LawBridge is a full-stack legal services platform that connects users with verified legal professionals and provides AI-powered legal assistance. The system supports secure authentication with Two-Factor Authentication, lawyer consultations, appointment booking, Razorpay payment processing, Stream.io-based video consultations, a credit-gated AI legal chatbot, and a production-grade RAG pipeline built over Indian Constitutional Law documents.
LawBridge Database Schema: https://dbdocs.io/officialdslc1552005/LawBridgeSchema?view=relationships
- Secure registration with email verification via hashed tokens
- Magic link passwordless login for seamless authentication (15-minute expiry, single-use tokens)
- Google OAuth 2.0 login with PKCE (Proof Key for Code Exchange) for enhanced security
- JWT-based stateless authentication using short-lived access tokens and long-lived refresh tokens stored in HttpOnly cookies
- Optional Two-Factor Authentication (TOTP) via QR code or manual key entry; supports setup, verification, and disabling with password confirmation
- Password reset via time-limited email tokens
- Account deletion with OTP confirmation sent to registered email
- Profile management including name, phone, address, gender, date of birth, and profile image upload via Cloudinary
- Browse lawyers filtered by specialisation, city, experience, and fees with search and sort functionality
- Appointment booking with slot selection and conflict prevention
- Appointment scheduling constraints (maximum 2 appointments per day, and up to 3 appointments within a 5-day period)
- Razorpay payment integration for appointment fees with signature verification
- Appointment cancellation with automatic slot release back to the lawyer
- Real-time one-on-one video consultations using Stream.io Video SDK with call lifecycle tracking (join, leave, end, duration)
- Automatic video call termination via BullMQ background jobs when appointment time expires
- AI legal chatbot with session-based conversation history, Markdown-rendered responses, and a daily credit system (10 credits per user per day, reset at midnight)
- Document upload and analysis - Upload personal legal documents (PDF, DOCX, TXT, images) for AI-powered Q&A
- Hybrid RAG mode - Query both platform knowledge base and personal uploaded documents simultaneously
- User-specific document namespaces in Pinecone for isolated document storage per user
- Resources and legal information pages
- Contact, Privacy Policy, Terms and Conditions, and Refund Policy pages
- Professional profile management including speciality, degree, experience, fees, about section, and profile image
- Availability toggle to open or close appointment slots
- Appointment dashboard with upcoming and completed consultation history
- Earnings tracking for completed appointments
- Video call participation using Stream.io with the same call lifecycle as users
- Lawyer-specific authentication with separate JWT flow
- Admin authentication with dedicated JWT flow
- Add new lawyers to the platform with full profile and image upload
- View and manage all registered lawyers and users
- View and manage all appointments across the platform
- Revenue tracking and platform-wide analytics dashboard
- React 19.1.1
- Vite 7.x
- Tailwind CSS 4.x with Typography plugin
- React Router DOM 7.x with data router (
RouterProvider) - Axios with a custom interceptor for automatic silent token refresh, 429 rate-limit handling, and daily credit exhaustion handling
- React Context API for global application state (
AppContext) - Stream.io Video React SDK 1.26.x for video consultations
- React Markdown with remark-gfm and PrismJS for syntax-highlighted chatbot responses
- Lucide React for icons
- React Toastify for notifications
- Moment.js for date formatting
- React 19.1.1
- Vite 7.x
- Tailwind CSS 4.x
- React Router DOM 7.x
- Axios
- Stream.io Video React SDK 1.26.x
- Lucide React
- React Toastify
- Node.js with ES Modules
- Express.js 5.x
- MongoDB with Mongoose 8.x
