update

.gitattributes

@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+*.docx filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1,29 @@
+# Node.js
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# Python
+__pycache__/
+*.py[cod]
+*.pyo
+*.pyd
+*.pkl
+*.pyo
+*.egg-info/
+*.egg
+*.manifest
+*.spec
+
+# Environments
+.env
+.venv/
+venv/
+ENV/
+
+# Build & cache
+dist/
+build/
+*.log

Dockerfile

@@ -0,0 +1,57 @@
+# Multi-stage Dockerfile to run both frontend (Next.js) and backend (FastAPI) in a single container
+
+# 1) Build the Next.js frontend as static export
+FROM node:20-bullseye AS frontend-builder
+WORKDIR /app/frontend
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Install deps first (better cache)
+COPY metsa-frontend/package*.json ./
+RUN npm ci
+
+# Copy source and build + export
+COPY metsa-frontend/ .
+RUN npm run build && npm run export
+
+# 2) Final runtime: Node + Python in one image
+FROM node:20-bullseye AS runtime
+WORKDIR /app
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Install Python and build tools required by some Python packages
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+       python3 python3-pip python3-venv \
+       build-essential python3-dev libffi-dev libssl-dev \
+  && rm -rf /var/lib/apt/lists/*
+
+# ---- Backend setup ----
+# Copy backend code and install Python deps into a venv
+COPY metsa-backend/ ./metsa-backend/
+RUN python3 -m venv /app/venv \
+  && . /app/venv/bin/activate \
+  && pip install --upgrade pip \
+  && pip install --no-cache-dir -r metsa-backend/requirements.txt
+
+# Ensure uploads directory exists
+RUN mkdir -p metsa-backend/uploads
+
+# ---- Frontend setup ----
+# Copy Next.js exported static site into backend-served directory
+WORKDIR /app
+COPY --from=frontend-builder /app/frontend/out ./metsa-frontend/out
+
+# ---- App startup ----
+WORKDIR /app
+COPY scripts/start.sh ./scripts/start.sh
+RUN chmod +x ./scripts/start.sh
+
+# Default port (single port)
+EXPOSE 8000
+
+# API URL used by frontend static site
+ENV NEXT_PUBLIC_API_URL="http://localhost:8000/api/v1"
+
+CMD ["/bin/bash", "/app/scripts/start.sh"]
+

Makefile

@@ -0,0 +1,37 @@
+# Cross-platform Makefile (Linux/macOS and Windows via Git Bash/WSL)
+
+.DEFAULT_GOAL := help
+
+.PHONY: help build up down logs sh clean
+
+help:
+	@echo "Available targets:"
+	@echo "  build  - Build the Docker image"
+	@echo "  up     - Start app with docker-compose (frontend + backend)"
+	@echo "  down   - Stop containers"
+	@echo "  logs   - Tail logs"
+	@echo "  sh     - Shell into running container"
+	@echo "  clean  - Remove image and dangling artifacts"
+
+build:
+	docker compose build
+
+up:
+	docker compose up -d
+
+Down:
+	docker compose down
+
+down:
+	docker compose down
+
+logs:
+	docker compose logs -f --tail=200
+
+sh:
+	docker exec -it metsa-app /bin/bash
+
+clean:
+	docker compose down -v --remove-orphans || true
+	docker image prune -f || true
+

README-Docker.md

@@ -0,0 +1,46 @@
+# Metsa App - Docker Setup
+
+This repository runs the Next.js frontend and FastAPI backend together using a single container image (with docker-compose for convenience).
+
+## Prerequisites
+- Docker 24+
+- Docker Compose plugin (`docker compose`) or Docker Desktop
+- Make (optional; Windows users can use Git Bash or WSL)
+
+## Quick start
+
+```bash
+# Build image
+make build
+# Start
+make up
+# Tail logs
+make logs
+# Stop
+make down
+```
+
+Without Make:
+```bash
+docker compose build
+docker compose up -d
+docker compose logs -f --tail=200
+```
+
+App URLs:
+- Frontend: http://localhost:3000
+- Backend:  http://localhost:8000 (FastAPI docs: http://localhost:8000/docs)
+
+## How it works
+- Multi-stage Dockerfile builds the Next.js app, then runs both the built Next app and the FastAPI server in the final runtime image.
+- A small start.sh launches the backend (Uvicorn) in background and then starts Next.js.
+- docker-compose exposes ports 3000 and 8000 and mounts `metsa-backend/uploads` so files persist across restarts.
+
+## Customizing
+- Frontend API base URL can be overridden via NEXT_PUBLIC_API_URL (defaults to http://localhost:8000/api/v1).
+- For production, set proper environment variables in docker-compose.yml and secure the backend settings.
+
+## Notes
+- This single-container approach is simple for development and small deployments. For production, consider separate services and a reverse proxy.
+- Ensure MongoDB is reachable by the backend. Update `metsa-backend/app/config.py` MONGODB_URL or use an external MongoDB service/container.
+

docker-compose.yml

@@ -0,0 +1,15 @@
+version: "3.9"
+services:
+  app:
+    build: .
+    container_name: metsa-app
+    ports:
+      - "8000:8000"
+    environment:
+      - NEXT_PUBLIC_API_URL=http://localhost:8000/api/v1
+      - PYTHONDONTWRITEBYTECODE=1
+      - PYTHONUNBUFFERED=1
+    volumes:
+      - ./metsa-backend/uploads:/app/metsa-backend/uploads
+    restart: unless-stopped
+

metsa-backend/.env.example

@@ -0,0 +1,25 @@
+# Application
+APP_NAME="Document Portal API"
+APP_VERSION="1.0.0"
+DEBUG=True
+
+# MongoDB
+MONGODB_URL=mongodb://localhost:27017
+DATABASE_NAME=document_portal
+
+# Security
+SECRET_KEY=your-secret-key-here-change-in-production
+ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=1440
+
+# Email
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USER=your-email@gmail.com
+SMTP_PASSWORD=your-app-password
+EMAILS_FROM_EMAIL=noreply@metsa.com
+EMAILS_FROM_NAME=Metsa Document Portal
+
+# File Upload
+UPLOAD_DIR=uploads
+MAX_FILE_SIZE=10485760

