# Deployment Guide — Restaurant Digital Platform

This guide covers everything needed to deploy the platform in a production environment.

---

## Prerequisites

| Requirement | Version | Notes |
|---|---|---|
| Node.js | 20.x LTS | [nodejs.org](https://nodejs.org) |
| MySQL | 8.x | Via XAMPP or standalone |
| npm | 10.x | Bundled with Node.js 20 |

### MySQL options

**Option A — XAMPP (recommended for shared hosting / local production)**

1. Download and install [XAMPP](https://www.apachefriends.org/).
2. Start the **MySQL** module from the XAMPP Control Panel.
3. MySQL will be available on `localhost:3306` with user `root` and no password by default.
4. For production, create a dedicated database user (see Database Setup below).

**Option B — Standalone MySQL 8**

1. Install MySQL 8 from [mysql.com](https://dev.mysql.com/downloads/mysql/).
2. Secure the installation: `mysql_secure_installation`.
3. Note the root password you set during installation.

---

## Database Setup

### 1. Create the database and a dedicated user

Connect to MySQL as root:

```bash
mysql -u root -p
```

Run the following SQL:

```sql
CREATE DATABASE restaurant_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'restaurant_user'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_HERE';
GRANT ALL PRIVILEGES ON restaurant_db.* TO 'restaurant_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```

Replace `STRONG_PASSWORD_HERE` with a secure password and record it — you will need it in the backend `.env`.

### 2. Run migrations

From the `backend/` directory:

```bash
npx sequelize-cli db:migrate
```

This creates all required tables (`categories`, `menu_items`, `orders`, `order_items`, `admins`).

### 3. Run seeders

```bash
npx sequelize-cli db:seed:all
```

This inserts the default admin account, starter categories, and sample menu items.

> **Note:** Change the default admin password immediately after first login.

---

## Backend Setup

### 1. Install dependencies

```bash
cd backend
npm install --omit=dev
```

### 2. Configure environment variables

```bash
cp .env.production.example .env
```

Open `.env` and fill in every value:

| Variable | Description |
|---|---|
| `PORT` | Port the API server listens on (default `4000`) |
| `NODE_ENV` | Must be `production` |
| `DB_HOST` | MySQL host (usually `localhost`) |
| `DB_PORT` | MySQL port (default `3306`) |
| `DB_NAME` | Database name created above |
| `DB_USER` | Database user created above |
| `DB_PASSWORD` | Database user password |
| `JWT_SECRET` | Random 64-character hex string (see below) |
| `JWT_EXPIRES_IN` | Token lifetime, e.g. `8h` |
| `BCRYPT_COST` | bcrypt cost factor — minimum `12` for production |
| `CORS_ORIGIN` | Your production frontend URL (must use HTTPS) |

**Generating a secure JWT secret:**

```bash
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
```

Copy the output into `JWT_SECRET`.

### 3. Start the server

```bash
node server.js
```

For process management in production, use a process manager such as [PM2](https://pm2.keymetrics.io/):

```bash
npm install -g pm2
pm2 start server.js --name restaurant-api
pm2 save
pm2 startup
```

---

## Frontend Setup

### 1. Install dependencies

```bash
cd frontend
npm install --omit=dev
```

### 2. Configure environment variables

```bash
cp .env.production.example .env.production.local
```

Open `.env.production.local` and fill in every value:

| Variable | Description |
|---|---|
| `NEXT_PUBLIC_API_URL` | Full HTTPS URL of the backend API, e.g. `https://api.yourdomain.com/api/v1` |
| `NEXT_PUBLIC_WA_NUMBER` | WhatsApp business number — digits only, no `+`, spaces, or dashes |

### 3. Build the application

```bash
npm run build
```

### 4. Start the production server

```bash
npm start
```

The frontend will be available on port `3000` by default. Use a reverse proxy (see HTTPS section below) to serve it on port `443`.

---

## HTTPS Requirement (Requirement 11.5)

**The platform must be served over HTTPS in production.** This is a hard requirement — browsers block mixed content, and the JWT tokens used for admin authentication must be transmitted over an encrypted connection.

### Setting up HTTPS with a reverse proxy

The recommended approach is to place a reverse proxy (Nginx or Apache) in front of both the frontend and backend, and terminate TLS at the proxy.

**Example Nginx configuration:**

```nginx
# Frontend
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# Backend API
server {
    listen 443 ssl;
    server_name api.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/api.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com api.yourdomain.com;
    return 301 https://$host$request_uri;
}
```

**Obtaining a free TLS certificate with Let's Encrypt:**

```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d api.yourdomain.com
```

Certbot will automatically renew certificates before they expire.

---

## Environment Variables Reference

### Backend (`backend/.env`)

| Variable | Required | Example | Description |
|---|---|---|---|
| `PORT` | Yes | `4000` | API server port |
| `NODE_ENV` | Yes | `production` | Runtime environment |
| `DB_HOST` | Yes | `localhost` | MySQL host |
| `DB_PORT` | Yes | `3306` | MySQL port |
| `DB_NAME` | Yes | `restaurant_db` | Database name |
| `DB_USER` | Yes | `restaurant_user` | Database user |
| `DB_PASSWORD` | Yes | *(secret)* | Database password |
| `JWT_SECRET` | Yes | *(64-char hex)* | JWT signing secret — keep this secret |
| `JWT_EXPIRES_IN` | Yes | `8h` | JWT token lifetime |
| `BCRYPT_COST` | Yes | `12` | bcrypt hashing cost factor |
| `CORS_ORIGIN` | Yes | `https://yourdomain.com` | Allowed frontend origin |

### Frontend (`frontend/.env.production.local`)

| Variable | Required | Example | Description |
|---|---|---|---|
| `NEXT_PUBLIC_API_URL` | Yes | `https://api.yourdomain.com/api/v1` | Backend API base URL |
| `NEXT_PUBLIC_WA_NUMBER` | Yes | `27821234567` | WhatsApp business number (digits only) |

---

## Security Checklist

Before going live, verify the following:

- [ ] `NODE_ENV` is set to `production` in the backend `.env`
- [ ] `JWT_SECRET` is a randomly generated 64-character hex string (not the placeholder)
- [ ] Database password is strong and not the default
- [ ] HTTPS is configured and HTTP redirects to HTTPS
- [ ] `CORS_ORIGIN` is set to your exact production frontend domain
- [ ] Default admin password has been changed after first login
- [ ] `.env` files are listed in `.gitignore` and not committed to version control