# Looking Backend - Environment Variables
# Copy this file to .env and fill in your values
# NEVER commit .env files to version control
#
# Every value below is a placeholder or a development default. Replace each
# secret (JWT_SECRET, MAIL_PASS, GOOGLE_MAPS_API_KEY) before deploying.
# Format: one KEY=value per line, comments on their own line starting with '#'.
# Do not append a comment after a value: some env-file loaders keep the
# trailing text as part of the value.

# ============================================
# SERVER CONFIGURATION
# ============================================

# Port for Express server to listen on
# Default: 3069
# Production: Use same port or configure via load balancer
PORT=3069

# Node environment
# Options: development, production, test
# Deployed instances should run with "production": Express's default error
# handler includes stack traces in responses for any other value.
NODE_ENV=development

# ============================================
# DATABASE CONFIGURATION
# ============================================

# MongoDB connection string
# Development (DevContainer): mongodb://mongo:27017/urge
# Development (Local): mongodb://localhost:27017/urge
# Production: Use MongoDB Atlas or managed instance
# The development URIs above carry no credentials. A production instance should
# require authentication and TLS and should not be reachable from the public
# internet. If credentials are embedded in the URI, treat the whole string as
# a secret and keep it out of logs.
MONGODB_URI=mongodb://mongo:27017/urge

# MongoDB Admin Credentials (for connection if auth enabled)
# Only needed if MongoDB requires authentication
# "admin" / "password" are placeholders, not usable defaults. Prefer a
# dedicated application user with access to this database only over the
# admin account.
# MONGO_USER=admin
# MONGO_PASS=password

# ============================================
# JWT AUTHENTICATION
# ============================================

# Secret key for JWT token signing
# CRITICAL: Use a strong random string (minimum 32 characters)
# Generate with: openssl rand -base64 32
# NEVER share or commit this value
# With a shared-secret (HMAC) algorithm, anyone who knows this value can mint
# tokens the server will accept. Changing it invalidates every issued token.
# The placeholder below is long enough to pass a length-only check.
# NOTE(review): confirm the startup code rejects this exact placeholder (or an
# unset value) outside development.
JWT_SECRET=your-super-secret-jwt-key-change-this-to-random-32-chars

# JWT token expiration time
# Options: '15m', '1h', '24h', '7d'
# Default: 15m (15 minutes)
# A longer lifetime widens the window in which a stolen token stays usable.
JWT_EXPIRES_IN=15m

# ============================================
# GOOGLE MAPS API
# ============================================

# Google Maps API key for geocoding features
# Get API key: https://console.cloud.google.com/apis/credentials
# Enable: Geocoding API, Places API (if used)
# Restrict: Set HTTP referrer or IP restrictions for security
# HTTP referrer restrictions are meant for keys used from a browser; for a key
# used only by this backend, restrict by server IP address. Also limit the key
# to the APIs listed above so a leaked key cannot be billed against others.
GOOGLE_MAPS_API_KEY=AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# ============================================
# EMAIL CONFIGURATION (SMTP)
# ============================================

# SMTP server hostname
# Examples:
#   Gmail: smtp.gmail.com
#   Outlook: smtp-mail.outlook.com
#   SendGrid: smtp.sendgrid.net
#   Custom: mail.yourdomain.com
MAIL_HOST=smtp.gmail.com

# SMTP server port
# Common ports:
#   587 - TLS/STARTTLS (recommended)
#   465 - SSL (implicit TLS from the first byte)
#   25 - Unencrypted (not recommended)
# On 587 the session starts in plaintext and is upgraded with STARTTLS.
# NOTE(review): confirm the mailer is configured to require the upgrade rather
# than fall back to sending credentials in the clear.
MAIL_PORT=587

# SMTP username (usually your email address)
MAIL_USER=support@example.com

# SMTP password or app-specific password
# For Gmail: Use App Password (not your account password)
#   1. Go to Google Account → Security → 2-Step Verification
#   2. Scroll to "App passwords"
#   3. Generate password for "Mail"
#   4. Use that 16-character password here
# An app password grants mail access without the second factor: treat it like
# the account password and revoke it if this file may have been exposed.
MAIL_PASS=your-email-password-or-app-specific-password

# Email sender name (displayed in "From" field)
# The value contains unquoted spaces. That relies on the loader taking the
# rest of the line as the value - presumably true for the loader this project
# uses; verify before reusing the file with other tooling.
MAIL_FROM_NAME=Looking App Support