metsa-backend/PROJECT_DOCUMENTATION.md

@@ -0,0 +1,1695 @@
+# Project Documentation
+
+Generated from: C:\Users\Noman\Desktop\document-portal-backend
+
+---
+
+## README.md
+
+```markdown
+
+```
+
+---
+
+## app\__init__.py
+
+```python
+
+```
+
+---
+
+## app\config.py
+
+```python
+from pydantic import BaseModel
+from typing import Optional
+
+class Settings(BaseModel):
+    # Application
+    APP_NAME: str = "Document Portal API"
+    APP_VERSION: str = "1.0.0"
+    DEBUG: bool = True
+    
+    # MongoDB
+    MONGODB_URL: str = "mongodb://localhost:27017"
+    DATABASE_NAME: str = "document_portal"
+    
+    # Security
+    SECRET_KEY: str = "your-secret-key-here-change-in-production"
+    ALGORITHM: str = "HS256"
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 1440
+    
+    # Email
+    SMTP_HOST: str = "smtp.gmail.com"
+    SMTP_PORT: int = 587
+    SMTP_USER: str = ""
+    SMTP_PASSWORD: str = ""
+    EMAILS_FROM_EMAIL: Optional[str] = None
+    EMAILS_FROM_NAME: Optional[str] = None
+    
+    # File Upload
+    UPLOAD_DIR: str = "uploads"
+    MAX_FILE_SIZE: int = 10 * 1024 * 1024
+    ALLOWED_EXTENSIONS: set = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
+    
+    model_config = {"env_file": ".env"}
+
+# Create settings instance
+settings = Settings()
+```
+
+---
+
+## app\database.py
+
+```python
+from motor.motor_asyncio import AsyncIOMotorClient
+from typing import Optional
+from .config import settings
+
+class Database:
+    client: Optional[AsyncIOMotorClient] = None
+
+db = Database()
+
+async def connect_to_mongo():
+    db.client = AsyncIOMotorClient(settings.MONGODB_URL)
+
+async def close_mongo_connection():
+    if db.client:
+        db.client.close()
+
+def get_database():
+    return db.client[settings.DATABASE_NAME]
+
+```
+
+---
+
+## app\main.py
+
+```python
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from contextlib import asynccontextmanager
+import os
+
+from .config import settings
+from .database import connect_to_mongo, close_mongo_connection
+from .routers import auth, users, documents, notifications
+from .services.user import UserService
+from .schemas.user import UserCreate
+from .models.user import UserRole
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Startup
+    await connect_to_mongo()
+    
+    # Create upload directory
+    os.makedirs(settings.UPLOAD_DIR, exist_ok=True)
+    
+    # Create default admin user if not exists
+    user_service = UserService()
+    admin = await user_service.get_user_by_username("admin")
+    if not admin:
+        admin_data = UserCreate(
+            email="admin@metsa.com",
+            username="admin",
+            password="admin123",  # Change this in production!
+            role=UserRole.ADMIN
+        )
+        await user_service.create_user(admin_data, "system")
+        print("Default admin user created: username=admin, password=admin123")
+    
+    yield
+    
+    # Shutdown
+    await close_mongo_connection()
+
+app = FastAPI(
+    title=settings.APP_NAME,
+    version=settings.APP_VERSION,
+    lifespan=lifespan
+)
+
+# CORS middleware
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],  # Configure this properly in production
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Include routers
+app.include_router(auth.router, prefix="/api/v1")
+app.include_router(users.router, prefix="/api/v1")
+app.include_router(documents.router, prefix="/api/v1")
+app.include_router(notifications.router, prefix="/api/v1")
+
+@app.get("/")
+async def root():
+    return {
+        "message": "Welcome to Metsa Document Portal API",
+        "version": settings.APP_VERSION,
+        "docs": "/docs"
+    }
+
+@app.get("/health")
+async def health_check():
+    return {"status": "healthy"}
+
+```
+
+---
+
+## app\middleware\__init__.py
+
+```python
+
+```
+
+---
+
+## app\middleware\auth.py
+
+```python
+
+```
+
+---
+
+## app\models\__init__.py
+
+```python
+
+```
+
+---
+
+## app\models\document.py
+
+```python
+from typing import Optional, List, Dict
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, Field
+from bson import ObjectId
+from .user import PyObjectId
+
+class DocumentCategory(str, Enum):
+    COMMERCIAL = "commercial"
+    QUALITY = "quality"
+    SAFETY = "safety"
+    COMPLIANCE = "compliance"
+    CONTRACTS = "contracts"
+    SPECIFICATIONS = "specifications"
+    OTHER = "other"
+
+class DocumentVisibility(str, Enum):
+    PUBLIC = "public"
+    PRIVATE = "private"
+    INTERNAL = "internal"
+
+class Document(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    title: str
+    description: Optional[str] = None
+    category: DocumentCategory
+    file_path: str
+    file_name: str
+    file_size: int
+    mime_type: str
+    visibility: DocumentVisibility = DocumentVisibility.PRIVATE
+    is_viewable_only: bool = False
+    assigned_customers: List[str] = []
+    tags: List[str] = []
+    metadata: Optional[Dict] = None
+    uploaded_by: str
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+```
+
+---
+
+## app\models\notification.py
+
+```python
+from typing import Optional
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, Field
+from bson import ObjectId
+from .user import PyObjectId
+
+class NotificationType(str, Enum):
+    NEW_DOCUMENT = "new_document"
+    DOCUMENT_UPDATED = "document_updated"
+    SYSTEM = "system"
+
+class Notification(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    user_id: str
+    type: NotificationType
+    title: str
+    message: str
+    document_id: Optional[str] = None
+    is_read: bool = False
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+```
+
+---
+
+## app\models\user.py
+
+```python
+from typing import Optional, List, Dict, Any
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, EmailStr, Field, field_validator
+from pydantic.json_schema import JsonSchemaValue
+from pydantic_core import core_schema
+from bson import ObjectId
+
+class UserRole(str, Enum):
+    ADMIN = "admin"
+    EDITOR = "editor"
+    CUSTOMER = "customer"
+
+class Permission(str, Enum):
+    UPLOAD = "upload"
+    EDIT = "edit"
+    DELETE = "delete"
+    VIEW = "view"
+    MANAGE_USERS = "manage_users"
+    MANAGE_DOCUMENTS = "manage_documents"
+
+class PyObjectId(ObjectId):
+    @classmethod
+    def __get_pydantic_core_schema__(
+        cls, source_type: Any, handler
+    ) -> core_schema.CoreSchema:
+        return core_schema.json_or_python_schema(
+            json_schema=core_schema.str_schema(),
+            python_schema=core_schema.union_schema([
+                core_schema.is_instance_schema(ObjectId),
+                core_schema.chain_schema([
+                    core_schema.str_schema(),
+                    core_schema.no_info_plain_validator_function(cls.validate),
+                ])
+            ]),
+            serialization=core_schema.plain_serializer_function_ser_schema(
+                lambda x: str(x)
+            ),
+        )
+
+    @classmethod
+    def validate(cls, v):
+        if not ObjectId.is_valid(v):
+            raise ValueError("Invalid ObjectId")
+        return ObjectId(v)
+
+    @classmethod
+    def __get_pydantic_json_schema__(
+        cls, core_schema: core_schema.CoreSchema, handler
+    ) -> JsonSchemaValue:
+        return {"type": "string"}
+
+class User(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    email: EmailStr
+    username: str
+    hashed_password: str
+    role: UserRole
+    is_active: bool = True
+    is_verified: bool = False
+    permissions: List[Permission] = []
+    customer_info: Optional[Dict] = None
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+    created_by: Optional[str] = None
+    last_login: Optional[datetime] = None
+```
+
+---
+
+## app\routers\__init__.py
+
+```python
+
+```
+
+---
+
+## app\routers\auth.py
+
+```python
+from datetime import timedelta
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordRequestForm
+from ..schemas.user import Token, UserLogin
+from ..services.auth import authenticate_user, create_access_token
+from ..services.user import UserService
+from ..config import settings
+
+router = APIRouter(prefix="/auth", tags=["authentication"])
+
+@router.post("/login", response_model=Token)
+async def login(form_data: OAuth2PasswordRequestForm = Depends()):
+    user = await authenticate_user(form_data.username, form_data.password)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    
+    # Update last login
+    user_service = UserService()
+    await user_service.update_last_login(str(user.id))
+    
+    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    access_token = create_access_token(
+        data={
+            "sub": user.username,
+            "user_id": str(user.id),
+            "role": user.role
+        },
+        expires_delta=access_token_expires
+    )
+    
+    return {"access_token": access_token, "token_type": "bearer"}
+
+```
+
+---
+
+## app\routers\documents.py
+
+```python
+from typing import List, Optional
+from fastapi import APIRouter, Depends, HTTPException, status, UploadFile, File, Form
+from fastapi.responses import FileResponse
+from ..schemas.document import DocumentCreate, DocumentUpdate, DocumentResponse
+from ..models.user import User, Permission
+from ..models.document import DocumentCategory
+from ..services.document import DocumentService
+from ..utils.security import get_current_active_user
+from ..utils.permissions import is_staff, check_permission, can_access_document
+from ..config import settings
+import os
+
+router = APIRouter(prefix="/documents", tags=["documents"])
+
+@router.post("/", response_model=DocumentResponse)
+async def upload_document(
+    title: str = Form(...),
+    description: Optional[str] = Form(None),
+    category: DocumentCategory = Form(...),
+    visibility: str = Form("private"),
+    is_viewable_only: bool = Form(False),
+    assigned_customers: Optional[str] = Form(None),
+    tags: Optional[str] = Form(None),
+    file: UploadFile = File(...),
+    current_user: User = Depends(get_current_active_user)
+):
+    """Upload a new document (Staff only)"""
+    check_permission(current_user, [Permission.UPLOAD])
+    
+    document_service = DocumentService()
+    
+    # Validate file
+    if not file.filename:
+        raise HTTPException(status_code=400, detail="No file provided")
+    
+    file_extension = os.path.splitext(file.filename)[1].lower()
+    if file_extension not in settings.ALLOWED_EXTENSIONS:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File type not allowed. Allowed types: {', '.join(settings.ALLOWED_EXTENSIONS)}"
+        )
+    
+    # Read file content
+    content = await file.read()
+    if len(content) > settings.MAX_FILE_SIZE:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File too large. Maximum size: {settings.MAX_FILE_SIZE / 1024 / 1024}MB"
+        )
+    
+    # Save file
+    file_info = await document_service.save_file(content, file.filename, category)
+    
+    # Parse form data
+    document_data = DocumentCreate(
+        title=title,
+        description=description,
+        category=category,
+        visibility=visibility,
+        is_viewable_only=is_viewable_only,
+        assigned_customers=assigned_customers.split(",") if assigned_customers else [],
+        tags=tags.split(",") if tags else []
+    )
+    
+    # Create document
+    document = await document_service.create_document(
+        document_data,
+        file_info,
+        str(current_user.id)
+    )
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.get("/", response_model=List[DocumentResponse])
+async def get_documents(
+    skip: int = 0,
+    limit: int = 100,
+    category: Optional[DocumentCategory] = None,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get all documents accessible to the user"""
+    document_service = DocumentService()
+    
+    documents = await document_service.get_documents(
+        skip=skip,
+        limit=limit,
+        category=category,
+        user_id=str(current_user.id),
+        user_role=current_user.role
+    )
+    
+    return [
+        DocumentResponse(
+            id=str(doc.id),
+            title=doc.title,
+            description=doc.description,
+            category=doc.category,
+            visibility=doc.visibility,
+            is_viewable_only=doc.is_viewable_only,
+            assigned_customers=doc.assigned_customers,
+            tags=doc.tags,
+            file_name=doc.file_name,
+            file_size=doc.file_size,
+            mime_type=doc.mime_type,
+            uploaded_by=doc.uploaded_by,
+            created_at=doc.created_at,
+            updated_at=doc.updated_at
+        ) for doc in documents
+    ]
+
+@router.get("/{document_id}", response_model=DocumentResponse)
+async def get_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get document by ID"""
+    document_service = DocumentService()
+    
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    can_access_document(current_user, document)
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.get("/{document_id}/download")
+async def download_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Download document"""
+    document_service = DocumentService()
+    
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    can_access_document(current_user, document)
+    
+    if document.is_viewable_only and current_user.role == "customer":
+        raise HTTPException(status_code=403, detail="This document is view-only")
+    
+    if not os.path.exists(document.file_path):
+        raise HTTPException(status_code=404, detail="File not found")
+    
+    return FileResponse(
+        path=document.file_path,
+        filename=document.file_name,
+        media_type=document.mime_type
+    )
+
+@router.put("/{document_id}", response_model=DocumentResponse)
+async def update_document(
+    document_id: str,
+    document_update: DocumentUpdate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Update document (Staff only)"""
+    check_permission(current_user, [Permission.EDIT])
+    
+    document_service = DocumentService()
+    
+    document = await document_service.update_document(document_id, document_update)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.delete("/{document_id}")
+async def delete_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Delete document (Staff only)"""
+    check_permission(current_user, [Permission.DELETE])
+    
+    document_service = DocumentService()
+    
+    success = await document_service.delete_document(document_id)
+    if not success:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    return {"message": "Document deleted successfully"}
+```
+
+---
+
+## app\routers\notifications.py
+
+```python
+from typing import List
+from fastapi import APIRouter, Depends, HTTPException
+from ..schemas.notification import NotificationResponse
+from ..models.user import User
+from ..services.notification import NotificationService
+from ..utils.security import get_current_active_user
+
+router = APIRouter(prefix="/notifications", tags=["notifications"])
+
+@router.get("/", response_model=List[NotificationResponse])
+async def get_notifications(
+    skip: int = 0,
+    limit: int = 50,
+    unread_only: bool = False,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get user notifications"""
+    notification_service = NotificationService()
+    
+    notifications = await notification_service.get_user_notifications(
+        str(current_user.id),
+        skip=skip,
+        limit=limit,
+        unread_only=unread_only
+    )
+    
+    return [
+        NotificationResponse(
+            id=str(notif.id),
+            type=notif.type,
+            title=notif.title,
+            message=notif.message,
+            document_id=notif.document_id,
+            user_id=notif.user_id,
+            is_read=notif.is_read,
+            created_at=notif.created_at
+        ) for notif in notifications
+    ]
+
+@router.put("/{notification_id}/read")
+async def mark_notification_as_read(
+    notification_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Mark notification as read"""
+    notification_service = NotificationService()
+    
+    success = await notification_service.mark_as_read(notification_id, str(current_user.id))
+    if not success:
+        raise HTTPException(status_code=404, detail="Notification not found")
+    
+    return {"message": "Notification marked as read"}
+
+@router.put("/read-all")
+async def mark_all_notifications_as_read(
+    current_user: User = Depends(get_current_active_user)
+):
+    """Mark all notifications as read"""
+    notification_service = NotificationService()
+    
+    count = await notification_service.mark_all_as_read(str(current_user.id))
+    return {"message": f"{count} notifications marked as read"}
+
+```
+
+---
+
+## app\routers\users.py
+
+```python
+from typing import List, Optional
+from fastapi import APIRouter, Depends, HTTPException, status
+from ..schemas.user import UserCreate, UserUpdate, UserResponse
+from ..models.user import User, UserRole
+from ..services.user import UserService
+from ..utils.security import get_current_active_user
+from ..utils.permissions import is_admin
+
+router = APIRouter(prefix="/users", tags=["users"])
+
+@router.post("/", response_model=UserResponse)
+async def create_user(
+    user_data: UserCreate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Create a new user (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    try:
+        user = await user_service.create_user(user_data, str(current_user.id))
+        return UserResponse(
+            id=str(user.id),
+            email=user.email,
+            username=user.username,
+            role=user.role,
+            permissions=user.permissions,
+            customer_info=user.customer_info,
+            is_active=user.is_active,
+            is_verified=user.is_verified,
+            created_at=user.created_at,
+            updated_at=user.updated_at,
+            last_login=user.last_login
+        )
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+@router.get("/me", response_model=UserResponse)
+async def get_current_user_info(current_user: User = Depends(get_current_active_user)):
+    """Get current user information"""
+    return UserResponse(
+        id=str(current_user.id),
+        email=current_user.email,
+        username=current_user.username,
+        role=current_user.role,
+        permissions=current_user.permissions,
+        customer_info=current_user.customer_info,
+        is_active=current_user.is_active,
+        is_verified=current_user.is_verified,
+        created_at=current_user.created_at,
+        updated_at=current_user.updated_at,
+        last_login=current_user.last_login
+    )
+
+@router.get("/", response_model=List[UserResponse])
+async def get_users(
+    skip: int = 0,
+    limit: int = 100,
+    role: Optional[UserRole] = None,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get all users (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    users = await user_service.get_users(skip=skip, limit=limit, role=role)
+    return [
+        UserResponse(
+            id=str(user.id),
+            email=user.email,
+            username=user.username,
+            role=user.role,
+            permissions=user.permissions,
+            customer_info=user.customer_info,
+            is_active=user.is_active,
+            is_verified=user.is_verified,
+            created_at=user.created_at,
+            updated_at=user.updated_at,
+            last_login=user.last_login
+        ) for user in users
+    ]
+
+@router.get("/{user_id}", response_model=UserResponse)
+async def get_user(
+    user_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get user by ID (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    user = await user_service.get_user_by_id(user_id)
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return UserResponse(
+        id=str(user.id),
+        email=user.email,
+        username=user.username,
+        role=user.role,
+        permissions=user.permissions,
+        customer_info=user.customer_info,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+        last_login=user.last_login
+    )
+
+@router.put("/{user_id}", response_model=UserResponse)
+async def update_user(
+    user_id: str,
+    user_update: UserUpdate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Update user (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    user = await user_service.update_user(user_id, user_update)
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return UserResponse(
+        id=str(user.id),
+        email=user.email,
+        username=user.username,
+        role=user.role,
+        permissions=user.permissions,
+        customer_info=user.customer_info,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+        last_login=user.last_login
+    )
+
+@router.delete("/{user_id}")
+async def delete_user(
+    user_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Delete user (Admin only)"""
+    is_admin(current_user)
+    
+    if str(current_user.id) == user_id:
+        raise HTTPException(status_code=400, detail="Cannot delete yourself")
+    
+    user_service = UserService()
+    
+    success = await user_service.delete_user(user_id)
+    if not success:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return {"message": "User deleted successfully"}
+
+```
+
+---
+
+## app\schemas\__init__.py
+
+```python
+
+```
+
+---
+
+## app\schemas\document.py
+
+```python
+from typing import Optional, List
+from datetime import datetime
+from pydantic import BaseModel
+from ..models.document import DocumentCategory, DocumentVisibility
+
+class DocumentBase(BaseModel):
+    title: str
+    description: Optional[str] = None
+    category: DocumentCategory
+    visibility: DocumentVisibility = DocumentVisibility.PRIVATE
+    is_viewable_only: bool = False
+    assigned_customers: List[str] = []
+    tags: List[str] = []
+
+class DocumentCreate(DocumentBase):
+    pass
+
+class DocumentUpdate(BaseModel):
+    title: Optional[str] = None
+    description: Optional[str] = None
+    category: Optional[DocumentCategory] = None
+    visibility: Optional[DocumentVisibility] = None
+    is_viewable_only: Optional[bool] = None
+    assigned_customers: Optional[List[str]] = None
+    tags: Optional[List[str]] = None
+
+class DocumentResponse(DocumentBase):
+    id: str
+    file_name: str
+    file_size: int
+    mime_type: str
+    uploaded_by: str
+    created_at: datetime
+    updated_at: datetime
+
+```
+
+---
+
+## app\schemas\notification.py
+
+```python
+from typing import Optional
+from datetime import datetime
+from pydantic import BaseModel
+from ..models.notification import NotificationType
+
+class NotificationBase(BaseModel):
+    type: NotificationType
+    title: str
+    message: str
+    document_id: Optional[str] = None
+
+class NotificationCreate(NotificationBase):
+    user_id: str
+
+class NotificationResponse(NotificationBase):
+    id: str
+    user_id: str
+    is_read: bool
+    created_at: datetime
+
+```
+
+---
+
+## app\schemas\user.py
+
+```python
+from typing import Optional, List
+from datetime import datetime
+from pydantic import BaseModel, EmailStr
+from ..models.user import UserRole, Permission
+
+class UserBase(BaseModel):
+    email: EmailStr
+    username: str
+    role: UserRole
+    permissions: List[Permission] = []
+    customer_info: Optional[dict] = None
+
+class UserCreate(UserBase):
+    password: str
+
+class UserUpdate(BaseModel):
+    email: Optional[EmailStr] = None
+    username: Optional[str] = None
+    role: Optional[UserRole] = None
+    permissions: Optional[List[Permission]] = None
+    is_active: Optional[bool] = None
+    customer_info: Optional[dict] = None
+
+class UserResponse(UserBase):
+    id: str
+    is_active: bool
+    is_verified: bool
+    created_at: datetime
+    updated_at: datetime
+    last_login: Optional[datetime] = None
+
+class UserLogin(BaseModel):
+    username: str
+    password: str
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+
+class TokenData(BaseModel):
+    username: Optional[str] = None
+    user_id: Optional[str] = None
+    role: Optional[str] = None
+
+```
+
+---
+
+## app\services\__init__.py
+
+```python
+
+```
+
+---
+
+## app\services\auth.py
+
+```python
+from datetime import datetime, timedelta
+from typing import Optional
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from ..config import settings
+from ..models.user import User
+from ..database import get_database
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+def get_password_hash(password: str) -> str:
+    return pwd_context.hash(password)
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+async def authenticate_user(username: str, password: str):
+    db = get_database()
+    user_dict = await db.users.find_one({"username": username})
+    if not user_dict:
+        return False
+    user = User.model_validate(user_dict)
+    if not verify_password(password, user.hashed_password):
+        return False
+    return user
+```
+
+---
+
+## app\services\document.py
+
+```python
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+import os
+import aiofiles
+from ..database import get_database
+from ..models.document import Document
+from ..schemas.document import DocumentCreate, DocumentUpdate
+from ..config import settings
+from .notification import NotificationService
+
+class DocumentService:
+    def __init__(self):
+        self.db = get_database()
+        self.notification_service = NotificationService()
+    
+    async def create_document(self, document_data: DocumentCreate, file_info: dict, uploaded_by: str) -> Document:
+        document_dict = document_data.model_dump()
+        document_dict.update({
+            "file_path": file_info["file_path"],
+            "file_name": file_info["file_name"],
+            "file_size": file_info["file_size"],
+            "mime_type": file_info["mime_type"],
+            "uploaded_by": uploaded_by,
+            "created_at": datetime.utcnow(),
+            "updated_at": datetime.utcnow()
+        })
+        
+        result = await self.db.documents.insert_one(document_dict)
+        document_dict["_id"] = result.inserted_id
+        
+        # Send notifications to assigned customers
+        if document_data.assigned_customers:
+            for customer_id in document_data.assigned_customers:
+                await self.notification_service.create_notification(
+                    user_id=customer_id,
+                    type="new_document",
+                    title="New Document Available",
+                    message=f"A new document '{document_data.title}' has been uploaded for you.",
+                    document_id=str(result.inserted_id)
+                )
+        
+        return Document.model_validate(document_dict)
+    
+    async def get_document_by_id(self, document_id: str) -> Optional[Document]:
+        document_dict = await self.db.documents.find_one({"_id": ObjectId(document_id)})
+        return Document.model_validate(document_dict) if document_dict else None
+    
+    async def get_documents(self, skip: int = 0, limit: int = 100, 
+                          category: Optional[str] = None,
+                          user_id: Optional[str] = None,
+                          user_role: Optional[str] = None) -> List[Document]:
+        query = {}
+        
+        if category:
+            query["category"] = category
+        
+        # Filter based on user role
+        if user_role == "customer":
+            query["$or"] = [
+                {"visibility": "public"},
+                {"assigned_customers": user_id}
+            ]
+        
+        cursor = self.db.documents.find(query).skip(skip).limit(limit)
+        documents = []
+        async for document_dict in cursor:
+            documents.append(Document.model_validate(document_dict))
+        return documents
+    
+    async def update_document(self, document_id: str, document_update: DocumentUpdate) -> Optional[Document]:
+        update_data = {k: v for k, v in document_update.model_dump().items() if v is not None}
+        if update_data:
+            update_data["updated_at"] = datetime.utcnow()
+            
+            # Get old document for comparison
+            old_doc = await self.get_document_by_id(document_id)
+            
+            result = await self.db.documents.update_one(
+                {"_id": ObjectId(document_id)},
+                {"$set": update_data}
+            )
+            
+            if result.modified_count:
+                # Send notifications if assigned customers changed
+                if "assigned_customers" in update_data:
+                    new_customers = set(update_data["assigned_customers"]) - set(old_doc.assigned_customers)
+                    for customer_id in new_customers:
+                        await self.notification_service.create_notification(
+                            user_id=customer_id,
+                            type="new_document",
+                            title="Document Assigned",
+                            message=f"Document '{old_doc.title}' has been assigned to you.",
+                            document_id=document_id
+                        )
+                
+                return await self.get_document_by_id(document_id)
+        return None
+    
+    async def delete_document(self, document_id: str) -> bool:
+        # Get document to delete file
+        document = await self.get_document_by_id(document_id)
+        if document:
+            # Delete file from filesystem
+            try:
+                os.remove(document.file_path)
+            except:
+                pass
+            
+            # Delete from database
+            result = await self.db.documents.delete_one({"_id": ObjectId(document_id)})
+            return result.deleted_count > 0
+        return False
+    
+    async def save_file(self, file_content: bytes, filename: str, category: str) -> dict:
+        # Create directory if not exists
+        upload_dir = os.path.join(settings.UPLOAD_DIR, category)
+        os.makedirs(upload_dir, exist_ok=True)
+        
+        # Generate unique filename
+        timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S")
+        safe_filename = f"{timestamp}_{filename}"
+        file_path = os.path.join(upload_dir, safe_filename)
+        
+        # Save file
+        async with aiofiles.open(file_path, 'wb') as f:
+            await f.write(file_content)
+        
+        return {
+            "file_path": file_path,
+            "file_name": filename,
+            "file_size": len(file_content),
+            "mime_type": "application/octet-stream"
+        }
+```
+
+---
+
+## app\services\email.py
+
+```python
+import smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+from typing import List
+from ..config import settings
+
+async def send_email(to_email: str, subject: str, body: str, is_html: bool = False):
+    """Send email using SMTP"""
+    if not settings.SMTP_USER or not settings.SMTP_PASSWORD:
+        print(f"Email sending skipped (not configured): {subject} to {to_email}")
+        return
+    
+    msg = MIMEMultipart()
+    msg['From'] = settings.EMAILS_FROM_EMAIL or settings.SMTP_USER
+    msg['To'] = to_email
+    msg['Subject'] = subject
+    
+    msg.attach(MIMEText(body, 'html' if is_html else 'plain'))
+    
+    try:
+        server = smtplib.SMTP(settings.SMTP_HOST, settings.SMTP_PORT)
+        server.starttls()
+        server.login(settings.SMTP_USER, settings.SMTP_PASSWORD)
+        server.send_message(msg)
+        server.quit()
+    except Exception as e:
+        print(f"Failed to send email: {e}")
+
+async def send_welcome_email(email: str, username: str):
+    subject = "Welcome to Metsa Document Portal"
+    body = f"""
+    <h2>Welcome to Metsa Document Portal</h2>
+    <p>Hello {username},</p>
+    <p>Your account has been created successfully. You can now log in to access your documents.</p>
+    <p>Username: {username}</p>
+    <p>Please contact your administrator if you need to reset your password.</p>
+    <br>
+    <p>Best regards,<br>Metsa Team</p>
+    """
+    await send_email(email, subject, body, is_html=True)
+
+async def send_password_reset_email(email: str, reset_token: str):
+    subject = "Password Reset Request"
+    body = f"""
+    <h2>Password Reset Request</h2>
+    <p>You have requested to reset your password. Click the link below to reset it:</p>
+    <p><a href="http://portal.metsa.com/reset-password?token={reset_token}">Reset Password</a></p>
+    <p>This link will expire in 1 hour.</p>
+    <p>If you didn't request this, please ignore this email.</p>
+    <br>
+    <p>Best regards,<br>Metsa Team</p>
+    """
+    await send_email(email, subject, body, is_html=True)
+
+```
+
+---
+
+## app\services\notification.py
+
+```python
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+from ..database import get_database
+from ..models.notification import Notification, NotificationType
+
+class NotificationService:
+    def __init__(self):
+        self.db = get_database()
+    
+    async def create_notification(self, user_id: str, type: str, title: str, 
+                                message: str, document_id: Optional[str] = None) -> Notification:
+        notification_dict = {
+            "user_id": user_id,
+            "type": type,
+            "title": title,
+            "message": message,
+            "document_id": document_id,
+            "is_read": False,
+            "created_at": datetime.utcnow()
+        }
+        
+        result = await self.db.notifications.insert_one(notification_dict)
+        notification_dict["_id"] = result.inserted_id
+        
+        return Notification.model_validate(notification_dict)
+    
+    async def get_user_notifications(self, user_id: str, skip: int = 0, 
+                                   limit: int = 50, unread_only: bool = False) -> List[Notification]:
+        query = {"user_id": user_id}
+        if unread_only:
+            query["is_read"] = False
+        
+        cursor = self.db.notifications.find(query).sort("created_at", -1).skip(skip).limit(limit)
+        notifications = []
+        async for notification_dict in cursor:
+            notifications.append(Notification.model_validate(notification_dict))
+        return notifications
+    
+    async def mark_as_read(self, notification_id: str, user_id: str) -> bool:
+        result = await self.db.notifications.update_one(
+            {"_id": ObjectId(notification_id), "user_id": user_id},
+            {"$set": {"is_read": True}}
+        )
+        return result.modified_count > 0
+    
+    async def mark_all_as_read(self, user_id: str) -> int:
+        result = await self.db.notifications.update_many(
+            {"user_id": user_id, "is_read": False},
+            {"$set": {"is_read": True}}
+        )
+        return result.modified_count
+```
+
+---
+
+## app\services\user.py
+
+```python
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+from ..database import get_database
+from ..models.user import User, UserRole, Permission
+from ..schemas.user import UserCreate, UserUpdate
+from .auth import get_password_hash
+from .email import send_welcome_email
+
+class UserService:
+    def __init__(self):
+        self.db = get_database()
+    
+    async def create_user(self, user_data: UserCreate, created_by: str) -> User:
+        # Check if user already exists
+        existing_user = await self.db.users.find_one({
+            "$or": [
+                {"email": user_data.email},
+                {"username": user_data.username}
+            ]
+        })
+        if existing_user:
+            raise ValueError("User with this email or username already exists")
+        
+        # Create user
+        user_dict = user_data.model_dump()
+        user_dict["hashed_password"] = get_password_hash(user_dict.pop("password"))
+        user_dict["created_by"] = created_by
+        user_dict["created_at"] = datetime.utcnow()
+        user_dict["updated_at"] = datetime.utcnow()
+        
+        # Set default permissions based on role
+        if user_data.role == UserRole.ADMIN:
+            user_dict["permissions"] = [p.value for p in Permission]
+        elif user_data.role == UserRole.EDITOR:
+            user_dict["permissions"] = user_data.permissions or [Permission.VIEW, Permission.UPLOAD, Permission.EDIT]
+        else:
+            user_dict["permissions"] = [Permission.VIEW]
+        
+        result = await self.db.users.insert_one(user_dict)
+        user_dict["_id"] = result.inserted_id
+        
+        # Send welcome email
+        await send_welcome_email(user_data.email, user_data.username)
+        
+        return User.model_validate(user_dict)
+    
+    async def get_user_by_id(self, user_id: str) -> Optional[User]:
+        user_dict = await self.db.users.find_one({"_id": ObjectId(user_id)})
+        return User.model_validate(user_dict) if user_dict else None
+    
+    async def get_user_by_username(self, username: str) -> Optional[User]:
+        user_dict = await self.db.users.find_one({"username": username})
+        return User.model_validate(user_dict) if user_dict else None
+    
+    async def get_users(self, skip: int = 0, limit: int = 100, role: Optional[UserRole] = None) -> List[User]:
+        query = {}
+        if role:
+            query["role"] = role
+        
+        cursor = self.db.users.find(query).skip(skip).limit(limit)
+        users = []
+        async for user_dict in cursor:
+            users.append(User.model_validate(user_dict))
+        return users
+    
+    async def update_user(self, user_id: str, user_update: UserUpdate) -> Optional[User]:
+        update_data = {k: v for k, v in user_update.model_dump().items() if v is not None}
+        if update_data:
+            update_data["updated_at"] = datetime.utcnow()
+            result = await self.db.users.update_one(
+                {"_id": ObjectId(user_id)},
+                {"$set": update_data}
+            )
+            if result.modified_count:
+                return await self.get_user_by_id(user_id)
+        return None
+    
+    async def delete_user(self, user_id: str) -> bool:
+        result = await self.db.users.delete_one({"_id": ObjectId(user_id)})
+        return result.deleted_count > 0
+    
+    async def update_last_login(self, user_id: str):
+        await self.db.users.update_one(
+            {"_id": ObjectId(user_id)},
+            {"$set": {"last_login": datetime.utcnow()}}
+        )
+```
+
+---
+
+## app\utils\__init__.py
+
+```python
+
+```
+
+---
+
+## app\utils\permissions.py
+
+```python
+from typing import List
+from fastapi import HTTPException, status
+from ..models.user import User, UserRole, Permission
+
+def check_permission(user: User, required_permissions: List[Permission]):
+    """Check if user has required permissions"""
+    if user.role == UserRole.ADMIN:
+        return True
+    
+    user_permissions = set(user.permissions)
+    required_permissions_set = set(required_permissions)
+    
+    if not required_permissions_set.issubset(user_permissions):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+    
+    return True
+
+def is_admin(user: User):
+    """Check if user is admin"""
+    if user.role != UserRole.ADMIN:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required"
+        )
+    return True
+
+def is_staff(user: User):
+    """Check if user is admin or editor"""
+    if user.role not in [UserRole.ADMIN, UserRole.EDITOR]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Staff access required"
+        )
+    return True
+
+def can_access_document(user: User, document):
+    """Check if user can access a document"""
+    if user.role in [UserRole.ADMIN, UserRole.EDITOR]:
+        return True
+    
+    if document.visibility == "public":
+        return True
+    
+    if str(user.id) in document.assigned_customers:
+        return True
+    
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="You don't have access to this document"
+    )
+
+```
+
+---
+
+## app\utils\security.py
+
+```python
+from typing import Optional
+from datetime import datetime, timedelta
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+from ..config import settings
+from ..schemas.user import TokenData
+from ..services.user import UserService
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")  
+
+async def get_current_user(token: str = Depends(oauth2_scheme)):
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    try:
+        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+        username: str = payload.get("sub")
+        user_id: str = payload.get("user_id")
+        role: str = payload.get("role")
+        
+        if username is None or user_id is None:
+            raise credentials_exception
+        
+        token_data = TokenData(username=username, user_id=user_id, role=role)
+    except JWTError:
+        raise credentials_exception
+    
+    user_service = UserService()
+    user = await user_service.get_user_by_username(username=token_data.username)
+    
+    if user is None:
+        raise credentials_exception
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    
+    return user
+
+async def get_current_active_user(current_user = Depends(get_current_user)):
+    if not current_user.is_active:
+        raise HTTPException(status_code=400, detail="Inactive user")
+    return current_user
+```
+
+---
+
+## documentation.py
+
+```python
+import os
+import fnmatch
+from pathlib import Path
+
+def should_skip_file(filepath, filename):
+    """Check if file should be skipped based on patterns"""
+    skip_patterns = [
+        '__pycache__',
+        '*.pyc',
+        '.env*',
+        '*.log',
+        '.git*',
+        '*.tmp',
+        '*.temp',
+        'node_modules',
+        '.vscode',
+        '.idea',
+        '*.DS_Store',
+        'Thumbs.db'
+    ]
+    
+    skip_dirs = [
+        '__pycache__',
+        '.git',
+        'node_modules',
+        '.vscode',
+        '.idea',
+        'venv',
+        'env',
+        '.env'
+    ]
+    
+    # Check if any parent directory should be skipped
+    path_parts = Path(filepath).parts
+    for part in path_parts:
+        if part in skip_dirs:
+            return True
+    
+    # Check if filename matches skip patterns
+    for pattern in skip_patterns:
+        if fnmatch.fnmatch(filename, pattern):
+            return True
+    
+    return False
+
+def get_file_content(filepath):
+    """Read file content safely"""
+    try:
+        with open(filepath, 'r', encoding='utf-8') as file:
+            return file.read()
+    except UnicodeDecodeError:
+        try:
+            with open(filepath, 'r', encoding='latin-1') as file:
+                return file.read()
+        except Exception as e:
+            return f"Error reading file: {str(e)}"
+    except Exception as e:
+        return f"Error reading file: {str(e)}"
+
+def generate_documentation(root_path='.', output_file='PROJECT_DOCUMENTATION.md'):
+    """Generate complete project documentation"""
+    
+    documentation = []
+    documentation.append("# Project Documentation\n")
+    documentation.append(f"Generated from: {os.path.abspath(root_path)}\n")
+    documentation.append("---\n")
+    
+    # Get all Python files
+    python_files = []
+    
+    for root, dirs, files in os.walk(root_path):
+        # Remove directories that should be skipped
+        dirs[:] = [d for d in dirs if not should_skip_file(os.path.join(root, d), d)]
+        
+        for file in files:
+            filepath = os.path.join(root, file)
+            
+            # Skip system files and focus on Python files
+            if should_skip_file(filepath, file):
+                continue
+                
+            # Only include Python files and important config files
+            if file.endswith('.py') or file in ['requirements.txt', 'README.md', '.env.example']:
+                python_files.append(filepath)
+    
+    # Sort files for consistent output
+    python_files.sort()
+    
+    # Generate documentation for each file
+    for filepath in python_files:
+        relative_path = os.path.relpath(filepath, root_path)
+        
+        # Add file header
+        documentation.append(f"## {relative_path}\n")
+        
+        # Get file content
+        content = get_file_content(filepath)
+        
+        # Add code block with syntax highlighting
+        if filepath.endswith('.py'):
+            documentation.append("```python")
+        elif filepath.endswith('.md'):
+            documentation.append("```markdown")
+        elif filepath.endswith('.txt'):
+            documentation.append("```text")
+        else:
+            documentation.append("```")
+        
+        documentation.append(content)
+        documentation.append("```\n")
+        documentation.append("---\n")
+    
+    # Write documentation to file
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write('\n'.join(documentation))
+    
+    print(f"Documentation generated successfully: {output_file}")
+    print(f"Total files documented: {len(python_files)}")
+
+def main():
+    """Main function to run the documentation generator"""
+    # You can modify these paths as needed
+    project_root = "."  # Current directory
+    output_filename = "PROJECT_DOCUMENTATION.md"
+    
+    print("Starting documentation generation...")
+    print(f"Project root: {os.path.abspath(project_root)}")
+    print(f"Output file: {output_filename}")
+    print("=" * 50)
+    
+    generate_documentation(project_root, output_filename)
+    
+    print("=" * 50)
+    print("Documentation generation completed!")
+
+if __name__ == "__main__":
+    main()
+```
+
+---
+
+## requirements.txt
+
+```text
+fastapi==0.104.1
+uvicorn==0.24.0
+pymongo==4.5.0
+motor==3.3.2
+python-jose[cryptography]==3.3.0
+passlib[bcrypt]==1.7.4
+python-multipart==0.0.6
+python-dotenv==1.0.0
+pydantic==2.4.2
+pydantic[email]==2.4.2
+pydantic-settings==2.0.3
+aiofiles==23.2.1
+python-dateutil==2.8.2
+```
+
+---

metsa-backend/app/config.py

@@ -0,0 +1,36 @@
+from pydantic import BaseModel
+from typing import Optional
+
+class Settings(BaseModel):
+    # Application
+    APP_NAME: str = "Document Portal API"
+    APP_VERSION: str = "1.0.0"
+    DEBUG: bool = True
+    BASE_URL: str = "http://localhost:8000"
+    
+    # MongoDB
+    MONGODB_URL: str = "mongodb://localhost:27017"
+    DATABASE_NAME: str = "document_portal"
+    
+    # Security
+    SECRET_KEY: str = "your-secret-key-here-change-in-production"
+    ALGORITHM: str = "HS256"
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 1440
+    
+    # Email
+    SMTP_HOST: str = "smtp.gmail.com"
+    SMTP_PORT: int = 587
+    SMTP_USER: str = ""
+    SMTP_PASSWORD: str = ""
+    EMAILS_FROM_EMAIL: Optional[str] = None
+    EMAILS_FROM_NAME: Optional[str] = None
+    
+    # File Upload
+    UPLOAD_DIR: str = "uploads"
+    MAX_FILE_SIZE: int = 10 * 1024 * 1024
+    ALLOWED_EXTENSIONS: set = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
+    
+    model_config = {"env_file": ".env"}
+
+# Create settings instance
+settings = Settings()

metsa-backend/app/database.py

@@ -0,0 +1,18 @@
+from motor.motor_asyncio import AsyncIOMotorClient
+from typing import Optional
+from .config import settings
+
+class Database:
+    client: Optional[AsyncIOMotorClient] = None
+
+db = Database()
+
+async def connect_to_mongo():
+    db.client = AsyncIOMotorClient(settings.MONGODB_URL)
+
+async def close_mongo_connection():
+    if db.client:
+        db.client.close()
+
+def get_database():
+    return db.client[settings.DATABASE_NAME]

metsa-backend/app/main.py

@@ -0,0 +1,107 @@
+from fastapi import FastAPI, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import FileResponse
+from contextlib import asynccontextmanager
+from pathlib import Path
+import os
+
+from .config import settings
+from .database import connect_to_mongo, close_mongo_connection
+from .routers import auth, users, documents, notifications
+from .services.user import UserService
+from .schemas.user import UserCreate, UserUpdate
+from .models.user import UserRole
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Startup
+    await connect_to_mongo()
+
+    # Create upload directory
+    os.makedirs(settings.UPLOAD_DIR, exist_ok=True)
+
+    # Create default admin user if not exists
+    user_service = UserService()
+    admin = await user_service.get_user_by_username("admin")
+    if not admin:
+        admin_data = UserCreate(
+            email="admin@metsa.com",
+            username="admin",
+            password="admin123",  # Change this in production!
+            role=UserRole.ADMIN
+        )
+        await user_service.create_user(admin_data, "system")
+        print("Default admin user created: username=admin, password=admin123")
+    else:
+        # Ensure existing admin account has admin role and is active
+        if getattr(admin, 'role', None) != UserRole.ADMIN or not getattr(admin, 'is_active', True):
+            await user_service.update_user(
+                str(admin.id),
+                UserUpdate(role=UserRole.ADMIN, **({"is_active": True}))
+            )
+            print("Ensured default admin user has ADMIN role and is active")
+
+    yield
+
+    # Shutdown
+    await close_mongo_connection()
+
+app = FastAPI(
+    title=settings.APP_NAME,
+    version=settings.APP_VERSION,
+    lifespan=lifespan
+)
+
+# CORS middleware
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],  # Configure this properly in production
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Include routers
+app.include_router(auth.router, prefix="/api/v1")
+app.include_router(users.router, prefix="/api/v1")
+app.include_router(documents.router, prefix="/api/v1")
+app.include_router(notifications.router, prefix="/api/v1")
+
+@app.get("/")
+async def root():
+    return {
+        "message": "Welcome to Metsa Document Portal API",
+        "version": settings.APP_VERSION,
+        "docs": "/docs"
+    }
+
+# Serve Next.js static export (built assets)
+FRONTEND_DIR = Path(__file__).resolve().parents[2] / "metsa-frontend" / "out"
+INDEX_FILE = FRONTEND_DIR / "index.html"
+
+@app.get("/{full_path:path}")
+async def serve_frontend(full_path: str):
+    # API routes are already handled by routers with /api/v1 prefix
+    # This catches everything else and serves static files from Next.js export
+    target = (FRONTEND_DIR / full_path).resolve()
+    try:
+      # Prevent path traversal
+      target.relative_to(FRONTEND_DIR)
+    except Exception:
+      raise HTTPException(status_code=404, detail="Not Found")
+
+    if target.is_dir():
+        index_in_dir = target / "index.html"
+        if index_in_dir.exists():
+            return FileResponse(index_in_dir)
+    if target.exists() and target.is_file():
+        return FileResponse(target)
+    # Fallback to top-level index.html for SPA routes
+    if INDEX_FILE.exists():
+        return FileResponse(INDEX_FILE)
+    raise HTTPException(status_code=404, detail="Frontend not built")
+
+
+@app.get("/health")
+async def health_check():
+    return {"status": "healthy"}

metsa-backend/app/models/document.py

@@ -0,0 +1,40 @@
+from typing import Optional, List, Dict
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, Field
+from bson import ObjectId
+from .user import PyObjectId
+
+class DocumentCategory(str, Enum):
+    COMMERCIAL = "commercial"
+    QUALITY = "quality"
+    SAFETY = "safety"
+    COMPLIANCE = "compliance"
+    CONTRACTS = "contracts"
+    SPECIFICATIONS = "specifications"
+    OTHER = "other"
+
+class DocumentVisibility(str, Enum):
+    PUBLIC = "public"
+    PRIVATE = "private"
+    INTERNAL = "internal"
+
+class Document(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    title: str
+    description: Optional[str] = None
+    category: DocumentCategory
+    file_path: str
+    file_name: str
+    file_size: int
+    mime_type: str
+    visibility: DocumentVisibility = DocumentVisibility.PRIVATE
+    is_viewable_only: bool = False
+    assigned_customers: List[str] = []
+    tags: List[str] = []
+    metadata: Optional[Dict] = None
+    uploaded_by: str
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)

metsa-backend/app/models/notification.py

@@ -0,0 +1,23 @@
+from typing import Optional
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, Field
+from bson import ObjectId
+from .user import PyObjectId
+
+class NotificationType(str, Enum):
+    NEW_DOCUMENT = "new_document"
+    DOCUMENT_UPDATED = "document_updated"
+    SYSTEM = "system"
+
+class Notification(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    user_id: str
+    type: NotificationType
+    title: str
+    message: str
+    document_id: Optional[str] = None
+    is_read: bool = False
+    created_at: datetime = Field(default_factory=datetime.utcnow)

metsa-backend/app/models/user.py

@@ -0,0 +1,68 @@
+from typing import Optional, List, Dict, Any
+from datetime import datetime
+from enum import Enum
+from pydantic import BaseModel, EmailStr, Field, field_validator
+from pydantic.json_schema import JsonSchemaValue
+from pydantic_core import core_schema
+from bson import ObjectId
+
+class UserRole(str, Enum):
+    ADMIN = "admin"
+    EDITOR = "editor"
+    CUSTOMER = "customer"
+
+class Permission(str, Enum):
+    UPLOAD = "upload"
+    EDIT = "edit"
+    DELETE = "delete"
+    VIEW = "view"
+    MANAGE_USERS = "manage_users"
+    MANAGE_DOCUMENTS = "manage_documents"
+
+class PyObjectId(ObjectId):
+    @classmethod
+    def __get_pydantic_core_schema__(
+        cls, source_type: Any, handler
+    ) -> core_schema.CoreSchema:
+        return core_schema.json_or_python_schema(
+            json_schema=core_schema.str_schema(),
+            python_schema=core_schema.union_schema([
+                core_schema.is_instance_schema(ObjectId),
+                core_schema.chain_schema([
+                    core_schema.str_schema(),
+                    core_schema.no_info_plain_validator_function(cls.validate),
+                ])
+            ]),
+            serialization=core_schema.plain_serializer_function_ser_schema(
+                lambda x: str(x)
+            ),
+        )
+
+    @classmethod
+    def validate(cls, v):
+        if not ObjectId.is_valid(v):
+            raise ValueError("Invalid ObjectId")
+        return ObjectId(v)
+
+    @classmethod
+    def __get_pydantic_json_schema__(
+        cls, core_schema: core_schema.CoreSchema, handler
+    ) -> JsonSchemaValue:
+        return {"type": "string"}
+
+class User(BaseModel):
+    model_config = {"arbitrary_types_allowed": True, "populate_by_name": True}
+    
+    id: PyObjectId = Field(default_factory=PyObjectId, alias="_id")
+    email: EmailStr
+    username: str
+    hashed_password: str
+    role: UserRole
+    is_active: bool = True
+    is_verified: bool = False
+    permissions: List[Permission] = []
+    customer_info: Optional[Dict] = None
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+    created_by: Optional[str] = None
+    last_login: Optional[datetime] = None

metsa-backend/app/routers/auth.py

@@ -0,0 +1,65 @@
+from datetime import timedelta
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordRequestForm
+from ..schemas.user import Token, UserLogin, PasswordChange
+from ..services.auth import authenticate_user, create_access_token
+from ..services.user import UserService
+from ..models.user import User
+from ..utils.security import get_current_active_user
+from ..config import settings
+
+router = APIRouter(prefix="/auth", tags=["authentication"])
+
+@router.post("/login", response_model=Token)
+async def login(form_data: OAuth2PasswordRequestForm = Depends()):
+    user = await authenticate_user(form_data.username, form_data.password)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    
+    # Update last login
+    user_service = UserService()
+    await user_service.update_last_login(str(user.id))
+    
+    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    access_token = create_access_token(
+        data={
+            "sub": user.username,
+            "user_id": str(user.id),
+            "role": user.role
+        },
+        expires_delta=access_token_expires
+    )
+    
+    return {"access_token": access_token, "token_type": "bearer"}
+
+@router.post("/change-password")
+async def change_password(
+    password_data: PasswordChange,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Change user password"""
+    user_service = UserService()
+
+    success = await user_service.change_password(
+        str(current_user.id),
+        password_data.current_password,
+        password_data.new_password
+    )
+
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Current password is incorrect"
+        )
+
+    return {"message": "Password changed successfully"}

