⚠️ Work in Progress: This project is under heavy development. Features, APIs, and documentation are subject to change or addition without prior notice.
A modern, secure, and scalable backend system for a public citizen reporting platform. Built with Go, PostgreSQL, and Fiber framework to enable citizens to report issues and government officials to manage and respond to community concerns.
## Features

### Authentication & Authorization

- JWT-based authentication with access and refresh tokens
- Secure cookie-based session management for web clients
- Bearer token authentication for mobile clients
- Role-based access control (Admin, Official, Citizen)
- Password hashing with bcrypt
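The access/refresh split listed above is easiest to see in code. The following is an added example written for this README, not code from the project: it signs HS256 tokens with the Go standard library (the README does not name the JWT library it uses), and `Claims`, `Issuer`, `IssuePair`, `Verify`, `Refresh`, the `typ` claim and the demo secret are all assumptions. The point it shows is that a refresh token must carry a kind marker so it is rejected wherever an access token is expected, and that expiry is checked against a clock the caller controls, with lifetimes taken from the same `JWT_EXPIRY` / `JWT_REFRESH_EXPIRY` minute values the `.env` uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload carried by both token kinds. Typ marks a token as
// "access" or "refresh" so one cannot be presented where the other is
// expected. Hypothetical example for this README, not the project's code.
type Claims struct {
	Sub  string `json:"sub"`  // user id
	Role string `json:"role"` // Admin, Official or Citizen
	Typ  string `json:"typ"`  // "access" or "refresh"
	Exp  int64  `json:"exp"`  // unix seconds
}

// Issuer mints and verifies HS256 tokens; lifetimes mirror JWT_EXPIRY and JWT_REFRESH_EXPIRY (minutes).
type Issuer struct {
	secret        []byte
	accessExpiry  time.Duration
	refreshExpiry time.Duration
	now           func() time.Time // injectable clock, so tests need no sleeping
}

func NewIssuer(secret []byte, accessMinutes, refreshMinutes int) *Issuer {
	return &Issuer{secret, time.Duration(accessMinutes) * time.Minute, time.Duration(refreshMinutes) * time.Minute, time.Now}
}

// sign is always HMAC-SHA256; the verifier never reads "alg" from the token, so "alg":"none" just fails.
func (i *Issuer) sign(signingInput string) string {
	mac := hmac.New(sha256.New, i.secret)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func (i *Issuer) mint(sub, role, typ string, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Role: role, Typ: typ, Exp: i.now().Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	return input + "." + i.sign(input), nil
}

// IssuePair returns a short-lived access token and a long-lived refresh token.
func (i *Issuer) IssuePair(sub, role string) (access, refresh string, err error) {
	if access, err = i.mint(sub, role, "access", i.accessExpiry); err != nil {
		return "", "", err
	}
	refresh, err = i.mint(sub, role, "refresh", i.refreshExpiry)
	return access, refresh, err
}

// Verify checks the signature in constant time, then expiry, then the token kind the caller expects.
func (i *Issuer) Verify(token, wantTyp string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(i.sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if !i.now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.Typ != wantTyp {
		return nil, fmt.Errorf("%s token presented where %s is required", c.Typ, wantTyp)
	}
	return &c, nil
}

// Refresh exchanges a valid refresh token for a brand-new pair (rotation).
func (i *Issuer) Refresh(refreshToken string) (string, string, error) {
	c, err := i.Verify(refreshToken, "refresh")
	if err != nil {
		return "", "", err
	}
	return i.IssuePair(c.Sub, c.Role)
}

func main() {
	is := NewIssuer([]byte("demo-secret"), 15, 4320) // constructed secret; the service reads its own from .env
	access, refresh, _ := is.IssuePair("42", "Citizen")
	fmt.Println(is.Verify(access, "access"))  // claims and nil error
	fmt.Println(is.Verify(refresh, "access")) // nil claims and a token-kind error
}
```

The web flow would put the access token in the encrypted cookie and the mobile flow would send it as a bearer token; either way the handler calls `Verify(token, "access")`, while only the `/auth/refresh` handlers call `Verify(token, "refresh")`. Because `Refresh` re-issues both tokens, a stolen refresh token has a bounded life and the old pair can be invalidated server-side if the service tracks issued refresh tokens.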
### User Management

- User registration and profile management
- Email and phone verification support
- Credibility scoring system
- User status management (probation, regular, suspended)
- OAuth provider support (extensible)
- Failed login attempt tracking with account locking
- Soft delete with restoration capability
### Geographic Area Management

- PostGIS-powered geospatial data handling
- Multi-polygon boundary support for administrative areas
- Automatic center point calculation
- Area hierarchy support (provinsi, kabupaten, kecamatan: province, regency, sub-district)
- Spatial indexing with GIST for efficient queries
- Configurable boundary simplification (off, simple, detail)
### Audit Logging

- Comprehensive activity tracking
- JSONB metadata storage for flexible log data
- Entity-based logging (users, roles, areas)
- Action tracking (create, update, delete, assign, restore, login)
### Security Features

- AES-GCM encryption for sensitive data (email, phone, fullname)
- SHA-256 hashing for searchable encrypted fields
- Encrypted cookies
- Rate limiting (60 requests per minute per IP)
- CORS configuration
- TLS 1.3 0-RTT early data support (0-RTT data can be replayed on the wire, so only idempotent requests should be served from early data)

### Highlights

- High Performance: Built with Fiber framework for optimal performance
- Structured Logging: Zerolog integration with Axiom for centralized logging
- Database: PostgreSQL with PostGIS extension
- Type-Safe Queries: SQLC for compile-time SQL validation
- Hot Reload: Air for development with live reload
- Clean Architecture: Separation of concerns with controllers, services, and repositories
- API Versioning: `/api/v1` prefix for future compatibility
- Mobile API: Dedicated mobile endpoints with custom authentication
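How the AES-GCM ciphertext and the SHA-256 hash field listed above work together is easier to see in code. This is an added example written for this README, not code from the project: `FieldCipher`, `Encrypt`, `Decrypt`, `Hash`, `FindByEmail`, the `userRow` stand-in and the demo keys are all assumptions. Where the README says SHA-256, the example keys the hash (HMAC-SHA256 under a second secret) as a design choice, so the hash column cannot be brute-forced from a list of likely email addresses without that key; the lookup path is otherwise the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// FieldCipher encrypts one sensitive column with AES-256-GCM and derives a
// separate deterministic hash column so rows can be matched without
// decrypting. Hypothetical helper for this README, not the project's code.
type FieldCipher struct {
	aead    cipher.AEAD
	hashKey []byte // keys the hash column; a plain digest of an email is guessable
}

// NewFieldCipher takes the 32-byte ENC_KEY from .env; a wrong length is
// rejected instead of silently selecting AES-128 or AES-192.
func NewFieldCipher(encKey, hashKey []byte) (*FieldCipher, error) {
	if len(encKey) != 32 {
		return nil, errors.New("ENC_KEY must be exactly 32 bytes for AES-256-GCM")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead, hashKey: hashKey}, nil
}

// Encrypt returns hex(nonce || ciphertext || tag); a fresh random nonce per call
// means two users sharing a phone number still get different ciphertexts.
func (f *FieldCipher) Encrypt(plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(f.aead.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Decrypt reverses Encrypt; any modification of the stored value fails the GCM tag check.
func (f *FieldCipher) Decrypt(encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := f.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Hash is the searchable companion value: the input is trimmed and
// lower-cased so lookups are case-insensitive, then keyed with HMAC-SHA256.
func (f *FieldCipher) Hash(value string) string {
	mac := hmac.New(sha256.New, f.hashKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))
}

// userRow stands in for the ciphertext/hash column pair on the users table (constructed).
type userRow struct {
	ID        int
	EmailEnc  string
	EmailHash string
}

// FindByEmail is the lookup path: hash the query, compare hash columns in constant time, decrypt only the match.
func FindByEmail(f *FieldCipher, rows []userRow, email string) (int, string, bool) {
	want := f.Hash(email)
	for _, r := range rows {
		if hmac.Equal([]byte(r.EmailHash), []byte(want)) {
			if plain, err := f.Decrypt(r.EmailEnc); err == nil {
				return r.ID, plain, true
			}
		}
	}
	return 0, "", false
}

func main() {
	// Constructed demo keys; the service reads ENC_KEY (and a second secret for the hash) from .env.
	fc, _ := NewFieldCipher([]byte("0123456789abcdef0123456789abcdef"), []byte("demo-hash-key"))
	enc, _ := fc.Encrypt("alice@example.com")
	rows := []userRow{{ID: 1, EmailEnc: enc, EmailHash: fc.Hash("alice@example.com")}}
	fmt.Println(FindByEmail(fc, rows, " Alice@Example.COM ")) // 1 alice@example.com true
}
```

In the real schema the `EmailHash` comparison is a `WHERE email_hash = $1` against an indexed column, which is what makes search possible without ever decrypting the table; the trade-off is that equal values produce equal hashes, so the hash column leaks which rows share an email even though the ciphertext column does not.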
## Project Structure

```text
lapor_warga_be/
├── cmd/
│   └── server/          # Application entry point
├── internal/
│   ├── controllers/     # HTTP handlers
│   ├── database/
│   │   ├── generated/   # SQLC generated code
│   │   ├── migrations/  # Database migrations
│   │   └── queries/     # SQL queries for SQLC
│   ├── modules/         # Business logic
│   │   ├── areas/       # Area management
│   │   ├── auditlogs/   # Audit logging
│   │   ├── auth/        # Authentication
│   │   ├── user_roles/  # Role management
│   │   └── users/       # User management
│   └── routes/          # Route definitions & middleware
├── pkg/                 # Shared utilities
└── scripts/             # Helper scripts
```
## Prerequisites

- Go: 1.24.0 or higher
- PostgreSQL: 14+ with PostGIS extension
- golang-migrate: For database migrations
- sqlc: For generating type-safe Go code from SQL
- Air (optional): For hot reload during development
## Getting Started

1. Clone the repository

   ```bash
   git clone https://github.com/yourusername/lapor_warga_be.git
   cd lapor_warga_be
   ```

2. Install dependencies

   ```bash
   go mod download
   ```

3. Set up environment variables

   Create a `.env` file in the root directory:

   ```env
   # Server Configuration
   PORT=8181
   APP_DOMAIN=localhost
   ENV_PROD=false
   CLIENT_DOMAIN=http://localhost:3000

   # Database
   DATABASE_URL=postgresql://user:password@localhost:5432/lapor_warga?sslmode=disable

   # Security Keys (generate secure random strings)
   ENC_KEY=your-32-byte-encryption-key-here
   COOKIE_ENC_KEY=your-cookie-encryption-key

   # JWT Configuration
   JWT_EXPIRY=15 # minutes
   JWT_REFRESH_EXPIRY=4320 # minutes (3 days)

   # Mobile API
   MOBILE_KEY=your-mobile-api-key

   # Logging (Axiom)
   AXIOM_TOKEN=your-axiom-token
   AXIOM_DATASET=your-dataset-name
   ```

4. Run database migrations

   ```bash
   chmod +x scripts/migrate.sh
   ./scripts/migrate.sh up
   ```

5. Generate SQLC code (if you modify SQL queries)

   ```bash
   sqlc generate
   ```

6. Run the application

   Development (with hot reload):

   ```bash
   air
   ```

   Production:

   ```bash
   go run cmd/server/main.go
   ```

The server will start on http://localhost:8181 (or your configured `PORT`).
## API Endpoints

### Authentication

- `POST /api/v1/auth/login` - User login (web)
- `POST /api/v1/auth/refresh` - Refresh access token
- `GET /api/v1/auth/session` - Get current session info

### Users

- `GET /api/v1/users/me` - Get current user profile
- `PATCH /api/v1/users/me` - Update current user profile
- `GET /api/v1/users/list` - List all users (Admin only)
- `POST /api/v1/users/create` - Create new user (Admin only)
- `GET /api/v1/users/search` - Search users (Admin only)
- `GET /api/v1/users/:id` - Get user by ID (Admin only)
- `PATCH /api/v1/users/:id` - Update user (Admin only)
- `DELETE /api/v1/users/:id` - Soft delete user (Admin only)
- `POST /api/v1/users/restore/:id` - Restore deleted user (Admin only)

### Roles

- `GET /api/v1/roles/list` - List all roles (Admin only)
- `POST /api/v1/roles/create` - Create new role (Admin only)
- `POST /api/v1/roles/assign/:id` - Assign role to user (Admin only)
- `GET /api/v1/roles/id/:id` - Get role by ID (Admin only)
- `GET /api/v1/roles/name/:name` - Get role by name (Admin only)
- `PUT /api/v1/roles/:id` - Update role (Admin only)
- `DELETE /api/v1/roles/:id` - Delete role (Admin only)

### Areas

- `POST /api/v1/areas/create` - Create new area (Admin only)
- `GET /api/v1/areas/list` - List all areas with pagination
- `GET /api/v1/areas/boundary/:id` - Get area boundary geometry
- `PATCH /api/v1/areas/toggle-status/:id` - Toggle area active status (Admin only)

### Audit Logs

- `GET /api/v1/logs/list` - List audit logs (Admin only)

### Mobile

- `POST /api/v1/m/auth/login` - Mobile login
- `POST /api/v1/m/auth/refresh` - Mobile token refresh

### Health

- `GET /health` - Server health and monitoring dashboard
## Database Migrations

Create a new migration:

```bash
migrate create -ext sql -dir internal/database/migrations -seq migration_name
```

Apply migrations:

```bash
./scripts/migrate.sh up
```

Rollback last migration:

```bash
./scripts/migrate.sh down
```

Go to a specific version:

```bash
./scripts/migrate.sh goto <version>
```

Force version (use with caution):

```bash
./scripts/migrate.sh force <version>
```

## SQLC Code Generation

After modifying SQL queries in `internal/database/queries/`, regenerate Go code:

```bash
sqlc generate
```

## Architecture

- Controllers: Handle HTTP requests and responses
- Services: Contain business logic
- Repositories: Database access layer
- Middleware: JWT authentication, role-based access, rate limiting
- Migrations: Database schema versioning
- Queries: Type-safe SQL queries with SQLC
## Security

### Data Encryption

- Sensitive fields (email, phone, fullname) are encrypted using AES-GCM
- Hash fields enable searching without decryption using SHA-256
- Passwords are hashed with bcrypt (cost factor: 12)

### Authentication

- JWT tokens with configurable expiration
- Refresh tokens for extended sessions
- Cookie-based authentication for web clients
- Bearer token authentication for mobile clients

### Rate Limiting

- 60 requests per minute per IP address
- Sliding window algorithm
- Configurable per-route limits
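The sliding-window limiter described above, as an added example written for this README rather than the project's own middleware: `SlidingWindowLimiter`, `Allow`, `Sweep`, `ClientKey` and the sample addresses are assumptions, and only the standard library is used so it runs without Fiber. It keeps the timestamps of recent requests per key instead of a counter that resets on a fixed minute boundary, returns the `Retry-After` value when it denies, and shows the two details a practitioner checks in a limiter: that idle keys are swept so memory stays bounded, and that `X-Forwarded-For` is trusted only behind a known proxy, since otherwise a client picks its own bucket.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// SlidingWindowLimiter allows at most limit requests per key in any span of
// length window. It keeps the timestamps of recent requests, so a burst at
// the end of one minute cannot be followed by a full second burst a moment
// later, as happens with counters that reset on a fixed boundary.
// Hypothetical example for this README; not the project's middleware.
type SlidingWindowLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time // injectable clock, so tests need no sleeping
	hits   map[string][]time.Time
}

func NewSlidingWindowLimiter(limit int, window time.Duration) *SlidingWindowLimiter {
	return &SlidingWindowLimiter{limit: limit, window: window, now: time.Now, hits: map[string][]time.Time{}}
}

// Allow records a request for key and reports whether it is within the
// limit. When denied, the second value is the time until the oldest counted
// request ages out, which is what a Retry-After header should carry.
func (l *SlidingWindowLimiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	kept := l.hits[key][:0] // filter in place; timestamps were appended in order
	for _, t := range l.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.hits[key] = kept
		return false, kept[0].Add(l.window).Sub(now)
	}
	l.hits[key] = append(kept, now)
	return true, 0
}

// Sweep deletes keys whose every request has aged out, so idle clients do
// not hold memory forever. Run it periodically; it returns the keys removed.
func (l *SlidingWindowLimiter) Sweep() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := l.now().Add(-l.window)
	removed := 0
	for key, ts := range l.hits {
		if len(ts) == 0 || !ts[len(ts)-1].After(cutoff) {
			delete(l.hits, key)
			removed++
		}
	}
	return removed
}

// ClientKey chooses the address to count. X-Forwarded-For is honoured only
// behind a proxy the deployment trusts; otherwise a client could choose its
// own bucket by setting the header itself.
func ClientKey(remoteAddr, forwardedFor string, trustProxy bool) string {
	if trustProxy && forwardedFor != "" {
		first := strings.TrimSpace(strings.Split(forwardedFor, ",")[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip.String()
		}
	}
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return host
	}
	return remoteAddr
}

func main() {
	l := NewSlidingWindowLimiter(60, time.Minute) // the README's 60 requests per minute per IP
	key := ClientKey("203.0.113.7:51234", "", false) // constructed client address
	for i := 1; i <= 61; i++ {
		if ok, wait := l.Allow(key); !ok {
			fmt.Printf("request %d denied; retry after %s\n", i, wait.Round(time.Second))
		}
	}
}
```

Per-route limits fall out naturally: construct one limiter per route group (for example a tighter one for `/auth/login` than for `/areas/list`) and call `Allow` from that route's middleware. Denials are worth logging with the key and the route, since a single IP hitting the login limit repeatedly is the signal the failed-login tracking described above should also see.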
## Timezone

The application uses the Asia/Jakarta (WIB) timezone for all timestamps and logging.
## Monitoring

- Health endpoint: `/health` provides server metrics
- Structured logging: JSON logs with Zerolog
- Centralized logging: Axiom integration for log aggregation
- Request logging: Automatic logging of all HTTP requests
## Dependencies

- Fiber v2: Fast HTTP framework
- pgx/v5: PostgreSQL driver
- SQLC: Type-safe SQL code generation
- Viper: Configuration management
- JWT: JSON Web Token implementation
- bcrypt: Password hashing
- AES-GCM: Data encryption
- validator/v10: Input validation
- PostGIS: PostgreSQL spatial extension
- paulmach/orb: Geometry handling in Go
- Zerolog: Structured logging
- Axiom: Log aggregation and analytics
## Contributing

This project is currently under heavy development. Contribution guidelines will be added soon.
For issues and questions, please open an issue on GitHub.
Note: This is a backend API service. It requires a frontend application and/or mobile app to provide a complete user experience.
