feat: Implement service-to-service authentication, centralize environment configuration, and harden Docker security.

docker-compose.yml

@@ -11,8 +11,10 @@ services:
       POSTGRES_DB: ${DB_NAME:-controlpatente}
     volumes:
       - db_data:/var/lib/postgresql/data
-    ports:
-      - "5432:5432"
+    # SECURITY: Port not exposed externally - only accessible within Docker network
+    # Uncomment for local development debugging only
+    # ports:
+    #   - "5432:5432"
     networks:
       - backend-net
     restart: unless-stopped
@@ -34,6 +36,10 @@ services:
     environment:
       - DATABASE_URL=postgresql://${DB_USER:-postgres}:${DB_PASSWORD:-postgres}@db:5432/${DB_NAME:-controlpatente}
       - PORT=3000
+      - JWT_SECRET=${JWT_SECRET:?JWT_SECRET is required}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-}
+      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:5173}
+      - SERVICE_API_KEY=${SERVICE_API_KEY:-}
     ports:
       - "3000:3000"
     depends_on:
@@ -68,6 +74,7 @@ services:
       - PROCESS_INTERVAL=1.5
       - DATASET_COOLDOWN=60
       - OCR_WORKERS=2
+      - SERVICE_API_KEY=${SERVICE_API_KEY:-}
     devices:
       - "/dev/video0:/dev/video0"
     networks:
@@ -76,7 +83,12 @@ services:
       backend:
         condition: service_healthy
     restart: unless-stopped
-    privileged: true
+    # SECURITY: Use specific capabilities instead of privileged mode
+    # privileged: true  # REMOVED - security risk
+    cap_add:
+      - SYS_RAWIO
+    security_opt:
+      - no-new-privileges:true
     volumes:
       - ./alpr-service/dataset:/app/dataset
     healthcheck: