Architecture

System architecture and design decisions for the Huh platform.

Overview

Huh is a transcription and translation platform built with:

  • Frontend: Angular v20 (TypeScript)
  • Backend: Spring Boot (Kotlin)
  • Database: MongoDB
  • Storage: MinIO (S3-compatible object storage)
  • Message Queue: RabbitMQ
  • Transcription Service: Python (OpenAI Whisper)
  • Translation Service: LibreTranslate

System Components

Frontend (Angular)

  • Standalone components architecture
  • RxJS for state management
  • WebSocket client for real-time updates
  • JWT token storage and management

Backend (Spring Boot)

  • REST API endpoints
  • WebSocket server for real-time updates
  • JWT authentication
  • ACL service for fine-grained permissions
  • Email notification service

Transcription Worker (Python)

  • Consumes tasks from RabbitMQ
  • Uses OpenAI Whisper for transcription
  • Stores results in MongoDB
  • Uploads files to MinIO

Infrastructure

  • MongoDB: Document storage for transcriptions, users, ACL entries
  • MinIO: Object storage for video/audio files
  • RabbitMQ: Message queue for async transcription tasks
  • LibreTranslate: Translation service API

Data Flow

Transcription Creation

  1. User uploads file via frontend
  2. Backend receives file, stores in MinIO
  3. Transcription record created in MongoDB
  4. ACL entry created (user becomes owner)
  5. Task sent to RabbitMQ
  6. Transcription worker processes task
  7. Results stored in MongoDB
  8. WebSocket notification sent to frontend

Video Streaming

  1. User requests video access token
  2. Backend generates short-lived token
  3. Token set as HTTP-only cookie
  4. Frontend requests video with cookie
  5. Backend validates token and streams video

Security Architecture

Authentication Flow

  1. User logs in with username/email and password
  2. Backend validates credentials
  3. JWT token generated with user roles
  4. Token sent to frontend
  5. Frontend includes token in Authorization header for API requests

Authorization Flow

  1. Request received with JWT token
  2. Token validated and user context loaded
  3. ACL service checks permissions
  4. Access granted or denied based on ACL entries

ACL Architecture

Components

  • AclEntry: Individual permission grants
  • AclObjectIdentity: Maps domain objects to ACL entries
  • AclSid: Security identities (users and roles)

Permission Checking

  1. Check if user is admin (always granted)
  2. Look up object identity
  3. Retrieve ACL entries for object
  4. Check user-specific permissions
  5. Check role-based permissions
  6. Return access decision
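
The six steps above as an added Kotlin example (not Huh's own code). AclEntry, AclObjectIdentity and AclSid are the page's component names; their fields, the Permission enum, the ROLE_ADMIN role name, and denying access when an object has no ACL entries are assumptions made for illustration.

```kotlin
// Added example: in-memory model of the permission-checking steps.
// Assumed (not from the page): all field names, Permission, ROLE_ADMIN, deny-by-default.
enum class Permission { READ, WRITE, DELETE }
data class AclSid(val name: String, val isRole: Boolean)
data class AclObjectIdentity(val type: String, val id: String)
data class AclEntry(val target: AclObjectIdentity, val sid: AclSid, val permission: Permission)
data class UserContext(val username: String, val roles: Set<String>)

class AclService(entries: List<AclEntry>) {
    // Entries indexed by object identity so steps 2-3 are a single map lookup.
    private val byObject: Map<AclObjectIdentity, List<AclEntry>> = entries.groupBy { it.target }

    fun hasPermission(user: UserContext, type: String, id: String, wanted: Permission): Boolean {
        // Step 1: admins are always granted, even for objects without ACL entries.
        if ("ROLE_ADMIN" in user.roles) return true
        // Steps 2-3: look up the object identity and its entries; none means deny.
        val entries = byObject[AclObjectIdentity(type, id)] ?: return false
        val matching = entries.filter { it.permission == wanted }
        // Step 4: user-specific grants. The SID must be a user SID, not a role
        // SID that happens to share the username.
        if (matching.any { !it.sid.isRole && it.sid.name == user.username }) return true
        // Steps 5-6: role-based grants decide; anything else is denied.
        return matching.any { it.sid.isRole && it.sid.name in user.roles }
    }
}

fun main() {
    // Constructed sample data: alice owns transcription t-1, reviewers may read it.
    val t1 = AclObjectIdentity("Transcription", "t-1")
    val acl = AclService(listOf(
        AclEntry(t1, AclSid("alice", isRole = false), Permission.READ),
        AclEntry(t1, AclSid("alice", isRole = false), Permission.WRITE),
        AclEntry(t1, AclSid("ROLE_REVIEWER", isRole = true), Permission.READ),
    ))
    val alice = UserContext("alice", setOf("ROLE_USER"))
    val bob = UserContext("bob", setOf("ROLE_REVIEWER"))
    val admin = UserContext("root", setOf("ROLE_ADMIN"))
    // A username that collides with a role name must not inherit the role's grant.
    val impostor = UserContext("ROLE_REVIEWER", setOf("ROLE_USER"))

    check(acl.hasPermission(alice, "Transcription", "t-1", Permission.WRITE))   // step 4
    check(acl.hasPermission(bob, "Transcription", "t-1", Permission.READ))      // step 5
    check(!acl.hasPermission(bob, "Transcription", "t-1", Permission.WRITE))    // no grant
    check(!acl.hasPermission(impostor, "Transcription", "t-1", Permission.READ))
    check(!acl.hasPermission(alice, "Transcription", "t-404", Permission.READ)) // no identity
    check(acl.hasPermission(admin, "Transcription", "t-404", Permission.DELETE)) // step 1
    println("all ACL checks behaved as expected")
}
```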

Design Decisions

Why MongoDB for ACL?

  • Flexible schema for ACL entries
  • Efficient queries for permission checking
  • Aligns with existing MongoDB usage

Why HTTP-Only Cookies for Video Tokens?

  • HTTP-only cookies prevent JavaScript access
  • Automatic cookie handling by browsers
  • Better security than URL tokens

Why Stateless Sessions?

  • Scalability (no session storage needed)
  • JWT tokens contain all necessary information
  • Works well with microservices architecture