- JWT access tokens (short-lived, sent via Authorization header) and refresh tokens (long-lived, stored in HttpOnly cookies)
- BullMQ 6.x for background job processing (automatic video call termination)
- Google OAuth 2.0 with
google-auth-libraryfor secure social login with PKCE - Bcrypt 6.x for password hashing
- Zod 4.x for request body validation
- Multer 2.x for multipart file handling
- Cloudinary 2.x for image storage and document storage
- Razorpay SDK 2.x for payment order creation and signature verification
- Stream.io Node SDK for video token generation and call management
- ioredis 5.x for Redis-backed rate limiting, chatbot credit tracking, and BullMQ job queues
- Helmet for HTTP security headers
- express-mongo-sanitize for MongoDB operator injection prevention
- Nodemailer and Brevo (Sendinblue) for transactional email delivery
- otpauth and qrcode for TOTP-based Two-Factor Authentication
- cookie-parser for HttpOnly refresh token cookies
- Python 3.12
- FastAPI 0.123.x with Uvicorn 0.38.x
- LangChain 0.3.x ecosystem (langchain, langchain-core, langchain-community, langchain-text-splitters, langchain-google-genai, langchain-pinecone)
- Google Gemini 2.5 Flash as the language model via
langchain-google-genai - Google
gemini-embedding-001embedding model (3072-dimensional vectors) for document and query embeddings - Pinecone 7.x serverless vector database for similarity search over legal documents
- Multi-namespace architecture - Separate namespaces for platform knowledge base (
__default__) and per-user document uploads (user-uploads-{user_id}) - PyPDF2 and pypdf for PDF document loading
- python-docx for DOCX document processing
- Pillow (PIL) with pytesseract for OCR-based text extraction from images
- LangChain
RecursiveCharacterTextSplitterfor chunking (chunk size 1000, overlap 200) - Custom production-safe batch embedding pipeline with resume-from-checkpoint, rate-limit retry logic, daily quota detection, and per-batch progress persistence
- Hybrid retrieval mode - Query platform knowledge base, user uploads, or both simultaneously
- Session-aware RAG pipeline passing last 10 conversation turns as chat history into the prompt
- Secure key header (
secure_key) for backend-to-chatbot authentication - pydantic 2.x for request/response models
- python-dotenv for environment management
Browser / Mobile
|
+-------------+-------------+
| |
Frontend (React) Admin Panel (React)
| |
+-------------+-------------+
|
Backend (Express.js)
| | |
MongoDB Cloudinary Redis
|
RAG Chatbot (FastAPI)
|
Pinecone Vector DB
Google Gemini 2.5 Flash
- The Frontend and Admin Panel are separate React applications communicating with the Backend via REST APIs.
- The Backend issues short-lived access tokens (sent in the
Authorizationheader) and long-lived refresh tokens (stored in HttpOnly cookies). The frontend Axios interceptor silently refreshes access tokens on 401 responses using a queuing mechanism to prevent duplicate refresh calls. - Redis backs both the global rate limiter (fixed-window, per-IP, 200 requests per 60 seconds across all routes) and the per-route limiter, as well as the per-user chatbot credit counter which auto-expires at midnight.
- The chatbot service is an isolated FastAPI process running on port 4000. The Express backend proxies user messages to it, attaching a shared
RAG_SECRET_KEYheader. The chatbot validates this key before processing any request. - Conversation history is persisted in MongoDB and the last 10 messages are forwarded to the RAG pipeline on each request to maintain conversational context.
- All sensitive credentials are environment-based with no hardcoded secrets.
Law_Bridge_FullStack/
├── Frontend/ # User-facing React application
│ ├── src/
│ │ ├── api/ # Axios API modules (user, lawyer, appointment, chat, payment, video)
│ │ ├── components/ # Shared UI components (Navbar, Footer, Sidebar, etc.)
│ │ ├── context/ # React Context (AppContext, token helpers)
│ │ ├── layouts/ # Route layout wrappers
│ │ ├── pages/ # Page components (Home, Lawyers, Appointment, Chatbot, etc.)
