# Divemap Environment Configuration
# Copy this file to .env and replace every placeholder with your own secure values
# Database Configuration
MYSQL_ROOT_PASSWORD=your_secure_root_password_here
MYSQL_DATABASE=divemap
MYSQL_USER=divemap_user
MYSQL_PASSWORD=your_secure_database_password_here
# Backend Configuration
# Generate a secure secret: openssl rand -hex 32
SECRET_KEY=your_very_long_random_secret_key_here_minimum_32_characters
# Token Configuration
ACCESS_TOKEN_EXPIRE_MINUTES=15 # Short-lived for security
REFRESH_TOKEN_EXPIRE_DAYS=30 # Longer-lived for convenience
REFRESH_TOKEN_COOKIE_SECURE=false # Set to true in production (HTTPS)
REFRESH_TOKEN_COOKIE_HTTPONLY=true # Keeps the cookie out of reach of page scripts, limiting the impact of XSS
REFRESH_TOKEN_COOKIE_SAMESITE=strict # Strictest setting; acceptable here because the app sits behind nginx
ENABLE_TOKEN_ROTATION=true # Issue new refresh token with each refresh
ENABLE_AUDIT_LOGGING=true # Log authentication events
MAX_ACTIVE_SESSIONS_PER_USER=5 # Limit concurrent sessions
# JWT Configuration
ALGORITHM=HS256 # JWT signing algorithm
# Development Environment
ENVIRONMENT=development
NODE_ENV=development
CORS_ORIGINS=http://localhost
ALLOWED_ORIGINS=http://localhost
SUSPICIOUS_PROXY_CHAIN_LENGTH=3 # Development: lower threshold for stricter monitoring of local proxy chains
# External Services
OPENAI_API_KEY=your_openai_api_key_here
# Google OAuth Configuration
# Get these from Google Cloud Console: https://console.cloud.google.com/
#GOOGLE_CLIENT_ID=your_google_client_id_here
#GOOGLE_CLIENT_SECRET=your_google_client_secret_here
# Cloudflare Turnstile Configuration
# Get these from Cloudflare Dashboard: https://dash.cloudflare.com/?to=/:account/turnstile
TURNSTILE_SECRET_KEY=your_turnstile_secret_key_here
TURNSTILE_SITE_KEY=your_turnstile_site_key_here
TURNSTILE_VERIFY_URL=https://challenges.cloudflare.com/turnstile/v0/siteverify
# Cloudflare R2 Storage Configuration (Optional)
# If any of these are missing, local filesystem storage will be used
# Get these from Cloudflare Dashboard: https://dash.cloudflare.com/?to=/:account/r2
#R2_ACCOUNT_ID=your_r2_account_id_here
#R2_ACCESS_KEY_ID=your_r2_access_key_id_here
#R2_SECRET_ACCESS_KEY=your_r2_secret_access_key_here
#R2_BUCKET_NAME=your_r2_bucket_name_here
# Chat Subsystem Configuration
# Generate a secure secret: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
CHAT_MASTER_KEY=your_chat_master_key_here
# AWS Configuration for Email Notifications (Optional)
# If not configured, email notifications will not be sent
# Get these from AWS Console: https://console.aws.amazon.com/
#AWS_ACCESS_KEY_ID=your_aws_access_key_id
#AWS_SECRET_ACCESS_KEY=your_aws_secret_access_key
#AWS_REGION=eu-central-1
#AWS_SQS_QUEUE_URL=https://sqs.REGION.amazonaws.com/ACCOUNT_ID/divemap-email-queue
#AWS_SES_FROM_EMAIL=noreply@divemap.com
#AWS_SES_FROM_NAME=Divemap
#FRONTEND_URL=https://divemap.com
# Lambda API Key (for internal service authentication)
# Generate with: openssl rand -hex 32
# Must match the lambda_api_key in terraform.tfvars
#LAMBDA_API_KEY=your-secure-random-api-key-here
# Production Environment
#ENVIRONMENT=production
#CORS_ORIGINS=https://divemap.gr,https://divemap.fly.dev
#ALLOWED_ORIGINS=https://divemap.gr,https://divemap.fly.dev
#REFRESH_TOKEN_COOKIE_SECURE=true # HTTPS required in production
#REFRESH_TOKEN_COOKIE_SAMESITE=strict # Maximum security in production
#SUSPICIOUS_PROXY_CHAIN_LENGTH=6 # Production: Cloudflare + Fly.io + nginx + frontend + backend = ~6 hops
# Security Notes:
# 1. Generate strong passwords using: openssl rand -base64 32
# 2. Generate JWT secret using: openssl rand -hex 32
# 3. Never commit the .env file to version control
# 4. Use different passwords for each service
# 5. Rotate secrets regularly in production
# Cloudflare API key and zone ID used by `make purge-cache`
#CLOUDFLARE_API_KEY=your_cloudflare_api_key_here
#CLOUDFLARE_ZONE_ID=your_cloudflare_zone_id_here
# Deployment Configuration
# Path to Fly.io configuration directory (optional)
# If unset, the 'fly' binary will use its system default (~/.fly)
#FLY_CONFIG_DIR=~/.fly-myconfig