A production-grade FastAPI backend for comprehensive productivity tracking with enterprise-level authentication, authorization, and RBAC (Role-Based Access Control).
The Productivity Tracker is designed to evolve from a foundational RBAC system into a full-featured, AI-powered productivity platform. Our roadmap follows a logical progression:
Phase 1 (v1.0-1.6): Security, validation, and core productivity tracking Phase 2 (v2.0-2.3): Enterprise features, performance, and observability Phase 3 (v3.0+): AI integration, accessibility, and platform extensibility
Each version builds upon the previous with no breaking changes within major versions, ensuring stability while continuously improving quality, security, scalability, and user experience.
📖 See our complete vision: Version Roadmap
🎯 Version: 1.0.0-beta - Foundation Release
Release Name: Foundation - First Beta Release Date: January 2025 API Version: v1
✅ Implemented Features:
- ✅ JWT-based authentication with Argon2 password hashing
- ✅ Complete RBAC system (users, roles, permissions)
- ✅ Organization, department, and team management
- ✅ Comprehensive API documentation (OpenAPI/Swagger)
- ✅ Production-grade error handling and logging
- ✅ Database migrations with Alembic
- ✅ Health check endpoints
- ✅ API versioning infrastructure
🔜 Next Release: v1.1.0 - Security & Validation Enhancement (Q1 2026)
- Rate limiting and account lockout
- Enhanced password policies
- Audit logging system
- Increased test coverage (85%+)
Current coverage:
-
Authentication & Authorization
- JWT-based authentication with access and refresh tokens
- Cookie-based session management
- Password hashing with Argon2
- Role-Based Access Control (RBAC)
- Permission management system
-
Organization Management
- Multi-organization support
- Department hierarchy management
- Team creation and member management
- User assignment to organizations/departments/teams
-
API Features
- RESTful API design with versioning support
- Automatic OpenAPI/Swagger documentation
- Request/response validation with Pydantic
- User-friendly error handling with proper context
- Request logging with user tracking
- Consistent error response format
-
Database
- PostgreSQL with SQLAlchemy ORM
- Alembic migrations
- Soft delete support
- Repository pattern for data access
-
Security
- Security headers middleware
- CORS configuration
- Input validation
- SQL injection protection
- Secret detection in pre-commit hooks
-
Code Quality
- Pre-commit hooks with multiple checks
- Black code formatting
- Ruff linting
- mypy type checking
- Bandit security scanning
- Comprehensive test coverage
Our product evolution follows a strategic, logical progression from core functionality to enterprise-grade features and beyond. Each version is carefully designed to build upon the previous while maintaining backward compatibility within major versions.
📖 Complete Roadmap: See docs/VERSION_ROADMAP.md for detailed version planning
v1.0.0-beta (Current) - Foundation ✅
- Core RBAC, authentication, organization management
v1.1.0 (Q1 2026) - Security & Validation Enhancement
- Rate limiting, audit logging, enhanced security
v1.2.0 (Q2 2026) - Productivity Tracking Core
- Time tracking, task management, projects
v1.3.0 (Q3 2026) - Analytics & Reporting
- Dashboards, reports, performance metrics
v1.4.0 (Q4 2026) - Collaboration & Communication
- Comments, notifications, file attachments
v1.5.0 (Q1 2027) - Performance & Scalability
- Caching, bulk operations, database optimization
v1.6.0 (Q2 2027) - Integration & Extensibility
- Webhooks, third-party integrations, plugin framework
v2.0.0 (Q3 2027) - Enterprise Features
- Multi-region, SSO/SAML, GDPR compliance, enhanced security
v2.1.0 (Q4 2027) - AI & Machine Learning
- AI-powered productivity insights, automation, predictions
v2.2.0 (Q1 2028) - Accessibility & Internationalization
- Multi-language, WCAG compliance, global reach
v2.3.0 (Q2 2028) - Advanced Quality & Observability
- Distributed tracing, 95%+ test coverage, SRE practices
v3.0.0 (Future) - Platform Evolution
- Low-code workflows, marketplace, next-gen features
We prioritize production-grade quality across all dimensions:
- 🔐 Security: Continuous security improvements, regular audits, OWASP compliance
- 📊 Quality: Increasing test coverage (80% → 95%), automated quality checks
- ⚡ Performance: Optimized response times, caching, scalability features
- 🌍 Accessibility: WCAG compliance, internationalization, inclusive design
- 🤝 Collaboration: Team features, real-time updates, communication tools
- 🔍 Observability: Logging, monitoring, tracing, alerting
- 📈 Scalability: Multi-region support, performance optimization, load handling
Quality Gates: Each release must pass strict criteria for code quality, security, performance, and documentation before deployment.