│ │ └── routes/ # React Router configuration
│ ├── package.json
│ └── vite.config.js
│
├── Admin/ # Admin and Lawyer panel React application
│ ├── src/
│ │ ├── api/
│ │ ├── components/
│ │ ├── context/
│ │ ├── layouts/
│ │ ├── pages/
│ │ │ ├── Admin/ # Admin pages (Dashboard, LawyerList, AllAppointments, AddLawyer)
│ │ │ └── Lawyer/ # Lawyer pages (LawyerDashboard, LawyerAppointments, LawyerProfile, LawyerVideoCall)
│ │ └── routes/
│ ├── package.json
│ └── vite.config.js
│
├── Backend/ # Express.js REST API server
│ ├── config/ # MongoDB, Cloudinary, Redis, Stream.io connections
│ ├── controllers/ # Route handlers (user, lawyer, admin, chat, message, video)
│ ├── middleware/ # Auth guards, rate limiters, credit manager, multer, mongo sanitize
│ ├── models/ # Mongoose models (User, Lawyer, Appointment, Conversation)
│ ├── routes/ # Express routers (auth, user, lawyer, admin, chat, message, video)
│ ├── services/ # Email templates and mail service
│ ├── utils/ # Token generation, hashing, cookie options, crypto helpers
│ ├── validations/ # Zod schemas for request and token validation
│ └── server.js # Application entry point
│
├── chatbot/ # Python FastAPI RAG chatbot service
│ ├── data/ # PDF legal documents (Indian Constitutional Law)
│ ├── src/
│ │ ├── api/
│ │ │ └── chat.py # FastAPI endpoints (/chat, /health)
│ │ ├── config/ # Environment, Gemini, and Pinecone initialisation
│ │ ├── embeddings/ # Embedding creation pipeline
│ │ ├── loaders/ # PDF loader using PyPDFLoader
│ │ ├── processors/ # Text chunker using RecursiveCharacterTextSplitter
│ │ └── vectorStore_Retrieval/ # Pinecone vector store, batch uploader, retriever
│ ├── main.py # Entry point (setup, server, or both)
│ └── req.txt # Python dependencies
│
├── doc_analyser/ # Document analyser module (in development)
├── LICENSE
└── README.md
Fields: name, email, password (bcrypt hashed), image, phone, address, gender, dob, emailVerified, emailVerificationToken, emailVerificationExpiry, resetPasswordToken, resetPasswordExpiry, deleteOtp, deleteOtpExpiresAt, refreshToken, twoFactorEnabled, twoFactorSecret, credits (dailyLimit, remaining, lastReset)
Fields: name, email, password (bcrypt hashed), image, speciality, degree, experience, about, available, fees, slots_booked, address, date, refreshToken
Fields: userId, lawyerId, slotDate, slotTime, userData (snapshot), lawyerData (snapshot), amount, date, cancelled, payment, isCompleted, videoCall (callId, roomId, status, startedAt, endedAt, duration, userJoined, lawyerJoined), createdAt, updatedAt
Fields: userId (ref: User), sessionId, title, messages (array of {role, content, timestamps}), createdAt, updatedAt. Compound unique index on (userId, sessionId).
| Method | Path | Description |
|---|---|---|
| POST | /refresh |
Refresh access token using HttpOnly refresh token cookie |
| POST | /logout |
Clear refresh token and revoke session |
| Method | Path | Description |
|---|---|---|
| POST | /register |
Register a new user account |
| POST | /login |
Login; returns access token and sets refresh cookie |
| GET | /google |
Initiate Google OAuth 2.0 login with PKCE |
| GET | /google/callback |
Handle Google OAuth callback and exchange code for tokens |
| POST | /google/exchange |
Exchange one-time code for access and refresh tokens |
| POST | /magic-link |
Request magic link for passwordless login (rate limited: 3/hour) |
| GET | /verify-magic-link/:token |
Verify magic link token and authenticate user |
| POST | /verify-email |
Verify email with hashed token from email link |
| POST | /resend-verification |
Resend email verification link |
| POST | /forgot-password |
Send password reset email |
| POST | /reset-password |
Reset password using token from email |
| GET | /profile |
Get authenticated user profile |
| PUT | /update-profile |
Update profile fields and/or upload profile image |
| GET | /appointments |
List all appointments for the authenticated user |
| POST | /cancel-appointment |
Cancel a booked appointment |
| POST | /create-payment-order |
Create a Razorpay payment order for a lawyer appointment |
| POST | /verify-payment-and-create-appointment |
Verify Razorpay payment and finalize appointment booking |
| POST | /request-delete-otp |
Request OTP to confirm account deletion |
| POST | /verify-delete-otp |
Verify OTP and permanently delete account |
| POST | /setup-2fa |
Generate TOTP secret and QR code for 2FA setup |
