mirror of
https://github.com/escalante29/WealthySmart.git
synced 2026-07-17 09:08:46 +02:00
Fail fast on missing or weak auth secrets; 7-day tokens
SECRET_KEY, ADMIN_USERNAME, and ADMIN_PASSWORD no longer have working defaults: the backend refuses to boot if they are unset, default, or weak (SEC-01). Token expiry drops from 30 to 7 days (SEC-05). New COOKIE_SECURE (default true) and CORS_ORIGINS settings. Dev compose now sources credentials from .env with required-var errors instead of hardcoding them (ARCH-14); .env.example documents the template. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
26
.env.example
Normal file
26
.env.example
Normal file
@@ -0,0 +1,26 @@
|
||||
# WealthySmart environment template.
|
||||
# Copy to .env for local development. Production values live in Gitea Actions
|
||||
# secrets and are written to .env.prod by .github/workflows/deploy.yml on every
|
||||
# deploy — new variables must be added BOTH there and here.
|
||||
|
||||
# ── Database (dev compose; must match the wealthysmart-db-dev volume) ────────
|
||||
POSTGRES_USER=wealthy_user
|
||||
POSTGRES_PASSWORD=wealthy_pass
|
||||
POSTGRES_DB=wealthysmart
|
||||
|
||||
# ── Auth (REQUIRED — the backend refuses to boot without these) ──────────────
|
||||
# Generate with: openssl rand -hex 32
|
||||
SECRET_KEY=
|
||||
ADMIN_USERNAME=admin
|
||||
# Must not be "admin".
|
||||
ADMIN_PASSWORD=
|
||||
# Cookies require HTTPS when true. Set false for local HTTP development.
|
||||
COOKIE_SECURE=false
|
||||
|
||||
# ── Push notifications (optional in dev) ─────────────────────────────────────
|
||||
VAPID_PRIVATE_KEY=
|
||||
VAPID_PUBLIC_KEY=
|
||||
|
||||
# ── AI agent (optional in dev; Asistente won't work without it) ──────────────
|
||||
OPENAI_API_KEY=
|
||||
AGENT_MODEL=gpt-5.4-mini
|
||||
Reference in New Issue
Block a user