admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e0154a0105702f4e7ad2ec9f83875c411c7940ce
goodgo-platform/.env.example
Ho Ngoc Hai e89cd0ce84 fix(security): reject placeholder/weak JWT secrets at startup 
The env-validation module previously only checked that JWT_SECRET and
JWT_REFRESH_SECRET were _present_ — it accepted any value, including
known placeholders like "CHANGE_ME". This meant a developer could copy
.env.example verbatim and run the app with predictable, forgeable tokens.

Changes:
- Add FORBIDDEN_SECRET_VALUES blocklist (case-insensitive) with 23 common
  placeholder strings (CHANGE_ME, secret, password, test, etc.)
- Enforce minimum 32-character length for JWT secrets (NIST HMAC guidance)
- Export validateJwtSecret() for direct testing and reuse
- Update .env.example: replace "CHANGE_ME" with generation instructions
- Add 14 unit tests covering placeholder rejection, length enforcement,
  missing-var errors, and production-mode validation

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-09 01:20:30 +07:00

146 lines
5.2 KiB
Plaintext
Raw Blame History

# =============================================================================
# GoodGo Platform — Environment Variables
# Copy this file to .env and update values for your local environment
# =============================================================================
# -----------------------------------------------------------------------------
# PostgreSQL + PostGIS
# -----------------------------------------------------------------------------
DB_HOST=localhost
DB_PORT=5432
DB_NAME=goodgo
DB_USER=goodgo
DB_PASSWORD=CHANGE_ME
DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?schema=public
# -----------------------------------------------------------------------------
# Redis
# -----------------------------------------------------------------------------
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=
REDIS_URL=redis://${REDIS_HOST}:${REDIS_PORT}
# -----------------------------------------------------------------------------
# Typesense
# -----------------------------------------------------------------------------
TYPESENSE_HOST=localhost
TYPESENSE_PORT=8108
TYPESENSE_PROTOCOL=http
TYPESENSE_API_KEY=CHANGE_ME
# -----------------------------------------------------------------------------
# MinIO (S3-compatible Object Storage)
# -----------------------------------------------------------------------------
MINIO_ENDPOINT=localhost
MINIO_PORT=9000
MINIO_CONSOLE_PORT=9001
MINIO_ACCESS_KEY=CHANGE_ME
MINIO_SECRET_KEY=CHANGE_ME
MINIO_BUCKET=goodgo-media
MINIO_USE_SSL=false
# -----------------------------------------------------------------------------
# NestJS API
# -----------------------------------------------------------------------------
API_PORT=3000
PORT=3001
NODE_ENV=development
# -----------------------------------------------------------------------------
# CORS — comma-separated allowed origins (REQUIRED in production)
# -----------------------------------------------------------------------------
CORS_ORIGINS=http://localhost:3000,http://localhost:3001
# -----------------------------------------------------------------------------
# JWT / Auth (REQUIRED — app will not start without these)
#
# SECURITY: Generate strong, random secrets (min 32 characters).
# openssl rand -base64 48
#
# Do NOT use placeholder values like "CHANGE_ME" — the app will reject them.
# Each secret must be unique and kept out of version control.
# -----------------------------------------------------------------------------
JWT_SECRET=<generate with: openssl rand -base64 48>
JWT_EXPIRES_IN=15m
JWT_REFRESH_SECRET=<generate with: openssl rand -base64 48>
JWT_REFRESH_EXPIRES_IN=7d
# -----------------------------------------------------------------------------
# OAuth Providers
# -----------------------------------------------------------------------------
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_CALLBACK_URL=http://localhost:3001/auth/google/callback
ZALO_APP_ID=
ZALO_APP_SECRET=
ZALO_CALLBACK_URL=http://localhost:3001/auth/zalo/callback
FRONTEND_URL=http://localhost:3000
# -----------------------------------------------------------------------------
# Next.js Web
# -----------------------------------------------------------------------------
NEXT_PUBLIC_API_URL=http://localhost:3000
WEB_PORT=3001
# -----------------------------------------------------------------------------
# AI Service (Python/FastAPI)
# -----------------------------------------------------------------------------
AI_SERVICE_PORT=8000
AI_SERVICE_URL=http://localhost:8000
CLAUDE_API_KEY=
# -----------------------------------------------------------------------------
# Mapbox
# -----------------------------------------------------------------------------
NEXT_PUBLIC_MAPBOX_TOKEN=
# -----------------------------------------------------------------------------
# Payment Gateways (VNPay, MoMo, ZaloPay)
# Leave empty if not using payment features
# -----------------------------------------------------------------------------
VNPAY_TMN_CODE=
VNPAY_HASH_SECRET=
VNPAY_BASE_URL=https://sandbox.vnpayment.vn/paymentv2/vpcpay.html
VNPAY_API_URL=https://sandbox.vnpayment.vn/merchant_webapi/api/transaction
MOMO_PARTNER_CODE=
MOMO_ACCESS_KEY=
MOMO_SECRET_KEY=
MOMO_ENDPOINT=https://test-payment.momo.vn/v2/gateway/api
ZALOPAY_APP_ID=
ZALOPAY_KEY1=
ZALOPAY_KEY2=
ZALOPAY_ENDPOINT=https://sb-openapi.zalopay.vn/v2
# -----------------------------------------------------------------------------
# Email / SMTP
# -----------------------------------------------------------------------------
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_USER=
SMTP_PASS=
SMTP_FROM=noreply@goodgo.vn
# -----------------------------------------------------------------------------
# Firebase Cloud Messaging (optional)
# -----------------------------------------------------------------------------
FIREBASE_SERVICE_ACCOUNT=
# -----------------------------------------------------------------------------
# Sentry Error Tracking
# -----------------------------------------------------------------------------
SENTRY_DSN=
NEXT_PUBLIC_SENTRY_DSN=
SENTRY_AUTH_TOKEN=
SENTRY_ORG=
SENTRY_PROJECT=
# -----------------------------------------------------------------------------
# Logging
# -----------------------------------------------------------------------------
LOG_LEVEL=info
Reference in New Issue View Git Blame Copy Permalink