| POST | /verify-2fa |
Verify TOTP code and enable 2FA |
| POST | /disable-2fa |
Disable 2FA after password and TOTP verification |
| Method | Path | Description |
|---|---|---|
| POST | /login |
Lawyer login |
| GET | /profile |
Get authenticated lawyer profile |
| POST | /update-profile |
Update lawyer profile and image |
| GET | /appointments |
Get lawyer's appointment list |
| POST | /cancel-appointment |
Cancel an appointment |
| POST | /complete-appointment |
Mark appointment as completed |
| GET | /dashboard |
Get dashboard stats (earnings, appointments) |
| POST | /change-availability |
Toggle availability status |
| Method | Path | Description |
|---|---|---|
| POST | /login |
Admin login |
| POST | /add-lawyer |
Add a new lawyer with image upload |
| GET | /lawyers |
List all lawyers |
| GET | /users |
List all users |
| GET | /appointments |
List all appointments |
| POST | /cancel-appointment |
Cancel any appointment |
| GET | /dashboard |
Platform-wide stats and revenue data |
| Method | Path | Description |
|---|---|---|
| POST | /get-token |
Generate Stream.io token and create video call room for an appointment |
| POST | /update-status |
Update call status (join, leave, end) and calculate duration |
| GET | /call-details/:appointmentId |
Retrieve video call metadata for an appointment |
| Method | Path | Description |
|---|---|---|
| POST | /create |
Create a new chat session |
| GET | /:sessionId |
Get chat messages for a session |
| GET | /sessions |
Get all chat sessions for the user |
| POST | /update-title |
Update the title of a chat session |
| DELETE | /delete |
Delete a chat session |
| Method | Path | Description |
|---|---|---|
| POST | /send |
Send a message; proxies to RAG chatbot, decrements credit, saves conversation in background |
| Method | Path | Description |
|---|---|---|
| POST | /upload |
Upload a legal document (PDF, DOCX, TXT, image) for AI analysis; stores in Cloudinary and processes via chatbot |
| GET | / |
Get all uploaded documents for the authenticated user |
| Method | Path | Description |
|---|---|---|
| GET | / |
Service status |
| POST | /chat |
Accepts sessionId, history, message, user_id, and mode (knowledge-base/user-uploads/both); returns RAG-generated legal response. Requires secure_key header. |
| POST | /upload-document |
Process uploaded document: extract text, chunk, embed, and store in user-specific Pinecone namespace. Requires secure_key header. |
| GET | /health |
Health check |
- Stateless JWT authentication with two-token architecture
- Access tokens are short-lived and transmitted via the
Authorization: Bearerheader - Refresh tokens are long-lived and stored exclusively in HttpOnly, secure, sameSite cookies
- Refresh tokens are stored in the database and invalidated on logout or account deletion
- Email verification is required before full platform access
- TOTP-based Two-Factor Authentication using the
otpauthlibrary; setup delivers a QR code and a manual base32 key; a 2-window delta is accepted to tolerate clock skew - Brute-force protection on TOTP verification using Redis-backed attempt counters
- Password hashing with bcrypt (salted)
- Zod schema validation on all sensitive request bodies
- Role-based access control enforced via three separate middleware guards:
authUser,authLawyer,authAdmin - MongoDB operator injection prevention via
express-mongo-sanitize - HTTP security headers via Helmet
- CORS restricted to an explicit allowlist (
ALLOWED_ORIGINSenv variable); non-origin requests blocked in production - Global Redis-backed rate limiter: 200 requests per 60 seconds per IP across all routes
- Per-route rate limiter available for sensitive endpoints (e.g. login, 2FA verification)
- Chatbot service protected by a shared
RAG_SECRET_KEYvalidated on every request
Each user is allocated 10 chatbot queries per day. Credits are tracked in two places simultaneously:
- Redis: a per-user key (
credits:<userId>) auto-expires at midnight using a TTL calculated to the next 00:00:00 - MongoDB:
credits.remainingon the User document, decremented atomically with Redis and reset on the next day's first request
When credits are exhausted, the backend returns HTTP 403 with a daily credit limit message. The frontend Axios interceptor catches this and permanently disables the chat input for the session with a persistent toast notification.
