite" if "sqlite" in SQLALCHEMY_DATABASE_URL else "postgresql", "cache_type": "redis" if cache.use_redis else "memory", "version": "2.0.0", } @app.get("/api/metrics", tags=["Observability"]) def get_metrics(): """ Live observability dashboard — request counts, AI latency, cache hit ratio, WebSocket stats, recent errors. """ return metrics.summary()