# Burn Register — Deployment Notes

National Burn Register (NBIS Nigeria). Two repositories:

- **Backend** (this repo): `git@gitlab.com:blouza-tech/burn-register-backend.git` — Laravel 12 API
- **Frontend**: `git@gitlab.com:blouza-tech/burn-register-frontend.git` — Vite + React SPA

## Staging environment (live)

| | |
|---|---|
| Host | `45.13.59.80` (Ubuntu 24.04, shared Apache box) |
| Frontend | https://burnregister.blouzatechdev.ng → `/var/www/burn-register-frontend/dist` |
| API | https://burnregisterapi.blouzatechdev.ng → `/var/www/burn-register-backend/public` |
| Runtime | PHP **8.2**-FPM (`/run/php/php8.2-fpm.sock`), served by Apache vhosts |
| Database | MySQL `burn_register`, app user `burnregister` (creds in server `.env`, not committed) |
| TLS | Let's Encrypt (certbot `--apache`), auto-renew; HTTP→HTTPS 301 |
| Demo logins | `admin@burnwell.ng`, `lead@burnwell.ng`, `expert@burnwell.ng` / `password123` |

### Deploy / update (backend)
```sh
cd /var/www/burn-register-backend
git pull origin main
php8.2 /usr/local/bin/composer install --no-dev --optimize-autoloader
php8.2 artisan migrate --force
sudo chown -R www-data:www-data storage bootstrap/cache
```

### Deploy / update (frontend)
```sh
cd /var/www/burn-register-frontend
git pull origin main
npm ci
VITE_API_URL=https://burnregisterapi.blouzatechdev.ng/api npm run build
```
`VITE_API_URL` is baked into the bundle at build time (default fallback is `http://localhost:8000/api`).

## Key decisions, fixes & assumptions

1. **PHP runtime / dependency relock.** The committed `composer.lock` resolved against PHP 8.4 (pulled Symfony 8, which requires PHP ≥ 8.4). The only Apache FPM runtime on the server is PHP 8.2, and PHP 8.4 has no FPM pool there. The lock was regenerated for PHP 8.2 (`composer update`, Symfony → 7.4; Laravel 12 fully supports Symfony 7) and committed.
2. **MySQL 64-char identifier limit.** Migration `..._000014_create_pre_existing_conditions_table` relied on an auto-generated FK name (`burn_case_pre_existing_condition_pre_existing_condition_id_foreign`, 66 chars) that exceeds MySQL's 64-char limit. Fixed with explicit short FK names. This was latent because development used SQLite (no such limit). **If you develop against SQLite, validate migrations against MySQL before deploy.**
3. **Database engine.** Staging uses MySQL (PHP 8.2 here has `pdo_mysql` but **no** `pdo_sqlite`). `.env` is configured for MySQL.
4. **No app changes beyond the two fixes above**; frontend code is unmodified.

## ⚠️ Security items to address before production

- **`GET /api/setup-database`** (in `routes/api.php`) is **public, unauthenticated**, and runs `migrate` + `db:seed` and creates facility users with a hard-coded password (`Password123`). Remove or protect this route before production.
- Rotate/replace the demo users and their `password123` credentials for any non-staging use.
- `server_details.txt` (plaintext server/DB passwords) is intentionally **excluded** from the frontend repo via `.gitignore` — keep it out of version control.

## Operational note

Apache had been **down server-wide** since the 06:24 reboot on 2026-06-23 (transient `:80` bind conflict at boot, `AH00072: could not bind to address`). The port was free by deploy time; `systemctl start apache2` restored all sites. If Apache fails to start after a reboot, check for a lingering process holding `:80` before assuming a config error (`apache2ctl configtest` was clean).