# Email sender address (must match MAIL_USER or authorized sender)
MAIL_FROM_ADDRESS=support@example.com

# ============================================
# CORS CONFIGURATION
# ============================================

# Allowed origins for CORS (comma-separated)
# Development: * (all origins)
# Production: Specific domains only
# Examples:
#   Development: *
#   Production: https://pfosi.mifi.dev,https://www.pfosi.mifi.dev
# '*' lets scripts on any website read this API's responses. List exact
# origins (scheme and host) in production and do not work around the wildcard
# by echoing back whatever Origin the request carries.
CORS_ORIGIN=*

# ============================================
# FILE UPLOAD CONFIGURATION
# ============================================

# Maximum file size for image uploads (in bytes)
# 5MB = 5242880 bytes
# 10MB = 10485760 bytes
MAX_FILE_SIZE=5242880

# Allowed image MIME types (comma-separated)
# The Content-Type a client declares is under the client's control.
# NOTE(review): confirm the upload handler also inspects the file content and
# does not rely on the declared type alone.
ALLOWED_IMAGE_TYPES=image/jpeg,image/png,image/gif,image/webp

# ============================================
# LOGGING CONFIGURATION
# ============================================

# Log level
# Options: error, warn, info, http, verbose, debug, silly
# Production: info or warn
# Development: debug or verbose
# The more verbose levels may record request details; keep tokens, passwords
# and full connection strings out of log output at every level.
LOG_LEVEL=debug

# Log file location (if file logging enabled)
# Default: logs/combined.log
# Keep the log directory outside any statically served path and out of
# version control.
LOG_FILE=logs/combined.log

# Error log file location
LOG_ERROR_FILE=logs/error.log

# ============================================
# SECURITY CONFIGURATION
# ============================================

# Password hashing iterations (PBKDF2)
# Higher = more secure but slower
# Default: 233335
# Recommended: 100000+ as an absolute floor. Current OWASP guidance is higher:
# 600000 for PBKDF2-HMAC-SHA256, 210000 for PBKDF2-HMAC-SHA512.
# NOTE(review): confirm which digest the application uses, and whether the
# iteration count is stored with each hash - if it is not, changing this
# value breaks verification of existing passwords.
PASSWORD_HASH_ITERATIONS=233335

# Password minimum length
PASSWORD_MIN_LENGTH=8

# Session secret for express-session (if using sessions)
# Generate it the same way as JWT_SECRET and use a different value, so that
# exposure of one secret does not compromise the other.
# SESSION_SECRET=your-session-secret-change-this

# ============================================
# RATE LIMITING (if implemented)
# ============================================

# Maximum requests per window
# RATE_LIMIT_MAX=100

# Time window in milliseconds (15 minutes = 900000)
# RATE_LIMIT_WINDOW_MS=900000

# ============================================
# PRODUCTION DEPLOYMENT
# ============================================

# Domain/hostname for the application
# Used for email links, CORS, etc.
# APP_URL=https://pfosi.mifi.dev
# API_URL=https://api.pfosi.mifi.dev

# Traefik labels (if using docker-compose with Traefik)
# TRAEFIK_ENABLE=true
# TRAEFIK_DOMAIN=api.pfosi.mifi.dev

# ============================================
# MONITORING & ANALYTICS (optional)
# ============================================

# Sentry DSN for error tracking
# SENTRY_DSN=https://xxxxx@sentry.io/xxxxx

# Google Analytics tracking ID
# GA_TRACKING_ID=UA-XXXXXXXXX-X

# ============================================
# DATABASE SEEDING
# ============================================

# Path to seed data file
# Default: data/profiles.json
SEED_DATA_PATH=data/profiles.json

# Auto-seed database on startup (true/false)
# WARNING: This will wipe existing data
# Only use in development
# NOTE(review): consider having the application refuse AUTO_SEED=true when
# NODE_ENV=production, so a copied development .env cannot erase live data.
AUTO_SEED=false

# ============================================
# FEATURE FLAGS (optional)
# ============================================

# Enable user story submissions via public endpoint
# ENABLE_SUBMISSIONS=true

# Require admin approval for submitted stories
# REQUIRE_APPROVAL=true

# Enable email notifications for new submissions
# NOTIFY_ON_SUBMISSION=true

# ============================================
# NOTES
# ============================================
# 1. NEVER commit this file with real values to version control
#    (this example file is committed with placeholders only; the .env copy
#    is never committed)
# 2. Add .env to .gitignore (already done)
#    Verify with: git check-ignore -v .env
# 3. Use different values for development and production
# 4. Rotate secrets regularly in production
#    Rotate immediately if a value may have been exposed: deleting it in a
#    later commit does not remove it from repository history.
# 5. Use environment-specific .env files:
#    - .env.development
#    - .env.production
#    - .env.test
# 6. In production, use secret management tools:
#    - Docker secrets
#    - Kubernetes secrets
#    - AWS Secrets Manager
#    - Azure Key Vault
#    - HashiCorp Vault