Versioning Strategy: We follow Semantic Versioning 2.0.0 - see docs/VERSIONING_STRATEGY.md
- Python 3.12+
- PostgreSQL 14+
- Poetry (Python package manager)
git clone <repository-url>
cd productivity-tracker-backendmake setupOr manually:
poetry install
poetry run pre-commit installcp .env.example .envEdit .env and update the values:
DATABASE_URL=postgresql://user:password@localhost:5432/productivity_tracker
SECRET_KEY=your-secret-key-here
DEBUG=Truemake upgradeOr:
poetry run alembic upgrade headpoetry run prd_tracker create-super-userpoetry run python productivity_tracker/scripts/seed_rbac.pyThis creates default roles (admin, user, viewer) and permissions.
make runOr:
poetry run uvicorn productivity_tracker.main:app --reload --host 0.0.0.0 --port 3456The API will be available at:
- API: http://localhost:8500
- Swagger UI: http://localhost:8500/docs
- ReDoc: http://localhost:8500/redoc
The API uses semantic versioning with the following structure:
- Current Version: v1.0 (Production Ready)
- API Base Path:
/api/v1.1/or/api/v1/(major version alias) - Feature Flags: Controlled via version-specific feature toggles
Version Status:
- ✅ v1.0 - Active (Core RBAC, Organizations, Teams, Departments)
- 🚧 v1.1 - In Development (Audit Logging, Bulk Operations, Search)
- 📋 v1.2 - Planned (Advanced Permissions, Notifications)
- 🔮 v2.0 - Future (Projects, Tasks, Time Tracking)
# Run tests
make test
# Run tests with coverage report
make test-covComprehensive guides are available in the docs/ folder:
- Error Handling Guide - Learn about the error handling system, custom exceptions, and user-friendly error messages
- RBAC Guide - Complete guide to Role-Based Access Control, permissions, and security best practices
All errors return consistent, user-friendly messages without exposing technical details:
{
"error": "INVALID_CREDENTIALS",
"message": "Invalid email or password. Please check your credentials and try again."
}See the Error Handling Guide for complete documentation.
Fine-grained access control through a Users → Roles → Permissions model:
- Users can have multiple roles
- Roles contain multiple permissions
- Permissions follow the format
resource:action(e.g.,users:delete)
See the RBAC Guide for complete documentation.
make help # Show all available commands
make dev-install # Install all dependencies including dev tools
make format # Format code with Black and isort
make lint # Run linters (Ruff, mypy, bandit)
make test # Run tests
make test-cov # Run tests with coverage
make run # Run development server
make migrate # Create a new migration
make upgrade # Apply migrations
make downgrade # Rollback last migration
make clean # Clean cache files
make pre-commit # Run pre-commit hooks on all files
make check # Run lint + testThis project uses:
- Black for code formatting
- isort for import sorting
- Ruff for linting
- mypy for type checking
Format your code before committing:
make formatPre-commit hooks automatically run on git commit to:
- Format code with Black
- Sort imports with isort
- Lint with Ruff
- Check types with mypy
- Scan for security issues with Bandit
- Detect secrets
- Check YAML/JSON syntax
- Remove trailing whitespace
Run hooks manually:
make pre-commitmake migrate
# Or with message:
poetry run alembic revision --autogenerate -m "your migration message"make upgrademake downgradePOST /auth/register- Register a new userPOST /auth/login- Login and receive access tokenPOST /auth/logout- Logout and clear tokenPOST /auth/refresh- Refresh access tokenGET /auth/me- Get current user infoPUT /auth/me- Update current userPUT /auth/me/password- Change password
GET /auth/users- List all usersGET /auth/users/{user_id}- Get user by IDPUT /auth/users/{user_id}- Update userDELETE /auth/users/{user_id}- Delete userPOST /auth/users/{user_id}/activate- Activate userPOST /auth/users/{user_id}/deactivate- Deactivate userPOST /auth/users/{user_id}/roles- Assign roles to user
POST /organizations- Create organizationGET /organizations- List all organizationsGET /organizations/{org_id}- Get organization by IDGET /organizations/current- Get current user's organizationPUT /organizations/{org_id}- Update organizationDELETE /organizations/{org_id}- Delete organizationPOST /organizations/{org_id}/members/{user_id}- Add member to organizationDELETE /organizations/{org_id}/members/{user_id}- Remove member from organizationGET /organizations/{org_id}/members- Get organization members
POST /departments- Create departmentGET /departments- List all departmentsGET /departments/{dept_id}- Get department by IDGET /departments/organization/{org_id}- Get departments by organizationPUT /departments/{dept_id}- Update departmentDELETE /departments/{dept_id}- Delete department
