Server Overview
The Enclavr backend is a Go server providing REST API, WebSocket, and WebRTC signaling.
Project Structure
server/
├── cmd/
│   └── server/        # Main entry point
├── internal/
│   ├── handlers/      # HTTP handlers
│   ├── services/      # Business logic
│   ├── models/        # Database models
│   ├── database/      # Database connections
│   ├── websocket/     # WebSocket hub
│   ├── voice/         # WebRTC signaling
│   ├── auth/          # Authentication
│   ├── config/        # Configuration
│   ├── middleware/    # HTTP middleware
│   ├── metrics/       # Prometheus metrics
│   └── grpc/          # gRPC support
└── pkg/
    └── logger/        # Logging utilities
Key Features
- REST API with 220+ endpoints
- WebSocket for real-time messaging (80+ message types)
- WebRTC signaling server
- JWT authentication with token family rotation detection
- OAuth (Google, GitHub, Discord)
- OIDC support
- WebAuthn/FIDO2 passkey authentication
- 2FA with recovery codes (10 single-use codes)
- Password history (last 5) and expiry (90-day rotation)
- gRPC health check service
- API versioning middleware (v1.0, v1.1, v2.0)
- Circuit breaker pattern for external service resilience
- PostgreSQL with GORM (121 auto-migrated models, 91+ indexes)
- Redis pub/sub for horizontal WebSocket scaling
- Distributed rate limiting (sliding window, Redis-backed)
- Webhook delivery with HMAC-SHA256 signing and retry
- Email service with 7 templates
- Cache service (in-memory/Redis with TTL)
- 27 structured error codes
- Prometheus metrics
Running the Server
cd server
go run ./cmd/server
The server runs on http://localhost:8080
Server Startup
Graceful Shutdown
The server handles SIGINT and SIGTERM signals for graceful shutdown with connection draining. Active connections are allowed to complete before the server exits.
Admin Bootstrapping
On first startup, the server can create an admin account. This is controlled by:
| Variable | Description | Default |
|---|---|---|
| FIRST_USER_IS_ADMIN | First registered user becomes admin | true |
| ADMIN_USERNAME | Configured admin username | admin |
| ADMIN_PASSWORD | Configured admin password | - |
| ADMIN_EMAIL | Configured admin email | admin@enclavr.local |
WebSocket Hub Initialization
The WebSocket hub is initialized at startup. It supports both in-memory and Redis-backed operation for horizontal scaling.
Login Attempt Tracker
The login attempt tracker is initialized with 5 max attempts and a 15-minute lockout window per account.
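One way to implement the per-account lockout described above, as an added example rather than Enclavr's own code. The `Tracker` type and its methods are hypothetical; it assumes the fifth consecutive failure locks the account for 15 minutes and that a successful login resets the count.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Tracker is a hypothetical per-account lockout tracker, not Enclavr's own type.
type Tracker struct {
	mu       sync.Mutex
	limit    int                  // failures allowed before lockout (5 on this page)
	lockout  time.Duration        // how long a lock lasts (15 minutes on this page)
	failures map[string]int       // consecutive failures per account
	until    map[string]time.Time // lock expiry per account
}
func NewTracker(limit int, lockout time.Duration) *Tracker {
	return &Tracker{limit: limit, lockout: lockout, failures: map[string]int{}, until: map[string]time.Time{}}
}

// Locked reports whether logins for account must be refused at time now.
func (t *Tracker) Locked(account string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return now.Before(t.until[account])
}

// Fail records a failed login and reports whether the account is now locked.
func (t *Tracker) Fail(account string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.failures[account]++
	if t.failures[account] >= t.limit {
		delete(t.failures, account) // counting restarts once the lock expires
		t.until[account] = now.Add(t.lockout)
	}
	return now.Before(t.until[account])
}

// Succeed clears the failure count after a successful login.
func (t *Tracker) Succeed(account string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.failures, account)
}

func main() {
	t, now := NewTracker(5, 15*time.Minute), time.Now()
	fmt.Println(t.Fail("alice", now), t.Locked("alice", now))
}
```

A login handler would call `Locked` before verifying the password, so attempts made during a lockout are refused without being counted.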
Debug and Metrics Endpoints
| Endpoint | Description |
|---|---|
| /debug/pprof/ | pprof debug endpoints (heap, goroutine, block, mutex) |
| /metrics | Prometheus metrics endpoint |