10 KiB
10 KiB
Arquitetura Completa - Aggios
🏗️ Diagrama de Arquitetura
┌─────────────────────────────────────────────────────────────────┐
│ INTERNET / CLIENTES │
│ (Web Browsers, Mobile Apps, Third-party Integrations) │
└────────────────────────┬────────────────────────────────────────┘
│
▼
┌────────────────────────────────────┐
│ TRAEFIK (Reverse Proxy) │
│ - Load Balancing │
│ - SSL/TLS (Let's Encrypt) │
│ - Domain Routing │
│ - Rate Limiting │
└────────────────────────────────────┘
│
┌───────────────┼───────────────┐
│ │ │
▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐
│Frontend│ │Frontend│ │Backend │
│Inst. │ │Dash │ │API (Go)│
│(Next) │ │(Next) │ │ │
└────────┘ └────────┘ └────────┘
│
┌─────────────────────────┼─────────────────────────┐
│ │ │
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ PostgreSQL │ │ Redis │ │ MinIO │
│ (Banco) │ │ (Cache) │ │ (Storage) │
│ │ │ │ │ │
│ - Users │ │ - Sessions │ │ - Documentos │
│ - Tenants │ │ - Cache │ │ - Images │
│ - Data │ │ - Rate Limit │ │ - Backups │
└──────────────┘ └──────────────┘ └──────────────┘
🔄 Fluxo de Requisições
1. Acesso Web (Navegador)
Navegador (usuario.aggios.app)
↓
Traefik (DNS: usuario.aggios.app)
↓
Frontend Next.js
↓ (fetch /api/*)
Traefik
↓
Backend API Go
↓
PostgreSQL/Redis/MinIO
2. Acesso Multi-Tenant
Cliente de Agência A (acme.aggios.app)
↓
Traefik (wildcard *.aggios.app)
↓
Backend API (extrai tenant_id do JWT)
↓
Query com filtro: WHERE tenant_id = 'acme'
↓
PostgreSQL (isolamento garantido)
3. Fluxo de Autenticação
1. POST /api/auth/login
→ Validar email/password
→ Gerar JWT com tenant_id
→ Salvar refresh_token em Redis
2. Requisição autenticada
→ Bearer {JWT}
→ Middleware valida JWT
→ Extrai user_id, email, tenant_id
→ Passa ao handler
3. Acesso a recurso
→ Backend filtra: SELECT * FROM users WHERE tenant_id = ? AND ...
→ Garante isolamento de dados
📊 Estrutura de Dados (PostgreSQL)
-- Tenants (Multi-tenant)
tenants
├── id (UUID)
├── name
├── domain
├── subdomain
├── is_active
├── created_at
└── updated_at
-- Usuários (isolados por tenant)
users
├── id (UUID)
├── email (UNIQUE)
├── password_hash
├── first_name
├── last_name
├── tenant_id (FK → tenants)
├── is_active
├── created_at
└── updated_at
-- Refresh Tokens (sessões)
refresh_tokens
├── id (UUID)
├── user_id (FK → users)
├── token_hash
├── expires_at
└── created_at
-- Índices para performance
├── users.email
├── users.tenant_id
├── tenants.domain
├── tenants.subdomain
└── refresh_tokens.expires_at
🔐 Modelo de Segurança
JWT Token Structure
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"user_id": "123e4567-e89b-12d3-a456-426614174000",
"email": "user@example.com",
"tenant_id": "acme",
"exp": 1733462400,
"iat": 1733376000,
"jti": "unique-token-id"
}
Signature:
HMACSHA256(base64(header) + "." + base64(payload), JWT_SECRET)
Camadas de Segurança
1. TRANSPORT (Traefik)
├── HTTPS/TLS (Let's Encrypt)
├── HSTS Headers
└── Rate Limiting
2. APPLICATION (Backend)
├── JWT Validation
├── CORS Checking
├── Input Validation
├── Password Hashing (Argon2)
└── SQL Injection Prevention
3. DATABASE (PostgreSQL)
├── Prepared Statements
├── Row-level Security (RLS)
├── Encrypted Passwords
└── Audit Logging
4. DATA (Storage)
├── Tenant Isolation
├── Access Control
├── Encryption at rest (MinIO)
└── Versioning
🌍 Multi-Tenant Architecture
Routing Pattern
Domain Pattern: {subdomain}.aggios.app
Examples:
- api.aggios.app → General API
- acme.aggios.app → Tenant ACME
- empresa1.aggios.app → Tenant Empresa1
- usuario2.aggios.app → Tenant Usuario2
