fix(security): add production env validation and sanitize .env.example

- Add startup env validation that fails fast in production if critical vars (JWT_SECRET, JWT_REFRESH_SECRET, DATABASE_URL, CORS_ORIGINS, REDIS_HOST) are missing - Fix CORS_ORIGINS to throw in production instead of defaulting to localhost - Replace hardcoded dev passwords in .env.example with CHANGE_ME placeholders - Add missing vars to .env.example (CORS_ORIGINS, SMTP_*, FIREBASE, LOG_LEVEL) - Warn on missing optional payment/storage vars at startup Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:12:39 +07:00
parent d77c14e549
commit e89c8f5810
4 changed files with 112 additions and 10 deletions
--- a/.env.example
+++ b/.env.example
@@ -10,7 +10,7 @@ DB_HOST=localhost
 DB_PORT=5432
 DB_NAME=goodgo
 DB_USER=goodgo
-DB_PASSWORD=goodgo_secret
+DB_PASSWORD=CHANGE_ME
 DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?schema=public

 # -----------------------------------------------------------------------------
@@ -18,6 +18,7 @@ DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_N
 # -----------------------------------------------------------------------------
 REDIS_HOST=localhost
 REDIS_PORT=6379
+REDIS_PASSWORD=
 REDIS_URL=redis://${REDIS_HOST}:${REDIS_PORT}

 # -----------------------------------------------------------------------------
@@ -26,16 +27,16 @@ REDIS_URL=redis://${REDIS_HOST}:${REDIS_PORT}
 TYPESENSE_HOST=localhost
 TYPESENSE_PORT=8108
 TYPESENSE_PROTOCOL=http
-TYPESENSE_API_KEY=ts_dev_key_change_me
+TYPESENSE_API_KEY=CHANGE_ME

 # -----------------------------------------------------------------------------
 # MinIO (S3-compatible Object Storage)
 # -----------------------------------------------------------------------------
 MINIO_ENDPOINT=localhost
-MINIO_API_PORT=9000
+MINIO_PORT=9000
 MINIO_CONSOLE_PORT=9001
-MINIO_USER=minioadmin
-MINIO_PASSWORD=minioadmin_secret
+MINIO_ACCESS_KEY=CHANGE_ME
+MINIO_SECRET_KEY=CHANGE_ME
 MINIO_BUCKET=goodgo-media
 MINIO_USE_SSL=false

@@ -43,14 +44,20 @@ MINIO_USE_SSL=false
 # NestJS API
 # -----------------------------------------------------------------------------
 API_PORT=3000
+PORT=3001
 NODE_ENV=development

 # -----------------------------------------------------------------------------
-# JWT / Auth (REQUIRED — app will not start without JWT_SECRET)
+# CORS — comma-separated allowed origins (REQUIRED in production)
 # -----------------------------------------------------------------------------
-JWT_SECRET=your_jwt_secret_change_me
+CORS_ORIGINS=http://localhost:3000,http://localhost:3001
+
+# -----------------------------------------------------------------------------
+# JWT / Auth (REQUIRED — app will not start without these)
+# -----------------------------------------------------------------------------
+JWT_SECRET=CHANGE_ME
 JWT_EXPIRES_IN=15m
-JWT_REFRESH_SECRET=your_refresh_secret_change_me
+JWT_REFRESH_SECRET=CHANGE_ME
 JWT_REFRESH_EXPIRES_IN=7d

 # -----------------------------------------------------------------------------
@@ -63,6 +70,7 @@ WEB_PORT=3001
 # AI Service (Python/FastAPI)
 # -----------------------------------------------------------------------------
 AI_SERVICE_PORT=8000
+AI_SERVICE_URL=http://localhost:8000
 CLAUDE_API_KEY=

 # -----------------------------------------------------------------------------
@@ -72,12 +80,38 @@ NEXT_PUBLIC_MAPBOX_TOKEN=

 # -----------------------------------------------------------------------------
 # Payment Gateways (VNPay, MoMo, ZaloPay)
+# Leave empty if not using payment features
 # -----------------------------------------------------------------------------
 VNPAY_TMN_CODE=
 VNPAY_HASH_SECRET=
+VNPAY_BASE_URL=https://sandbox.vnpayment.vn/paymentv2/vpcpay.html
+VNPAY_API_URL=https://sandbox.vnpayment.vn/merchant_webapi/api/transaction
+
 MOMO_PARTNER_CODE=
 MOMO_ACCESS_KEY=
 MOMO_SECRET_KEY=
+MOMO_ENDPOINT=https://test-payment.momo.vn/v2/gateway/api
+
 ZALOPAY_APP_ID=
 ZALOPAY_KEY1=
 ZALOPAY_KEY2=
+ZALOPAY_ENDPOINT=https://sb-openapi.zalopay.vn/v2
+
+# -----------------------------------------------------------------------------
+# Email / SMTP
+# -----------------------------------------------------------------------------
+SMTP_HOST=localhost
+SMTP_PORT=1025
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM=noreply@goodgo.vn
+
+# -----------------------------------------------------------------------------
+# Firebase Cloud Messaging (optional)
+# -----------------------------------------------------------------------------
+FIREBASE_SERVICE_ACCOUNT=
+
+# -----------------------------------------------------------------------------
+# Logging
+# -----------------------------------------------------------------------------
+LOG_LEVEL=info