metsa-backend/app/routers/documents.py

@@ -0,0 +1,396 @@
+from typing import List, Optional
+from fastapi import APIRouter, Depends, HTTPException, status, UploadFile, File, Form
+from fastapi.responses import FileResponse
+from ..schemas.document import DocumentCreate, DocumentUpdate, DocumentResponse
+from ..models.user import User, Permission, UserRole
+from ..models.document import DocumentCategory, DocumentVisibility
+from ..services.document import DocumentService
+from ..utils.security import get_current_active_user
+from ..utils.permissions import is_staff, check_permission, can_access_document
+from ..config import settings
+import os
+import mimetypes
+
+router = APIRouter(prefix="/documents", tags=["documents"])
+
+@router.post("/", response_model=DocumentResponse)
+async def upload_document(
+    title: str = Form(...),
+    description: Optional[str] = Form(None),
+    category: DocumentCategory = Form(...),
+    visibility: DocumentVisibility = Form(DocumentVisibility.PRIVATE),
+    is_viewable_only: bool = Form(False),
+    assigned_customers: Optional[str] = Form(None),
+    tags: Optional[str] = Form(None),
+    file: UploadFile = File(...),
+    current_user: User = Depends(get_current_active_user)
+):
+    """Upload a new document (Staff only)"""
+    check_permission(current_user, [Permission.UPLOAD])
+    
+    document_service = DocumentService()
+    
+    # Validate file
+    if not file.filename:
+        raise HTTPException(status_code=400, detail="No file provided")
+    
+    file_extension = os.path.splitext(file.filename)[1].lower()
+    if file_extension not in settings.ALLOWED_EXTENSIONS:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File type not allowed. Allowed types: {', '.join(settings.ALLOWED_EXTENSIONS)}"
+        )
+    
+    # Read file content
+    content = await file.read()
+    if len(content) > settings.MAX_FILE_SIZE:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File too large. Maximum size: {settings.MAX_FILE_SIZE / 1024 / 1024}MB"
+        )
+    
+    # Save file
+    file_info = await document_service.save_file(content, file.filename, category)
+    
+    # Parse form data
+    document_data = DocumentCreate(
+        title=title,
+        description=description,
+        category=category,
+        visibility=visibility,
+        is_viewable_only=is_viewable_only,
+        assigned_customers=assigned_customers.split(",") if assigned_customers else [],
+        tags=tags.split(",") if tags else []
+    )
+    
+    # Create document
+    document = await document_service.create_document(
+        document_data,
+        file_info,
+        str(current_user.id)
+    )
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.post("/customer-upload", response_model=DocumentResponse)
+async def customer_upload_document(
+    title: str = Form(...),
+    description: Optional[str] = Form(None),
+    category: DocumentCategory = Form(...),
+    tags: Optional[str] = Form(None),
+    file: UploadFile = File(...),
+    current_user: User = Depends(get_current_active_user)
+):
+    """Upload a new document (Customer submission for review)"""
+    # Only allow customers to use this endpoint
+    if current_user.role != UserRole.CUSTOMER:
+        raise HTTPException(
+            status_code=403,
+            detail="This endpoint is for customer submissions only"
+        )
+
+    document_service = DocumentService()
+
+    # Validate file
+    if not file.filename:
+        raise HTTPException(status_code=400, detail="No file provided")
+
+    file_extension = os.path.splitext(file.filename)[1].lower()
+    if file_extension not in settings.ALLOWED_EXTENSIONS:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File type not allowed. Allowed types: {', '.join(settings.ALLOWED_EXTENSIONS)}"
+        )
+
+    # Read file content
+    content = await file.read()
+    if len(content) > settings.MAX_FILE_SIZE:
+        raise HTTPException(
+            status_code=400,
+            detail=f"File too large. Maximum size: {settings.MAX_FILE_SIZE / 1024 / 1024}MB"
+        )
+
+    # Save file
+    file_info = await document_service.save_file(content, file.filename, category)
+
+    # Parse form data - customer uploads are always private and require review
+    document_data = DocumentCreate(
+        title=title,
+        description=description,
+        category=category,
+        visibility=DocumentVisibility.PRIVATE,  # Always private for customer uploads
+        is_viewable_only=False,
+        assigned_customers=[],  # No assignments for customer uploads
+        tags=tags.split(",") if tags else []
+    )
+
+    # Create document
+    document = await document_service.create_document(
+        document_data,
+        file_info,
+        str(current_user.id)
+    )
+
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.get("/", response_model=List[DocumentResponse])
+async def get_documents(
+    skip: int = 0,
+    limit: int = 100,
+    category: Optional[DocumentCategory] = None,
+    visibility: Optional[DocumentVisibility] = None,
+    search: Optional[str] = None,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get all documents accessible to the user"""
+    document_service = DocumentService()
+
+    documents = await document_service.get_documents(
+        skip=skip,
+        limit=limit,
+        category=category,
+        visibility=visibility,
+        search=search,
+        user_id=str(current_user.id),
+        user_role=current_user.role
+    )
+    
+    return [
+        DocumentResponse(
+            id=str(doc.id),
+            title=doc.title,
+            description=doc.description,
+            category=doc.category,
+            visibility=doc.visibility,
+            is_viewable_only=doc.is_viewable_only,
+            assigned_customers=doc.assigned_customers,
+            tags=doc.tags,
+            file_name=doc.file_name,
+            file_size=doc.file_size,
+            mime_type=doc.mime_type,
+            uploaded_by=doc.uploaded_by,
+            created_at=doc.created_at,
+            updated_at=doc.updated_at
+        ) for doc in documents
+    ]
+
+@router.get("/{document_id}", response_model=DocumentResponse)
+async def get_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get document by ID"""
+    document_service = DocumentService()
+    
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    can_access_document(current_user, document)
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.get("/{document_id}/preview")
+async def preview_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Preview document (view-only, always allowed)"""
+    document_service = DocumentService()
+
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+
+    can_access_document(current_user, document)
+
+    if not os.path.exists(document.file_path):
+        raise HTTPException(status_code=404, detail="File not found")
+
+    # Ensure correct MIME type; fallback to guessed type if missing
+    media_type = document.mime_type or mimetypes.guess_type(document.file_name)[0] or "application/octet-stream"
+    return FileResponse(
+        path=document.file_path,
+        media_type=media_type,
+        headers={"Content-Disposition": "inline"}
+    )
+
+@router.get("/{document_id}/public-url")
+async def get_document_public_url(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get a public URL for the document (for Office Online Viewer).
+    Only available for documents with PUBLIC visibility and when BASE_URL is not localhost.
+    """
+    document_service = DocumentService()
+
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+
+    can_access_document(current_user, document)
+
+    # Only allow public URL for PUBLIC visibility documents
+    if document.visibility != DocumentVisibility.PUBLIC:
+        raise HTTPException(status_code=403, detail="Document must be PUBLIC to generate a public URL")
+
+    # Disallow localhost/private base URLs which Office Online Viewer cannot reach
+    base_url = settings.BASE_URL or ""
+    if any(host in base_url for host in ["localhost", "127.0.0.1", "0.0.0.0"]):
+        raise HTTPException(status_code=400, detail="BASE_URL must be a publicly accessible HTTPS URL for Office Viewer")
+
+    # Generate public URL endpoint
+    public_url = f"{base_url.rstrip('/')}/api/v1/documents/{document_id}/public-preview"
+
+    return {"url": public_url}
+
+@router.get("/{document_id}/public-preview")
+async def public_preview_document(document_id: str):
+    """Public preview endpoint for Office Online Viewer (no authentication required)"""
+    document_service = DocumentService()
+
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+
+    # Only allow public access to documents with PUBLIC visibility
+    if document.visibility != DocumentVisibility.PUBLIC:
+        raise HTTPException(status_code=403, detail="Document is not publicly accessible")
+
+    if not os.path.exists(document.file_path):
+        raise HTTPException(status_code=404, detail="File not found")
+
+    # Ensure correct MIME type; fallback to guessed type if missing
+    media_type = document.mime_type or mimetypes.guess_type(document.file_name)[0] or "application/octet-stream"
+    return FileResponse(
+        path=document.file_path,
+        media_type=media_type,
+        headers={
+            "Content-Disposition": "inline",
+            "Access-Control-Allow-Origin": "*",  # Allow CORS for Office Online Viewer
+            "Access-Control-Allow-Methods": "GET",
+            "Access-Control-Allow-Headers": "*"
+        }
+    )
+
+@router.get("/{document_id}/download")
+async def download_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Download document (blocked for view-only documents)"""
+    document_service = DocumentService()
+
+    document = await document_service.get_document_by_id(document_id)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+
+    can_access_document(current_user, document)
+
+    # Block download for view-only documents when accessed by customers
+    if document.is_viewable_only and current_user.role == UserRole.CUSTOMER:
+        raise HTTPException(status_code=403, detail="This document is view-only and cannot be downloaded")
+
+    if not os.path.exists(document.file_path):
+        raise HTTPException(status_code=404, detail="File not found")
+
+    return FileResponse(
+        path=document.file_path,
+        filename=document.file_name,
+        media_type=document.mime_type,
+        headers={"Content-Disposition": f"attachment; filename={document.file_name}"}  # Force download
+    )
+
+@router.put("/{document_id}", response_model=DocumentResponse)
+async def update_document(
+    document_id: str,
+    document_update: DocumentUpdate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Update document (Staff only)"""
+    check_permission(current_user, [Permission.EDIT])
+    
+    document_service = DocumentService()
+    
+    document = await document_service.update_document(document_id, document_update)
+    if not document:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    return DocumentResponse(
+        id=str(document.id),
+        title=document.title,
+        description=document.description,
+        category=document.category,
+        visibility=document.visibility,
+        is_viewable_only=document.is_viewable_only,
+        assigned_customers=document.assigned_customers,
+        tags=document.tags,
+        file_name=document.file_name,
+        file_size=document.file_size,
+        mime_type=document.mime_type,
+        uploaded_by=document.uploaded_by,
+        created_at=document.created_at,
+        updated_at=document.updated_at
+    )
+
+@router.delete("/{document_id}")
+async def delete_document(
+    document_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Delete document (Staff only)"""
+    check_permission(current_user, [Permission.DELETE])
+    
+    document_service = DocumentService()
+    
+    success = await document_service.delete_document(document_id)
+    if not success:
+        raise HTTPException(status_code=404, detail="Document not found")
+    
+    return {"message": "Document deleted successfully"}

metsa-backend/app/routers/notifications.py

@@ -0,0 +1,62 @@
+from typing import List
+from fastapi import APIRouter, Depends, HTTPException
+from ..schemas.notification import NotificationResponse
+from ..models.user import User
+from ..services.notification import NotificationService
+from ..utils.security import get_current_active_user
+
+router = APIRouter(prefix="/notifications", tags=["notifications"])
+
+@router.get("/", response_model=List[NotificationResponse])
+async def get_notifications(
+    skip: int = 0,
+    limit: int = 50,
+    unread_only: bool = False,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get user notifications"""
+    notification_service = NotificationService()
+    
+    notifications = await notification_service.get_user_notifications(
+        str(current_user.id),
+        skip=skip,
+        limit=limit,
+        unread_only=unread_only
+    )
+    
+    return [
+        NotificationResponse(
+            id=str(notif.id),
+            type=notif.type,
+            title=notif.title,
+            message=notif.message,
+            document_id=notif.document_id,
+            user_id=notif.user_id,
+            is_read=notif.is_read,
+            created_at=notif.created_at
+        ) for notif in notifications
+    ]
+
+@router.put("/{notification_id}/read")
+async def mark_notification_as_read(
+    notification_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Mark notification as read"""
+    notification_service = NotificationService()
+    
+    success = await notification_service.mark_as_read(notification_id, str(current_user.id))
+    if not success:
+        raise HTTPException(status_code=404, detail="Notification not found")
+    
+    return {"message": "Notification marked as read"}
+
+@router.put("/read-all")
+async def mark_all_notifications_as_read(
+    current_user: User = Depends(get_current_active_user)
+):
+    """Mark all notifications as read"""
+    notification_service = NotificationService()
+    
+    count = await notification_service.mark_all_as_read(str(current_user.id))
+    return {"message": f"{count} notifications marked as read"}

metsa-backend/app/routers/users.py

@@ -0,0 +1,159 @@
+from typing import List, Optional
+from fastapi import APIRouter, Depends, HTTPException, status
+from ..schemas.user import UserCreate, UserUpdate, UserResponse
+from ..models.user import User, UserRole
+from ..services.user import UserService
+from ..utils.security import get_current_active_user
+from ..utils.permissions import is_admin
+
+router = APIRouter(prefix="/users", tags=["users"])
+
+@router.post("/", response_model=UserResponse)
+async def create_user(
+    user_data: UserCreate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Create a new user (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    try:
+        user = await user_service.create_user(user_data, str(current_user.id))
+        return UserResponse(
+            id=str(user.id),
+            email=user.email,
+            username=user.username,
+            role=user.role,
+            permissions=user.permissions,
+            customer_info=user.customer_info,
+            is_active=user.is_active,
+            is_verified=user.is_verified,
+            created_at=user.created_at,
+            updated_at=user.updated_at,
+            last_login=user.last_login
+        )
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+@router.get("/me", response_model=UserResponse)
+async def get_current_user_info(current_user: User = Depends(get_current_active_user)):
+    """Get current user information"""
+    return UserResponse(
+        id=str(current_user.id),
+        email=current_user.email,
+        username=current_user.username,
+        role=current_user.role,
+        permissions=current_user.permissions,
+        customer_info=current_user.customer_info,
+        is_active=current_user.is_active,
+        is_verified=current_user.is_verified,
+        created_at=current_user.created_at,
+        updated_at=current_user.updated_at,
+        last_login=current_user.last_login
+    )
+
+@router.get("/", response_model=List[UserResponse])
+async def get_users(
+    skip: int = 0,
+    limit: int = 100,
+    role: Optional[UserRole] = None,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get all users (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    users = await user_service.get_users(skip=skip, limit=limit, role=role)
+    return [
+        UserResponse(
+            id=str(user.id),
+            email=user.email,
+            username=user.username,
+            role=user.role,
+            permissions=user.permissions,
+            customer_info=user.customer_info,
+            is_active=user.is_active,
+            is_verified=user.is_verified,
+            created_at=user.created_at,
+            updated_at=user.updated_at,
+            last_login=user.last_login
+        ) for user in users
+    ]
+
+@router.get("/{user_id}", response_model=UserResponse)
+async def get_user(
+    user_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Get user by ID (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    user = await user_service.get_user_by_id(user_id)
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return UserResponse(
+        id=str(user.id),
+        email=user.email,
+        username=user.username,
+        role=user.role,
+        permissions=user.permissions,
+        customer_info=user.customer_info,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+        last_login=user.last_login
+    )
+
+@router.put("/{user_id}", response_model=UserResponse)
+async def update_user(
+    user_id: str,
+    user_update: UserUpdate,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Update user (Admin only)"""
+    is_admin(current_user)
+    
+    user_service = UserService()
+    
+    user = await user_service.update_user(user_id, user_update)
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return UserResponse(
+        id=str(user.id),
+        email=user.email,
+        username=user.username,
+        role=user.role,
+        permissions=user.permissions,
+        customer_info=user.customer_info,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+        last_login=user.last_login
+    )
+
+@router.delete("/{user_id}")
+async def delete_user(
+    user_id: str,
+    current_user: User = Depends(get_current_active_user)
+):
+    """Delete user (Admin only)"""
+    is_admin(current_user)
+    
+    if str(current_user.id) == user_id:
+        raise HTTPException(status_code=400, detail="Cannot delete yourself")
+    
+    user_service = UserService()
+    
+    success = await user_service.delete_user(user_id)
+    if not success:
+        raise HTTPException(status_code=404, detail="User not found")
+    
+    return {"message": "User deleted successfully"}

metsa-backend/app/schemas/document.py

@@ -0,0 +1,34 @@
+from typing import Optional, List
+from datetime import datetime
+from pydantic import BaseModel
+from ..models.document import DocumentCategory, DocumentVisibility
+
+class DocumentBase(BaseModel):
+    title: str
+    description: Optional[str] = None
+    category: DocumentCategory
+    visibility: DocumentVisibility = DocumentVisibility.PRIVATE
+    is_viewable_only: bool = False
+    assigned_customers: List[str] = []
+    tags: List[str] = []
+
+class DocumentCreate(DocumentBase):
+    pass
+
+class DocumentUpdate(BaseModel):
+    title: Optional[str] = None
+    description: Optional[str] = None
+    category: Optional[DocumentCategory] = None
+    visibility: Optional[DocumentVisibility] = None
+    is_viewable_only: Optional[bool] = None
+    assigned_customers: Optional[List[str]] = None
+    tags: Optional[List[str]] = None
+
+class DocumentResponse(DocumentBase):
+    id: str
+    file_name: str
+    file_size: int
+    mime_type: str
+    uploaded_by: str
+    created_at: datetime
+    updated_at: datetime

