goodgo-platform

admin/goodgo-platform

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ho Ngoc Hai	e89c8f5810	fix(security): add production env validation and sanitize .env.example - Add startup env validation that fails fast in production if critical vars (JWT_SECRET, JWT_REFRESH_SECRET, DATABASE_URL, CORS_ORIGINS, REDIS_HOST) are missing - Fix CORS_ORIGINS to throw in production instead of defaulting to localhost - Replace hardcoded dev passwords in .env.example with CHANGE_ME placeholders - Add missing vars to .env.example (CORS_ORIGINS, SMTP_*, FIREBASE, LOG_LEVEL) - Warn on missing optional payment/storage vars at startup Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-08 06:12:39 +07:00
Ho Ngoc Hai	402b5b6810	fix(auth): remove hardcoded JWT fallback secret — fail fast on missing env var The auth module fell back to a publicly-known secret string when JWT_SECRET was unset, creating a critical authentication bypass risk. Both jwt.strategy.ts and auth.module.ts now throw at startup if JWT_SECRET is missing. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-08 04:01:21 +07:00
Ho Ngoc Hai	e1e5fa6252	feat: scaffold monorepo with Turborepo + NestJS + Next.js - Turborepo monorepo with pnpm workspaces - apps/api: NestJS 11.x with CQRS module - apps/web: Next.js 14 App Router + TailwindCSS - src/modules/shared: base entities, Result pattern, value objects - TypeScript 5.7+ strict mode, shared tsconfig base - Build pipeline: dev, build, lint, test, typecheck Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-07 23:52:33 +07:00

Author

SHA1

Message

Date

Ho Ngoc Hai

e89c8f5810

fix(security): add production env validation and sanitize .env.example

- Add startup env validation that fails fast in production if critical vars
  (JWT_SECRET, JWT_REFRESH_SECRET, DATABASE_URL, CORS_ORIGINS, REDIS_HOST)
  are missing
- Fix CORS_ORIGINS to throw in production instead of defaulting to localhost
- Replace hardcoded dev passwords in .env.example with CHANGE_ME placeholders
- Add missing vars to .env.example (CORS_ORIGINS, SMTP_*, FIREBASE, LOG_LEVEL)
- Warn on missing optional payment/storage vars at startup

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-04-08 06:12:39 +07:00

Ho Ngoc Hai

402b5b6810

fix(auth): remove hardcoded JWT fallback secret — fail fast on missing env var

The auth module fell back to a publicly-known secret string when JWT_SECRET
was unset, creating a critical authentication bypass risk. Both jwt.strategy.ts
and auth.module.ts now throw at startup if JWT_SECRET is missing.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-04-08 04:01:21 +07:00

Ho Ngoc Hai

e1e5fa6252

feat: scaffold monorepo with Turborepo + NestJS + Next.js

- Turborepo monorepo with pnpm workspaces
- apps/api: NestJS 11.x with CQRS module
- apps/web: Next.js 14 App Router + TailwindCSS
- src/modules/shared: base entities, Result pattern, value objects
- TypeScript 5.7+ strict mode, shared tsconfig base
- Build pipeline: dev, build, lint, test, typecheck

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-04-07 23:52:33 +07:00

3 Commits