The platform supports a comprehensive document analysis flow, allowing users to query their own uploaded legal documents alongside the platform's core legal knowledge base:
-
Frontend → Backend (Document Selection)
- User selects a file (PDF, DOCX, TXT, or image) on the frontend
- Backend performs validation: file extension, size limit (10MB), and daily upload limit (5 documents/day)
- Original file is stored securely on Cloudinary with user-specific folder structure
- File metadata is saved in MongoDB with status tracking
-
Backend → Python Chatbot API (Processing Request)
- Backend forwards file to
POST /upload-documentwithuser_id,filename,cloudinary_url, andfile_bytes - Request authenticated via shared
secure_keyheader
- Backend forwards file to
-
Python Pipeline (Document Ingestion)
- Detection: Identifies file type (PDF, DOCX, TXT, Image)
- Extraction:
- PDF: PyPDF2/pypdf page-by-page extraction
- DOCX: python-docx paragraph extraction
- TXT: Direct UTF-8 reading
- Images: Pillow + pytesseract OCR
- Chunking: RecursiveCharacterTextSplitter (1000 chars, 200 overlap)
- Embedding & Storage: Chunks vectorized with Google gemini-embedding-001 and stored in Pinecone user-specific namespace (
user-uploads-{user_id}) - Returns success response with chunk count and namespace
-
Chat Flow (Multi-Source Q&A)
- User submits question with selected mode:
knowledge-base,user-uploads, orboth - Backend forwards to
POST /chatwithmode,user_id,message, and conversationhistory - Python API performs parallel retrieval:
- knowledge-base mode: Queries
__default__namespace (platform legal documents) - user-uploads mode: Queries
user-uploads-{user_id}namespace (user's documents) - both mode: Merges results from both namespaces
- knowledge-base mode: Queries
- Top 3 most similar chunks retrieved per namespace using cosine similarity
- Combined context + last 10 messages + current question sent to Google Gemini 2.5 Flash
- Model generates response with source attribution
- User submits question with selected mode:
-
Response Delivery
- Answer returned to user with Markdown formatting
- Citations indicate source: platform knowledge base vs user uploads
- Conversation saved to MongoDB with timestamps
The chatbot service implements a core Retrieval Augmented Generation pipeline:
- PDF documents from the
chatbot/data/directory are loaded page-by-page usingPyPDFLoaderwith source filename metadata tagging. - Documents are chunked using
RecursiveCharacterTextSplitterwith a chunk size of 1000 characters and an overlap of 200 characters. - Chunks are embedded using Google
gemini-embedding-001(3072 dimensions) and stored in a Pinecone serverless index (cosine similarity, AWS us-east-1). - The embedding upload pipeline processes batches of 25 chunks, enforces a 1-second delay between batches, retries on HTTP 429 with exponential backoff (up to 5 retries), stops immediately on daily quota exhaustion, and persists batch progress to
progress.jsonfor resumable uploads. - At query time, the top 3 most similar chunks are retrieved from Pinecone using similarity search.
- The retrieved context, the last 10 messages of conversation history, and the current question are combined into a structured prompt and sent to Google Gemini 2.5 Flash.
- The prompt instructs the model to answer strictly from context when relevant, fall back to general Indian legal guidance when not, avoid referencing the context or system prompt, and use Markdown formatting when detailed output is requested.