metsa-backend/app/schemas/notification.py

@@ -0,0 +1,19 @@
+from typing import Optional
+from datetime import datetime
+from pydantic import BaseModel
+from ..models.notification import NotificationType
+
+class NotificationBase(BaseModel):
+    type: NotificationType
+    title: str
+    message: str
+    document_id: Optional[str] = None
+
+class NotificationCreate(NotificationBase):
+    user_id: str
+
+class NotificationResponse(NotificationBase):
+    id: str
+    user_id: str
+    is_read: bool
+    created_at: datetime

metsa-backend/app/schemas/user.py

@@ -0,0 +1,47 @@
+from typing import Optional, List
+from datetime import datetime
+from pydantic import BaseModel, EmailStr
+from ..models.user import UserRole, Permission
+
+class UserBase(BaseModel):
+    email: EmailStr
+    username: str
+    role: UserRole
+    permissions: List[Permission] = []
+    customer_info: Optional[dict] = None
+
+class UserCreate(UserBase):
+    password: str
+
+class UserUpdate(BaseModel):
+    email: Optional[EmailStr] = None
+    username: Optional[str] = None
+    role: Optional[UserRole] = None
+    permissions: Optional[List[Permission]] = None
+    is_active: Optional[bool] = None
+    customer_info: Optional[dict] = None
+
+class UserResponse(UserBase):
+    id: str
+    is_active: bool
+    is_verified: bool
+    created_at: datetime
+    updated_at: datetime
+    last_login: Optional[datetime] = None
+
+class UserLogin(BaseModel):
+    username: str
+    password: str
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+
+class TokenData(BaseModel):
+    username: Optional[str] = None
+    user_id: Optional[str] = None
+    role: Optional[str] = None
+
+class PasswordChange(BaseModel):
+    current_password: str
+    new_password: str

metsa-backend/app/services/auth.py

@@ -0,0 +1,35 @@
+from datetime import datetime, timedelta
+from typing import Optional
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from ..config import settings
+from ..models.user import User
+from ..database import get_database
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+def get_password_hash(password: str) -> str:
+    return pwd_context.hash(password)
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+async def authenticate_user(username: str, password: str):
+    db = get_database()
+    user_dict = await db.users.find_one({"username": username})
+    if not user_dict:
+        return False
+    user = User.model_validate(user_dict)
+    if not verify_password(password, user.hashed_password):
+        return False
+    return user

metsa-backend/app/services/document.py

@@ -0,0 +1,158 @@
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+import os
+import mimetypes
+import aiofiles
+from ..database import get_database
+from ..models.document import Document, DocumentVisibility, DocumentCategory
+from ..models.user import UserRole
+from ..schemas.document import DocumentCreate, DocumentUpdate
+from ..config import settings
+from .notification import NotificationService
+
+class DocumentService:
+    def __init__(self):
+        self.db = get_database()
+        self.notification_service = NotificationService()
+
+    async def create_document(self, document_data: DocumentCreate, file_info: dict, uploaded_by: str) -> Document:
+        document_dict = document_data.model_dump()
+        document_dict.update({
+            "file_path": file_info["file_path"],
+            "file_name": file_info["file_name"],
+            "file_size": file_info["file_size"],
+            "mime_type": file_info["mime_type"],
+            "uploaded_by": uploaded_by,
+            "created_at": datetime.utcnow(),
+            "updated_at": datetime.utcnow()
+        })
+
+        result = await self.db.documents.insert_one(document_dict)
+        document_dict["_id"] = result.inserted_id
+
+        # Send notifications to assigned customers
+        if document_data.assigned_customers:
+            for customer_id in document_data.assigned_customers:
+                await self.notification_service.create_notification(
+                    user_id=customer_id,
+                    type="new_document",
+                    title="New Document Available",
+                    message=f"A new document '{document_data.title}' has been uploaded for you.",
+                    document_id=str(result.inserted_id)
+                )
+
+        return Document.model_validate(document_dict)
+
+    async def get_document_by_id(self, document_id: str) -> Optional[Document]:
+        document_dict = await self.db.documents.find_one({"_id": ObjectId(document_id)})
+        return Document.model_validate(document_dict) if document_dict else None
+
+    async def get_documents(self, skip: int = 0, limit: int = 100,
+                          category: Optional[DocumentCategory] = None,
+                          visibility: Optional[DocumentVisibility] = None,
+                          search: Optional[str] = None,
+                          user_id: Optional[str] = None,
+                          user_role: Optional[UserRole] = None) -> List[Document]:
+        query: dict = {}
+
+        if category:
+            query["category"] = category.value if isinstance(category, DocumentCategory) else category
+        if visibility:
+            query["visibility"] = visibility.value if isinstance(visibility, DocumentVisibility) else visibility
+        if search:
+            query["$or"] = [
+                {"title": {"$regex": search, "$options": "i"}},
+                {"description": {"$regex": search, "$options": "i"}},
+                {"tags": {"$elemMatch": {"$regex": search, "$options": "i"}}}
+            ]
+
+        # Filter based on user role
+        if user_role == UserRole.CUSTOMER:
+            user_access = {
+                "$or": [
+                    {"visibility": DocumentVisibility.PUBLIC.value},
+                    {"assigned_customers": user_id}
+                ]
+            }
+            if "$or" in query:
+                query = {"$and": [user_access, {"$or": query["$or"]}]}
+            else:
+                query.update(user_access)
+
+        cursor = self.db.documents.find(query).skip(skip).limit(limit)
+        documents = []
+        async for document_dict in cursor:
+            documents.append(Document.model_validate(document_dict))
+        return documents
+
+    async def update_document(self, document_id: str, document_update: DocumentUpdate) -> Optional[Document]:
+        update_data = {k: v for k, v in document_update.model_dump().items() if v is not None}
+        if update_data:
+            update_data["updated_at"] = datetime.utcnow()
+
+            # Get old document for comparison
+            old_doc = await self.get_document_by_id(document_id)
+
+            result = await self.db.documents.update_one(
+                {"_id": ObjectId(document_id)},
+                {"$set": update_data}
+            )
+
+            if result.modified_count:
+                # Send notifications if assigned customers changed
+                if "assigned_customers" in update_data:
+                    new_customers = set(update_data["assigned_customers"]) - set(old_doc.assigned_customers)
+                    for customer_id in new_customers:
+                        await self.notification_service.create_notification(
+                            user_id=customer_id,
+                            type="new_document",
+                            title="Document Assigned",
+                            message=f"Document '{old_doc.title}' has been assigned to you.",
+                            document_id=document_id
+                        )
+
+                return await self.get_document_by_id(document_id)
+        return None
+
+    async def delete_document(self, document_id: str) -> bool:
+        # Get document to delete file
+        document = await self.get_document_by_id(document_id)
+        if document:
+            # Delete file from filesystem
+            try:
+                os.remove(document.file_path)
+            except:
+                pass
+
+            # Delete from database
+            result = await self.db.documents.delete_one({"_id": ObjectId(document_id)})
+            return result.deleted_count > 0
+        return False
+
+    async def save_file(self, file_content: bytes, filename: str, category: DocumentCategory | str) -> dict:
+        # Normalize category to its string value
+        category_value = category.value if isinstance(category, DocumentCategory) else category
+
+        # Create directory if not exists
+        upload_dir = os.path.join(settings.UPLOAD_DIR, category_value)
+        os.makedirs(upload_dir, exist_ok=True)
+
+        # Generate unique filename
+        timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S")
+        safe_filename = f"{timestamp}_{filename}"
+        file_path = os.path.join(upload_dir, safe_filename)
+
+        # Save file
+        async with aiofiles.open(file_path, 'wb') as f:
+            await f.write(file_content)
+
+        # Try to detect a better MIME type from the filename extension
+        guessed_mime, _ = mimetypes.guess_type(filename)
+        mime_type = guessed_mime or "application/octet-stream"
+        return {
+            "file_path": file_path,
+            "file_name": filename,
+            "file_size": len(file_content),
+            "mime_type": mime_type
+        }

metsa-backend/app/services/email.py

@@ -0,0 +1,53 @@
+import smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+from typing import List
+from ..config import settings
+
+async def send_email(to_email: str, subject: str, body: str, is_html: bool = False):
+    """Send email using SMTP"""
+    if not settings.SMTP_USER or not settings.SMTP_PASSWORD:
+        print(f"Email sending skipped (not configured): {subject} to {to_email}")
+        return
+    
+    msg = MIMEMultipart()
+    msg['From'] = settings.EMAILS_FROM_EMAIL or settings.SMTP_USER
+    msg['To'] = to_email
+    msg['Subject'] = subject
+    
+    msg.attach(MIMEText(body, 'html' if is_html else 'plain'))
+    
+    try:
+        server = smtplib.SMTP(settings.SMTP_HOST, settings.SMTP_PORT)
+        server.starttls()
+        server.login(settings.SMTP_USER, settings.SMTP_PASSWORD)
+        server.send_message(msg)
+        server.quit()
+    except Exception as e:
+        print(f"Failed to send email: {e}")
+
+async def send_welcome_email(email: str, username: str):
+    subject = "Welcome to Metsa Document Portal"
+    body = f"""
+    <h2>Welcome to Metsa Document Portal</h2>
+    <p>Hello {username},</p>
+    <p>Your account has been created successfully. You can now log in to access your documents.</p>
+    <p>Username: {username}</p>
+    <p>Please contact your administrator if you need to reset your password.</p>
+    <br>
+    <p>Best regards,<br>Metsa Team</p>
+    """
+    await send_email(email, subject, body, is_html=True)
+
+async def send_password_reset_email(email: str, reset_token: str):
+    subject = "Password Reset Request"
+    body = f"""
+    <h2>Password Reset Request</h2>
+    <p>You have requested to reset your password. Click the link below to reset it:</p>
+    <p><a href="http://portal.metsa.com/reset-password?token={reset_token}">Reset Password</a></p>
+    <p>This link will expire in 1 hour.</p>
+    <p>If you didn't request this, please ignore this email.</p>
+    <br>
+    <p>Best regards,<br>Metsa Team</p>
+    """
+    await send_email(email, subject, body, is_html=True)

metsa-backend/app/services/notification.py

@@ -0,0 +1,52 @@
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+from ..database import get_database
+from ..models.notification import Notification, NotificationType
+
+class NotificationService:
+    def __init__(self):
+        self.db = get_database()
+    
+    async def create_notification(self, user_id: str, type: str, title: str, 
+                                message: str, document_id: Optional[str] = None) -> Notification:
+        notification_dict = {
+            "user_id": user_id,
+            "type": type,
+            "title": title,
+            "message": message,
+            "document_id": document_id,
+            "is_read": False,
+            "created_at": datetime.utcnow()
+        }
+        
+        result = await self.db.notifications.insert_one(notification_dict)
+        notification_dict["_id"] = result.inserted_id
+        
+        return Notification.model_validate(notification_dict)
+    
+    async def get_user_notifications(self, user_id: str, skip: int = 0, 
+                                   limit: int = 50, unread_only: bool = False) -> List[Notification]:
+        query = {"user_id": user_id}
+        if unread_only:
+            query["is_read"] = False
+        
+        cursor = self.db.notifications.find(query).sort("created_at", -1).skip(skip).limit(limit)
+        notifications = []
+        async for notification_dict in cursor:
+            notifications.append(Notification.model_validate(notification_dict))
+        return notifications
+    
+    async def mark_as_read(self, notification_id: str, user_id: str) -> bool:
+        result = await self.db.notifications.update_one(
+            {"_id": ObjectId(notification_id), "user_id": user_id},
+            {"$set": {"is_read": True}}
+        )
+        return result.modified_count > 0
+    
+    async def mark_all_as_read(self, user_id: str) -> int:
+        result = await self.db.notifications.update_many(
+            {"user_id": user_id, "is_read": False},
+            {"$set": {"is_read": True}}
+        )
+        return result.modified_count