POST /teams- Create teamGET /teams- List all teamsGET /teams/{team_id}- Get team by IDGET /teams/department/{dept_id}- Get teams by departmentPUT /teams/{team_id}- Update teamDELETE /teams/{team_id}- Delete teamPOST /teams/{team_id}/members- Add member to teamDELETE /teams/{team_id}/members- Remove member from teamGET /teams/{team_id}/members- Get team members
POST /roles/- Create roleGET /roles/- List all rolesGET /roles/{role_id}- Get role by IDGET /roles/name/{role_name}- Get role by namePUT /roles/{role_id}- Update roleDELETE /roles/{role_id}- Delete rolePOST /roles/{role_id}/permissions- Assign permissions to roleDELETE /roles/{role_id}/permissions/{permission_id}- Remove permission from role
POST /permissions/- Create permissionGET /permissions/- List all permissionsGET /permissions/{permission_id}- Get permission by IDPUT /permissions/{permission_id}- Update permissionDELETE /permissions/{permission_id}- Delete permission
GET /health- Health check endpoint
The API currently provides 75+ endpoints across 8 main modules:
| Module | Endpoints | Description |
|---|---|---|
| Authentication | 14 | User registration, login, profile management |
| Organizations | 8 | Multi-org support, member management |
| Departments | 6 | Department hierarchy within organizations |
| Teams | 7 | Team creation, member assignment |
| Roles | 8 | Role-based access control |
| Permissions | 5 | Granular permission management |
| Admin | 3 | Administrative utilities |
| Health | 1 | System monitoring |
Total Coverage:
- ✅ Complete CRUD operations for all entities
- ✅ Relationship management between entities
- ✅ Soft delete support across all models
- ✅ Pagination on all list endpoints
- ✅ Filtering by parent entities (org → dept → team)
- ✅ Member counting and statistics
productivity-tracker-backend/
├── productivity_tracker/
│ ├── api/ # API routes
│ │ ├── auth.py # Authentication endpoints
│ │ ├── organizations.py # Organization management
│ │ ├── departments.py # Department management
│ │ ├── teams.py # Team management
│ │ ├── roles.py # Role management
│ │ ├── permissions.py # Permission management
│ │ ├── admin.py # Admin utilities
│ │ ├── setup.py # API setup
│ │ └── health.py # Health check
│ ├── core/ # Core functionality
│ │ ├── database.py # Database connection
│ │ ├── security.py # Security utilities
│ │ ├── dependencies.py # FastAPI dependencies
│ │ ├── middleware.py # Custom middleware
│ │ ├── settings.py # Configuration
│ │ ├── exceptions.py # Custom exceptions
│ │ ├── exception_filter.py # Global exception handling
│ │ ├── logging_config.py # Logging setup
│ │ └── setup.py # Core setup
│ ├── database/
│ │ └── entities/ # SQLAlchemy models
│ │ ├── base.py # Base entity
│ │ ├── user.py # User model
│ │ ├── role.py # Role & Permission models
│ │ ├── organization.py # Organization model
│ │ ├── department.py # Department model
│ │ └── team.py # Team model
│ ├── models/ # Pydantic schemas
│ │ ├── auth.py # Auth-related schemas
│ │ └── organization.py # Organization schemas
│ ├── repositories/ # Data access layer
│ │ ├── base.py # Base repository
│ │ ├── user_repository.py
│ │ ├── role_repository.py
│ │ ├── permission_repository.py
│ │ ├── organization_repository.py
│ │ ├── department_repository.py
│ │ └── team_repository.py
│ ├── services/ # Business logic
│ │ ├── user_service.py
│ │ ├── role_service.py
│ │ ├── permission_service.py
│ │ ├── organization_service.py
│ │ ├── department_service.py
│ │ └── team_service.py
│ ├── versioning/ # API versioning
│ │ ├── versioning.py # Version definitions
│ │ ├── utils.py # Versioning utilities
│ │ └── version.py # Version helpers
│ ├── scripts/ # Utility scripts
│ │ ├── create_super_user.py
│ │ └── seed_rbac.py
│ ├── cli.py # CLI commands
│ └── main.py # FastAPI application
├── migrations/ # Alembic migrations
├── tests/ # Test files
├── logs/ # Application logs
├── .env.example # Environment template
├── .pre-commit-config.yaml # Pre-commit configuration
├── pyproject.toml # Project dependencies & config
├── Makefile # Development commands
└── README.md
- Passwords are hashed using Argon2
- JWT tokens for stateless authentication
- HTTP-only cookies for token storage
- CORS configuration for cross-origin requests
- Security headers middleware
- Input validation with Pydantic
- SQL injection protection via SQLAlchemy ORM
- Secret detection in pre-commit hooks
Logs are written to:
- Console: Colored output for development
- logs/app.log: All application logs (rotating, 10MB max)
- logs/error.log: Error logs only (daily rotation, 30 days)
Log format includes:
- Timestamp
- Log level
- Module name
- Request method and path
- User information (if authenticated)
- Response status and duration
- Create a feature branch
- Make your changes
- Run
make checkto ensure all tests pass - Commit your changes (pre-commit hooks will run automatically)
- Push and create a pull request
This project is licensed under the MIT License. See the LICENSE file for details.