The backend utilizes BullMQ and Redis for handling asynchronous background jobs:
- Video Call Auto-Termination:
videoWorkerautomatically ends video calls when appointment time expires - Job Scheduling: Calls scheduled to end at
slotEnd + 10 minuteswith automatic status updates and duration calculation - Job Lifecycle Tracking: QueueEvents monitor job completion and failures with detailed logging
- Graceful Handling: Failed jobs logged for debugging; completed jobs update appointment records atomically
- OAuth2 & OIDC: Secure Google login implemented using PKCE (Proof Key for Code Exchange) with:
- State parameter for CSRF protection
- Code verifier and challenge stored in secure HttpOnly cookies
- One-time code exchange mechanism to securely pass tokens to frontend
- Automatic account creation for new Google users
- Prevention of password-based login for Google-authenticated accounts
- Magic Link Authentication: Passwordless login via time-limited email tokens (15-minute expiry, single-use)
- Two-Factor Authentication (2FA): TOTP-based 2FA with:
- QR code and manual key setup
- 2-window delta for clock skew tolerance
- Brute-force protection via Redis attempt counters
- Password confirmation required for disabling
- Security Middleware:
- Global rate limiting: 200 requests/60s per IP across all routes
- Route-specific rate limiting for sensitive endpoints (login, 2FA, magic link)
helmetfor secure HTTP headersexpress-mongo-sanitizefor NoSQL injection prevention- CORS restricted to explicit allowlist
- Data Privacy:
- Secure account deletion with OTP verification
- User chat data export capability
- Per-user document isolation via Pinecone namespaces
- Node.js v18 or higher
- pnpm v10 or higher
- Python 3.12
- MongoDB Atlas or a local MongoDB instance
- Redis instance (local or hosted, e.g. Upstash)
- Pinecone account with a 3072-dimensional cosine index
- Google Cloud project with Gemini API enabled
- Cloudinary account
- Razorpay account
- Stream.io account
- Brevo (Sendinblue) account for transactional email
Clone the repository:
git clone https://github.com/Divyansh1552005/Law_Bridge_Application.git
cd Law_Bridge_FullStack
Install Frontend dependencies:
cd Frontend
pnpm install
Install Backend dependencies:
cd Backend
pnpm install
Install Admin dependencies:
cd Admin
pnpm install
Install Chatbot dependencies:
cd chatbot
python3 -m venv rag
source rag/bin/activate
pip install -r req.txt
Each service requires its own .env file. Refer to the .env.example file in the Frontend, Backend, Admin, and chatbot directories for the required variables.
Key variables by service:
Backend
MONGODB_URI– MongoDB connection stringREDIS_URL– Redis connection URLJWT_ACCESS_SECRET,JWT_REFRESH_SECRET– JWT signing secretsGOOGLE_CLIENT_ID,GOOGLE_CLIENT_SECRET– Google OAuth 2.0 credentialsCLOUDINARY_NAME,CLOUDINARY_API_KEY,CLOUDINARY_API_SECRETRAZORPAY_KEY_ID,RAZORPAY_KEY_SECRETSTREAM_API_KEY,STREAM_API_SECRETRAG_CHATBOT_API_URL– Base URL of the FastAPI chatbot serviceRAG_SECRET_KEY– Shared secret for backend-to-chatbot authenticationALLOWED_ORIGINS– Comma-separated list of allowed CORS originsFRONTEND_URL– Frontend URL for OAuth redirectsBREVO_API_KEYor SMTP credentials for email delivery
Chatbot
GOOGLE_API_KEY– Google Gemini API keyPINECONE_API_KEY– Pinecone API keyPINECONE_INDEX– Name of the Pinecone indexAPP_SECRET_KEY– Must matchRAG_SECRET_KEYin the Backend
Frontend / Admin
VITE_BACKEND_URL– URL of the Express backend
Start the Backend:
cd Backend
pnpm start
Start the Frontend:
cd Frontend
pnpm run dev
Start the Admin panel:
cd Admin
pnpm run dev
Start the Chatbot service (first-time setup, creates embeddings then starts server):
cd chatbot
source rag/bin/activate
python main.py
Start the Chatbot service (subsequent runs, embeddings already exist):
cd chatbot
source rag/bin/activate
python main.py server
Create embeddings only without starting the server:
python main.py setup
- Fork the repository
- Create a feature branch
- Commit your changes with descriptive messages
- Open a pull request against the main branch
This project is licensed under the MIT License. See the LICENSE file for details.
For support, contact: lawbridgeorg@gmail.com
LawBridge is an informational platform and does not constitute legal advice. AI-generated responses are based on publicly available legal documents and are intended for educational purposes only. Users must consult a qualified legal professional before making any legal decisions.
Built by Divyansh