metsa-backend/app/services/user.py

@@ -0,0 +1,110 @@
+from typing import List, Optional
+from bson import ObjectId
+from datetime import datetime
+from ..database import get_database
+from ..models.user import User, UserRole, Permission
+from ..schemas.user import UserCreate, UserUpdate
+from .auth import get_password_hash, verify_password
+from .email import send_welcome_email
+
+class UserService:
+    def __init__(self):
+        self.db = get_database()
+    
+    async def create_user(self, user_data: UserCreate, created_by: str) -> User:
+        # Check if user already exists
+        existing_user = await self.db.users.find_one({
+            "$or": [
+                {"email": user_data.email},
+                {"username": user_data.username}
+            ]
+        })
+        if existing_user:
+            raise ValueError("User with this email or username already exists")
+        
+        # Create user
+        user_dict = user_data.model_dump()
+        user_dict["hashed_password"] = get_password_hash(user_dict.pop("password"))
+        user_dict["created_by"] = created_by
+        user_dict["created_at"] = datetime.utcnow()
+        user_dict["updated_at"] = datetime.utcnow()
+        
+        # Set default permissions based on role
+        if user_data.role == UserRole.ADMIN:
+            user_dict["permissions"] = [p.value for p in Permission]
+        elif user_data.role == UserRole.EDITOR:
+            user_dict["permissions"] = user_data.permissions or [Permission.VIEW, Permission.UPLOAD, Permission.EDIT]
+        else:
+            user_dict["permissions"] = [Permission.VIEW]
+        
+        result = await self.db.users.insert_one(user_dict)
+        user_dict["_id"] = result.inserted_id
+        
+        # Send welcome email
+        await send_welcome_email(user_data.email, user_data.username)
+        
+        return User.model_validate(user_dict)
+    
+    async def get_user_by_id(self, user_id: str) -> Optional[User]:
+        user_dict = await self.db.users.find_one({"_id": ObjectId(user_id)})
+        return User.model_validate(user_dict) if user_dict else None
+    
+    async def get_user_by_username(self, username: str) -> Optional[User]:
+        user_dict = await self.db.users.find_one({"username": username})
+        return User.model_validate(user_dict) if user_dict else None
+    
+    async def get_users(self, skip: int = 0, limit: int = 100, role: Optional[UserRole] = None) -> List[User]:
+        query = {}
+        if role:
+            query["role"] = role
+        
+        cursor = self.db.users.find(query).skip(skip).limit(limit)
+        users = []
+        async for user_dict in cursor:
+            users.append(User.model_validate(user_dict))
+        return users
+    
+    async def update_user(self, user_id: str, user_update: UserUpdate) -> Optional[User]:
+        update_data = {k: v for k, v in user_update.model_dump().items() if v is not None}
+        if update_data:
+            update_data["updated_at"] = datetime.utcnow()
+            result = await self.db.users.update_one(
+                {"_id": ObjectId(user_id)},
+                {"$set": update_data}
+            )
+            if result.modified_count:
+                return await self.get_user_by_id(user_id)
+        return None
+    
+    async def delete_user(self, user_id: str) -> bool:
+        result = await self.db.users.delete_one({"_id": ObjectId(user_id)})
+        return result.deleted_count > 0
+    
+    async def update_last_login(self, user_id: str):
+        await self.db.users.update_one(
+            {"_id": ObjectId(user_id)},
+            {"$set": {"last_login": datetime.utcnow()}}
+        )
+
+    async def change_password(self, user_id: str, current_password: str, new_password: str) -> bool:
+        """Change user password after verifying current password"""
+        # Get user
+        user = await self.get_user_by_id(user_id)
+        if not user:
+            return False
+
+        # Verify current password
+        if not verify_password(current_password, user.hashed_password):
+            return False
+
+        # Update password
+        new_hashed_password = get_password_hash(new_password)
+        result = await self.db.users.update_one(
+            {"_id": ObjectId(user_id)},
+            {"$set": {
+                "hashed_password": new_hashed_password,
+                "updated_at": datetime.utcnow()
+            }}
+        )
+
+        return result.modified_count > 0

metsa-backend/app/utils/permissions.py

@@ -0,0 +1,54 @@
+from typing import List
+from fastapi import HTTPException, status
+from ..models.user import User, UserRole, Permission
+from ..models.document import DocumentVisibility
+
+def check_permission(user: User, required_permissions: List[Permission]):
+    """Check if user has required permissions"""
+    if user.role == UserRole.ADMIN:
+        return True
+
+    user_permissions = set(user.permissions)
+    required_permissions_set = set(required_permissions)
+
+    if not required_permissions_set.issubset(user_permissions):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+
+    return True
+
+def is_admin(user: User):
+    """Check if user is admin"""
+    if user.role != UserRole.ADMIN:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required"
+        )
+    return True
+
+def is_staff(user: User):
+    """Check if user is admin or editor"""
+    if user.role not in [UserRole.ADMIN, UserRole.EDITOR]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Staff access required"
+        )
+    return True
+
+def can_access_document(user: User, document):
+    """Check if user can access a document"""
+    if user.role in [UserRole.ADMIN, UserRole.EDITOR]:
+        return True
+
+    if document.visibility == DocumentVisibility.PUBLIC:
+        return True
+
+    if str(user.id) in document.assigned_customers:
+        return True
+
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="You don't have access to this document"
+    )

metsa-backend/app/utils/security.py

@@ -0,0 +1,49 @@
+from typing import Optional
+from datetime import datetime, timedelta
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+from ..config import settings
+from ..schemas.user import TokenData
+from ..services.user import UserService
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")  
+
+async def get_current_user(token: str = Depends(oauth2_scheme)):
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    try:
+        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+        username: str = payload.get("sub")
+        user_id: str = payload.get("user_id")
+        role: str = payload.get("role")
+        
+        if username is None or user_id is None:
+            raise credentials_exception
+        
+        token_data = TokenData(username=username, user_id=user_id, role=role)
+    except JWTError:
+        raise credentials_exception
+    
+    user_service = UserService()
+    user = await user_service.get_user_by_username(username=token_data.username)
+    
+    if user is None:
+        raise credentials_exception
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    
+    return user
+
+async def get_current_active_user(current_user = Depends(get_current_user)):
+    if not current_user.is_active:
+        raise HTTPException(status_code=400, detail="Inactive user")
+    return current_user

metsa-backend/documentation.py

@@ -0,0 +1,137 @@
+import os
+import fnmatch
+from pathlib import Path
+
+def should_skip_file(filepath, filename):
+    """Check if file should be skipped based on patterns"""
+    skip_patterns = [
+        '__pycache__',
+        '*.pyc',
+        '.env*',
+        '*.log',
+        '.git*',
+        '*.tmp',
+        '*.temp',
+        'node_modules',
+        '.vscode',
+        '.idea',
+        '*.DS_Store',
+        'Thumbs.db'
+    ]
+    
+    skip_dirs = [
+        '__pycache__',
+        '.git',
+        'node_modules',
+        '.vscode',
+        '.idea',
+        'venv',
+        'env',
+        '.env'
+    ]
+    
+    # Check if any parent directory should be skipped
+    path_parts = Path(filepath).parts
+    for part in path_parts:
+        if part in skip_dirs:
+            return True
+    
+    # Check if filename matches skip patterns
+    for pattern in skip_patterns:
+        if fnmatch.fnmatch(filename, pattern):
+            return True
+    
+    return False
+
+def get_file_content(filepath):
+    """Read file content safely"""
+    try:
+        with open(filepath, 'r', encoding='utf-8') as file:
+            return file.read()
+    except UnicodeDecodeError:
+        try:
+            with open(filepath, 'r', encoding='latin-1') as file:
+                return file.read()
+        except Exception as e:
+            return f"Error reading file: {str(e)}"
+    except Exception as e:
+        return f"Error reading file: {str(e)}"
+
+def generate_documentation(root_path='.', output_file='PROJECT_DOCUMENTATION.md'):
+    """Generate complete project documentation"""
+    
+    documentation = []
+    documentation.append("# Project Documentation\n")
+    documentation.append(f"Generated from: {os.path.abspath(root_path)}\n")
+    documentation.append("---\n")
+    
+    # Get all Python files
+    python_files = []
+    
+    for root, dirs, files in os.walk(root_path):
+        # Remove directories that should be skipped
+        dirs[:] = [d for d in dirs if not should_skip_file(os.path.join(root, d), d)]
+        
+        for file in files:
+            filepath = os.path.join(root, file)
+            
+            # Skip system files and focus on Python files
+            if should_skip_file(filepath, file):
+                continue
+                
+            # Only include Python files and important config files
+            if file.endswith('.py') or file in ['requirements.txt', 'README.md', '.env.example']:
+                python_files.append(filepath)
+    
+    # Sort files for consistent output
+    python_files.sort()
+    
+    # Generate documentation for each file
+    for filepath in python_files:
+        relative_path = os.path.relpath(filepath, root_path)
+        
+        # Add file header
+        documentation.append(f"## {relative_path}\n")
+        
+        # Get file content
+        content = get_file_content(filepath)
+        
+        # Add code block with syntax highlighting
+        if filepath.endswith('.py'):
+            documentation.append("```python")
+        elif filepath.endswith('.md'):
+            documentation.append("```markdown")
+        elif filepath.endswith('.txt'):
+            documentation.append("```text")
+        else:
+            documentation.append("```")
+        
+        documentation.append(content)
+        documentation.append("```\n")
+        documentation.append("---\n")
+    
+    # Write documentation to file
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write('\n'.join(documentation))
+    
+    print(f"Documentation generated successfully: {output_file}")
+    print(f"Total files documented: {len(python_files)}")
+
+def main():
+    """Main function to run the documentation generator"""
+    # You can modify these paths as needed
+    project_root = "."  # Current directory
+    output_filename = "PROJECT_DOCUMENTATION.md"
+    
+    print("Starting documentation generation...")
+    print(f"Project root: {os.path.abspath(project_root)}")
+    print(f"Output file: {output_filename}")
+    print("=" * 50)
+    
+    generate_documentation(project_root, output_filename)
+    
+    print("=" * 50)
+    print("Documentation generation completed!")
+
+if __name__ == "__main__":
+    main()

metsa-backend/requirements.txt

@@ -0,0 +1,13 @@
+fastapi==0.104.1
+uvicorn==0.24.0
+pymongo==4.5.0
+motor==3.3.2
+python-jose[cryptography]==3.3.0
+passlib[bcrypt]==1.7.4
+python-multipart==0.0.6
+python-dotenv==1.0.0
+pydantic==2.4.2
+pydantic[email]==2.4.2
+pydantic-settings==2.0.3
+aiofiles==23.2.1
+python-dateutil==2.8.2

metsa-backend/uploads/commercial/20250818_165924_Predicting Chronic Heart Failure After Myocardial Infarction Using Machine Learning Techniques (updated).docx

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8820c1d54c416d640cbdc3df0ff0ba986e5843f9e3ae4125ca997def01e22e92
+size 1033249

metsa-backend/uploads/compliance/20250718_181330_c4611_sample_explain.pdf

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2353deadc9fa87817413b239841a373fb51de8b74a75d3c8c863de735ca0b4a0
+size 88226

metsa-backend/uploads/other/20250818_190139_MidTerm Exam Schedule Fall-2024.pdf

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1fce9887bc4c3aef4d1ed8d1fe0a86535d0c4cc7fb4d00ea55c0bbda62649eb
+size 399628

metsa-backend/uploads/other/20250818_210114_FYP_Report_Updated (1).docx

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b6a6a7deae9e2d09cf68bb1f2859cb2cfc77512cbe5f72c1395894b6125af687
+size 204944

metsa-backend/uploads/other/20250818_210611_Paper+5+598+25-4-24-P-27-32.pdf

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ecb0fab640f1469ead487048768a725a514ae3ae70051829fa5c973b3bde38ef
+size 457320

metsa-frontend

@@ -0,0 +1 @@
+Subproject commit 9ed117f3565f5bfb126c45f9bfe3f04e76d16152

scripts/build_frontend.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd /app/metsa-frontend
+export NEXT_TELEMETRY_DISABLED=1
+npm ci
+npm run build
+npm run export
+

scripts/start.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Activate Python venv
+source /app/venv/bin/activate
+
+# Run backend (FastAPI) in background on :8000
+# Note: Using 0.0.0.0 so it's reachable from the frontend container process
+cd /app/metsa-backend
+uvicorn app.main:app --host 0.0.0.0 --port 8000 &
+BACK_PID=$!
+cd /app
+
+echo "Backend started with PID ${BACK_PID}"
+
+# We now serve the frontend statically from FastAPI (same port). Nothing else to run here.
+wait ${BACK_PID}
+