qr-code-api/README.md

# QR Code API (Node.js)

Simple micro app that returns a QR code image from an API call.

## Setup

```bash
npm install
```

## Run

```bash
npm run dev
# or
npm start
```

Default URL: `http://localhost:3000`

## Endpoints

- `GET /health`
- `GET /api/qr?text=Hello%20World`
- `POST /api/qr` with JSON body

### GET example

```bash
curl "http://localhost:3000/api/qr?text=Hello%20World&size=400" --output qr.png
```

### POST example

```bash
curl -X POST "http://localhost:3000/api/qr" \
  -H "Content-Type: application/json" \
  -d '{"text":"https://crewsportswear.app","size":500,"margin":2}' \
  --output qr.png
```

## Optional parameters

- `size` (number, default `512`, min `128`, max `2048`)
- `margin` (number, default `2`, min `0`, max `10`)
- `dark` (hex color, default `#000000`)
- `light` (hex color, default `#FFFFFF`)

## Docker

### Local Docker run

```bash
docker compose -f docker-compose.local.yml up -d --build
```

Local URL: `http://localhost:3000`

### Production (Traefik)

```bash
docker compose -f docker-compose.prod.yml up -d --build
```

Traefik host rule: `qr.crewsportswear.app`

Notes:

- Uses external Docker networks: `traefik-public` and `crew-app-net`
- Internal service port is `3000`
- TLS uses Traefik Let's Encrypt via `tls.certresolver=le`
- Includes HTTP -> HTTPS redirect via Traefik labels

## Restrict QR generation by IP

The `/api/qr` endpoints support IP allowlisting via environment variable.

- `ALLOWED_QR_IPS`: comma-separated list of allowed client IPs
- `TRUST_PROXY`: keep this `true` behind Traefik so client IP is read from forwarded headers

Example `.env` values for production:

```env
ALLOWED_QR_IPS=203.0.113.10,198.51.100.22
TRUST_PROXY=true
```

If `ALLOWED_QR_IPS` is empty, IP filtering is disabled.