Documentation

backend/.env.example

@@ -0,0 +1,227 @@
+# Looking Backend - Environment Variables
+# Copy this file to .env and fill in your values
+# NEVER commit .env files to version control
+
+# ============================================
+# SERVER CONFIGURATION
+# ============================================
+
+# Port for Express server to listen on
+# Default: 3069
+# Production: Use same port or configure via load balancer
+PORT=3069
+
+# Node environment
+# Options: development, production, test
+NODE_ENV=development
+
+# ============================================
+# DATABASE CONFIGURATION
+# ============================================
+
+# MongoDB connection string
+# Development (DevContainer): mongodb://mongo:27017/urge
+# Development (Local): mongodb://localhost:27017/urge
+# Production: Use MongoDB Atlas or managed instance
+MONGODB_URI=mongodb://mongo:27017/urge
+
+# MongoDB Admin Credentials (for connection if auth enabled)
+# Only needed if MongoDB requires authentication
+# MONGO_USER=admin
+# MONGO_PASS=password
+
+# ============================================
+# JWT AUTHENTICATION
+# ============================================
+
+# Secret key for JWT token signing
+# CRITICAL: Use a strong random string (minimum 32 characters)
+# Generate with: openssl rand -base64 32
+# NEVER share or commit this value
+JWT_SECRET=your-super-secret-jwt-key-change-this-to-random-32-chars
+
+# JWT token expiration time
+# Options: '15m', '1h', '24h', '7d'
+# Default: 15m (15 minutes)
+JWT_EXPIRES_IN=15m
+
+# ============================================
+# GOOGLE MAPS API
+# ============================================
+
+# Google Maps API key for geocoding features
+# Get API key: https://console.cloud.google.com/apis/credentials
+# Enable: Geocoding API, Places API (if used)
+# Restrict: Set HTTP referrer or IP restrictions for security
+GOOGLE_MAPS_API_KEY=AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+# ============================================
+# EMAIL CONFIGURATION (SMTP)
+# ============================================
+
+# SMTP server hostname
+# Examples:
+#   Gmail: smtp.gmail.com
+#   Outlook: smtp-mail.outlook.com
+#   SendGrid: smtp.sendgrid.net
+#   Custom: mail.yourdomain.com
+MAIL_HOST=smtp.gmail.com
+
+# SMTP server port
+# Common ports:
+#   587 - TLS/STARTTLS (recommended)
+#   465 - SSL
+#   25  - Unencrypted (not recommended)
+MAIL_PORT=587
+
+# SMTP username (usually your email address)
+MAIL_USER=support@example.com
+
+# SMTP password or app-specific password
+# For Gmail: Use App Password (not your account password)
+#   1. Go to Google Account → Security → 2-Step Verification
+#   2. Scroll to "App passwords"
+#   3. Generate password for "Mail"
+#   4. Use that 16-character password here
+MAIL_PASS=your-email-password-or-app-specific-password
+
+# Email sender name (displayed in "From" field)
+MAIL_FROM_NAME=Looking App Support
+
+# Email sender address (must match MAIL_USER or authorized sender)
+MAIL_FROM_ADDRESS=support@example.com
+
+# ============================================
+# CORS CONFIGURATION
+# ============================================
+
+# Allowed origins for CORS (comma-separated)
+# Development: * (all origins)
+# Production: Specific domains only
+# Examples:
+#   Development: *
+#   Production: https://pfosi.mifi.dev,https://www.pfosi.mifi.dev
+CORS_ORIGIN=*
+
+# ============================================
+# FILE UPLOAD CONFIGURATION
+# ============================================
+
+# Maximum file size for image uploads (in bytes)
+# 5MB = 5242880 bytes
+# 10MB = 10485760 bytes
+MAX_FILE_SIZE=5242880
+
+# Allowed image MIME types (comma-separated)
+ALLOWED_IMAGE_TYPES=image/jpeg,image/png,image/gif,image/webp
+
+# ============================================
+# LOGGING CONFIGURATION
+# ============================================
+
+# Log level
+# Options: error, warn, info, http, verbose, debug, silly
+# Production: info or warn
+# Development: debug or verbose
+LOG_LEVEL=debug
+
+# Log file location (if file logging enabled)
+# Default: logs/combined.log
+LOG_FILE=logs/combined.log
+
+# Error log file location
+LOG_ERROR_FILE=logs/error.log
+
+# ============================================
+# SECURITY CONFIGURATION
+# ============================================
+
+# Password hashing iterations (PBKDF2)
+# Higher = more secure but slower
+# Default: 233335
+# Recommended: 100000+
+PASSWORD_HASH_ITERATIONS=233335
+
+# Password minimum length
+PASSWORD_MIN_LENGTH=8
+
+# Session secret for express-session (if using sessions)
+# SESSION_SECRET=your-session-secret-change-this
+
+# ============================================
+# RATE LIMITING (if implemented)
+# ============================================
+
+# Maximum requests per window
+# RATE_LIMIT_MAX=100
+
+# Time window in milliseconds (15 minutes = 900000)
+# RATE_LIMIT_WINDOW_MS=900000
+
+# ============================================
+# PRODUCTION DEPLOYMENT
+# ============================================
+
+# Domain/hostname for the application
+# Used for email links, CORS, etc.
+# APP_URL=https://pfosi.mifi.dev
+# API_URL=https://api.pfosi.mifi.dev
+
+# Traefik labels (if using docker-compose with Traefik)
+# TRAEFIK_ENABLE=true
+# TRAEFIK_DOMAIN=api.pfosi.mifi.dev
+
+# ============================================
+# MONITORING & ANALYTICS (optional)
+# ============================================
+
+# Sentry DSN for error tracking
+# SENTRY_DSN=https://xxxxx@sentry.io/xxxxx
+
+# Google Analytics tracking ID
+# GA_TRACKING_ID=UA-XXXXXXXXX-X
+
+# ============================================
+# DATABASE SEEDING
+# ============================================
+
+# Path to seed data file
+# Default: data/profiles.json
+SEED_DATA_PATH=data/profiles.json
+
+# Auto-seed database on startup (true/false)
+# WARNING: This will wipe existing data
+# Only use in development
+AUTO_SEED=false
+
+# ============================================
+# FEATURE FLAGS (optional)
+# ============================================
+
+# Enable user story submissions via public endpoint
+# ENABLE_SUBMISSIONS=true
+
+# Require admin approval for submitted stories
+# REQUIRE_APPROVAL=true
+
+# Enable email notifications for new submissions
+# NOTIFY_ON_SUBMISSION=true
+
+# ============================================
+# NOTES
+# ============================================
+
+# 1. NEVER commit this file with real values to version control
+# 2. Add .env to .gitignore (already done)
+# 3. Use different values for development and production
+# 4. Rotate secrets regularly in production
+# 5. Use environment-specific .env files:
+#    - .env.development
+#    - .env.production
+#    - .env.test
+# 6. In production, use secret management tools:
+#    - Docker secrets
+#    - Kubernetes secrets
+#    - AWS Secrets Manager
+#    - Azure Key Vault
+#    - HashiCorp Vault