feat: enhance backend security and configuration

- Updated Dockerfile to improve security with a non-root user and added health checks.
- Modified docker-compose.yml to set containers as read-only, restrict ports to localhost, and implement health checks.
- Enhanced .env.example with additional environment variables for security and configuration.
- Improved FastAPI application with middleware for security headers, CORS, and body size limits.
- Refactored authentication flow in auth.py to include state validation and improved error handling.
- Added rate limiting to various endpoints to prevent abuse.
- Updated researcher and publication handling to ensure better validation and error management.

backend/app/services/normalizer.py

@@ -1,5 +1,8 @@
 from typing import List
 
+# ---------------------------------------------------------
+# Función auxiliar: obtener valor de un diccionario
+# ---------------------------------------------------------
 
 def _get(d: dict | None, *keys, default=None):
     cur = d or {}
@@ -11,6 +14,9 @@ def _get(d: dict | None, *keys, default=None):
             return default
     return cur
 
+# ---------------------------------------------------------
+# Clase de normalización de publicaciones
+# ---------------------------------------------------------
 
 class PublicationNormalizer:
     @staticmethod

backend/app/services/orcid_client.py

@@ -14,8 +14,14 @@ BASE_URL_SANDBOX = "https://pub.sandbox.orcid.org/v3.0"
 # TOKEN_URL_PROD = "https://orcid.org/oauth/token"
 # BASE_URL_PROD = "https://pub.orcid.org/v3.0"
 
+# ---------------------------------------------------------
+# Clase de cliente de ORCID
+# ---------------------------------------------------------
 
 class ORCIDClient:
+    # ---------------------------------------------------------
+    # Función auxiliar: inicializar el cliente de ORCID
+    # ---------------------------------------------------------
     def __init__(self):
         # Asegura que al ejecutar `uvicorn` local también se carga `backend/.env`.
         # (En docker `ORCID_REDIRECT_URI` y secretos llegan por env_file, así que esto no molesta.)
@@ -115,6 +121,10 @@ class ORCIDClient:
             params["state"] = state
         return f"{self.authorization_url}?{urllib.parse.urlencode(params)}"
 
+    # ---------------------------------------------------------
+    # Función auxiliar: intercambiar código de autorización
+    # ---------------------------------------------------------
+
     def exchange_authorization_code(
         self,
         *,

backend/app/services/sword_generator.py

@@ -6,6 +6,9 @@ ATOM_NS = "http://www.w3.org/2005/Atom"
 DC_NS = "http://purl.org/dc/elements/1.1/"
 EXTRA_NS = "http://example.org/orcid-extra"   # namespace para campos extendidos
 
+# ---------------------------------------------------------
+# Clase de generador de feed SWORD
+# ---------------------------------------------------------
 
 class SWORDGenerator:
 

backend/app/services/sync_service.py

@@ -8,12 +8,23 @@ from app.db.repositories.researcher_repository import ResearcherRepository
 from app.db.repositories.publication_repository import PublicationRepository
 from app.db.repositories.syncjob_repository import SyncJobRepository
 
+# ---------------------------------------------------------
+# Clase de servicio de sincronización
+# ---------------------------------------------------------
 
 class SyncService:
 
+    # ---------------------------------------------------------
+    # Función auxiliar: inicializar el servicio de sincronización
+    # ---------------------------------------------------------
+
     def __init__(self):
         self.orcid_client = ORCIDClient()
 
+    # ---------------------------------------------------------
+    # Función auxiliar: sincronizar las publicaciones de un investigador
+    # ---------------------------------------------------------
+
     def sync_researcher(self, db: Session, orcid_id: str):
         """
         Sincroniza las publicaciones de un investigador con manejo robusto de errores.
@@ -109,6 +120,10 @@ class SyncService:
             "total": new_records + updated_records
         }
 
+    # ---------------------------------------------------------
+    # Función auxiliar: sincronizar y obtener investigador + publicaciones
+    # ---------------------------------------------------------
+
     def sync_and_get_full(self, db: Session, orcid_id: str):
         """
         Sincroniza (si es necesario) y devuelve investigador + publicaciones.

backend/app/services/zip_generator.py

@@ -7,12 +7,16 @@ from xml.etree.ElementTree import Element, SubElement, tostring
 from app.db.models import Publication, Researcher
 from app.services.sword_generator import SWORDGenerator
 
+# ---------------------------------------------------------
+# Clase de generador de ZIP
+# ---------------------------------------------------------
 
 class ZIPGenerator:
 
     # ---------------------------------------------------------
-    # MANIFEST.TXT — más completo
+    # Función auxiliar: generar manifest.txt
     # ---------------------------------------------------------
+
     @staticmethod
     def generate_manifest(researcher, publications):
         lines = [