Traefik Rule:
HostRegexp(`{subdomain:[a-z0-9-]+}\.aggios\.app`)
Data Isolation
Level 1: Network
├── Traefik routes by subdomain
└── Passes to single backend instance
Level 2: Application
├── JWT contains tenant_id
├── Every query filtered by tenant_id
└── Cross-tenant access impossible
Level 3: Database
├── Indexes on (tenant_id, field)
├── Foreign key constraints
└── Audit trail per tenant
Level 4: Storage
├── MinIO bucket: aggios/{tenant_id}/*
├── Separate namespaces
└── Access control per tenant
📦 Docker Stack (Compose)
Services:
├── Traefik (1 instance)
│ ├── Port: 80, 443
│ ├── Dashboard: :8080
│ └── Provider: Docker
│
├── Backend (1+ instances)
│ ├── Port: 8080
│ ├── Replicas: configurable
│ └── Load balanced by Traefik
│
├── PostgreSQL (1 primary + optional replicas)
│ ├── Port: 5432
│ ├── Persistence: volume
│ └── Health check: enabled
│
├── Redis (1 instance)
│ ├── Port: 6379
│ ├── Persistence: optional (RDB/AOF)
│ └── Password: required
│
├── MinIO (1+ instances)
│ ├── API: 9000
│ ├── Console: 9001
│ ├── Replicas: configurable
│ └── Persistence: volume
│
├── Frontend Institucional (Next.js)
│ └── Port: 3000
│
└── Frontend Dashboard (Next.js)
└── Port: 3000
🔄 Scaling Strategy
Horizontal Scaling
Fase 1 (Development)
├── 1x Backend
├── 1x PostgreSQL
├── 1x Redis
└── 1x MinIO
Fase 2 (Small Production)
├── 2x Backend (load balanced)
├── 1x PostgreSQL + 1x Read Replica
├── 1x Redis (ou Redis Cluster)
└── 1x MinIO (ou MinIO Cluster)
Fase 3 (Large Production)
├── 3-5x Backend
├── 1x PostgreSQL (primary) + 2x Replicas
├── Redis Cluster (3+ nodes)
├── MinIO Cluster (4+ nodes)
└── Kubernetes (optional)
📱 API Clients
Web (JavaScript/TypeScript)
// fetch com JWT
const response = await fetch('/api/users/me', {
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
}
});
Mobile (React Native / Flutter)
// Não diferente de web
// Salvar tokens em AsyncStorage/SecureStorage
// Usar interceptors para auto-refresh
Third-party Integration
# Via API Key ou OAuth2
curl -X GET https://api.aggios.app/api/data \
-H "Authorization: Bearer {api_key}" \
-H "X-API-Version: v1"
🚀 Pipeline de Deploy
1. Git Push
↓
2. CI/CD (GitHub Actions / GitLab CI)
├── Build Backend
├── Run Tests
├── Build Docker Image
└── Push to Registry
↓
3. Deploy (Docker Compose / Kubernetes)
├── Pull Image
├── Run Migrations
├── Health Check
└── Traffic Switch
↓
4. Monitoring
├── Logs (ELK / Datadog)
├── Metrics (Prometheus)
├── Errors (Sentry)
└── Alerts
📈 Monitoring & Observability
Logs
├── Traefik Access Logs
├── Backend Application Logs
├── PostgreSQL Slow Queries
└── MinIO Request Logs
↓
ELK / Datadog / CloudWatch
Metrics
├── Request Rate / Latency
├── DB Connection Pool
├── Redis Memory / Ops
├── MinIO Throughput
└── Docker Container Stats
↓
Prometheus / Grafana
Tracing (Distributed)
├── Request ID propagation
├── Service-to-service calls
└── Database queries
↓
Jaeger / OpenTelemetry
Errors
├── Panics
├── Validation Errors
├── DB Errors
└── 5xx Responses
↓
Sentry / Rollbar
🔧 Manutenção
Backups
PostgreSQL
├── Full backup (diário)
├── Incremental (a cada 6h)
└── WAL archiving
MinIO
├── Bucket replication
├── Cross-region backup
└── Versioning enabled
Redis
├── RDB snapshots (diário)
└── AOF opcional
Updates
1. Traefik
└── In-place upgrade (zero-downtime)
2. Backend
├── Blue-green deployment
├── Canary releases
└── Automatic rollback
3. PostgreSQL
├── Replica first
├── Failover test
└── Maintenance window
4. Redis
└── Cluster rebalance (zero-downtime)
5. MinIO
└── Rolling update
Diagrama criado: Dezembro 2025 Versão: 1.0.0