romfast/roa2web-service-auto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b137e80b71b1b660b384bceb1704462a32b7c629
roa2web-service-auto/backend/ENV-SETUP.md
Claude Agent b137e80b71 feat: multi-Oracle server support with runtime switching 
Complete implementation of multi-server Oracle database support:

Backend:
- Multi-pool Oracle with lazy loading per server
- Email-to-server cache for automatic server discovery
- JWT tokens include server_id claim
- /auth/check-identity and /auth/check-email endpoints
- /auth/my-servers endpoint for listing user's accessible servers
- Server switch with password re-authentication

Frontend:
- New ServerSelector component for header dropdown
- Multi-step login flow (identity → server → password)
- Server switching from header with password modal
- Mobile drawer menu with server selection
- Dark mode support for all new components
- URL bookmark support with ?server= query param

Scripts:
- Unified start.sh replacing start-prod.sh/start-test.sh
- Unified ssh-tunnel.sh with multi-server support
- Updated status.sh for new architecture

Tests:
- E2E tests for multi-server and single-server login flows
- Backend unit tests for all new endpoints
- Oracle multi-pool integration tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 22:39:06 +00:00

213 lines
5.7 KiB
Markdown
Raw Blame History

# Environment Configuration Guide
## Overview
The unified backend uses environment-specific configuration files that are automatically loaded by startup scripts.
**SECURITY**: All `.env*` files (except `.env*.example`) contain real credentials and are **NEVER committed to git**.
## File Structure
```
backend/
├── .env.prod.example # Production template (COMMITTED - no credentials)
├── .env.test.example # Test template (COMMITTED - no credentials)
├── .env.prod.example # Production template (COMMITTED - no credentials)
├── .env.example # Generic template (COMMITTED)
├── .env.prod # Production config (IGNORED - real credentials)
├── .env.test # Test config (IGNORED - real credentials)
├── .env.prod # Production config (IGNORED - real credentials)
└── .env # Active config (IGNORED - auto-generated)
```
## First-Time Setup
### Production
```bash
# 1. Copy template
cp backend/.env.prod.example backend/.env.prod
# 2. Edit with your credentials
vim backend/.env.prod
# 3. Fill in:
# - ORACLE_PASSWORD
# - JWT_SECRET_KEY (generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))")
# - AUTH_SESSION_SECRET (generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))")
# - TELEGRAM_BOT_TOKEN (from @BotFather)
# - SMTP_PASSWORD
# 4. Start
./start.sh prod
```
### Test
```bash
# Same process with .env.test
cp backend/.env.test.example backend/.env.test
vim backend/.env.test
# Fill in TEST credentials (separate from dev!)
./start.sh test
```
### Production
```bash
# Same process with .env.prod
cp backend/.env.prod.example backend/.env.prod
vim backend/.env.prod
# Fill in PRODUCTION credentials (generate NEW secrets!)
./start-backend.sh start
```
## How It Works
### Production
```bash
./start.sh prod # Checks for .env.prod → copies to .env → starts backend
```
### Test
```bash
./start.sh test # Checks for .env.test → copies to .env → starts backend
```
### Production
```bash
# Manual setup (one-time)
cp .env.prod.example .env.prod
vim .env.prod # Fill in credentials
# Then start
./start-backend.sh start
```
## Important Rules
### ✅ DO
- Copy `.env.*.example` to `.env.*` and fill in real credentials
- Edit `.env.prod` for production changes
- Edit `.env.test` for test environment changes
- Edit `.env.prod` for production
- Generate **new** secrets for each environment
- Keep `.env.prod`, `.env.test`, `.env.prod` **local only** (never commit!)
### ❌ DON'T
- Don't commit `.env`, `.env.prod`, `.env.test`, or `.env.prod` (they're in .gitignore)
- Don't manually edit `.env` (it's auto-generated!)
- Don't use same secrets across environments
- Don't share credentials via git (use secure channels)
- Don't put real credentials in `.env*.example` files
## Environment Differences
| Setting | .env.prod | .env.test | .env.prod |
|---------|----------|-----------|-----------|
| Oracle SID | `ROA` | `roa` | `ROA` |
| JWT Expire | 30 min | 480 min | 30 min |
| DEBUG | `true` | `true` | `false` |
| Cache DB | `roa2web_cache.db` | `roa2web_cache_test.db` | `roa2web_cache_prod.db` |
| Receipts DB | `receipts_dev.db` | `receipts_test.db` | `receipts_prod.db` |
| Telegram DB | `telegram.db` | `telegram_test.db` | `telegram_prod.db` |
## Security Notes
### Template Files (.env.*.example)
These contain **placeholders only**:
- ✅ Safe to commit to git
- ✅ Shared across team
- ✅ No real credentials
- 📖 Used as reference for first-time setup
### Actual Config Files (.env.prod, .env.test, .env.prod)
These contain **real credentials**:
-**NEVER commit to git** (in .gitignore)
- ❌ Never share via email/chat
- ✅ Keep local only
- ✅ Generate unique secrets per environment
- 🔐 Share securely if needed (encrypted vault, 1Password, etc.)
### Active Config (.env)
This is **auto-generated** and **ignored by git**:
- ❌ Never commit to git
- 🔄 Auto-overwritten by startup scripts
- 📝 Edit source files (.env.prod, .env.test) instead
## Generating Secrets
For `JWT_SECRET_KEY` and `AUTH_SESSION_SECRET`:
```bash
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
```
Generate **different** secrets for dev, test, and production!
## Quick Reference
### First Time Setup
```bash
# 1. Copy template
cp backend/.env.prod.example backend/.env.prod
# 2. Fill credentials
vim backend/.env.prod
# 3. Start
./start.sh prod
```
### Changing Configuration
```bash
# 1. Edit source file
vim backend/.env.prod
# 2. Restart to apply
./start.sh prod
```
### Production Deployment
```bash
# 1. Copy template
cp backend/.env.prod.example backend/.env.prod
# 2. Fill in PRODUCTION values
vim backend/.env.prod
# 3. Generate NEW secrets
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
# 4. Start backend
./start-backend.sh start
```
## Troubleshooting
### "Wrong database" error
Check that you're using the correct startup script:
- Production: `./start.sh prod` (uses `.env.prod`)
- Test: `./start.sh test` (uses `.env.test`)
### ".env.prod not found" error
First-time setup required:
```bash
cp backend/.env.prod.example backend/.env.prod
vim backend/.env.prod # Fill in your credentials
```
### Changes not taking effect
The `.env` file is regenerated on each start. Edit the source file (`.env.prod` or `.env.test`) instead.
### Checking what will be committed
```bash
git status backend/.env*
# Should show:
# modified: .env.prod.example (if you changed template)
# nothing else!
```
## Team Sharing
**Templates only** are committed to git:
- Share configuration structure via `.env*.example`
- Each developer creates their own `.env.prod` from template
- Never commit actual credentials
- Use secure channels for sharing sensitive values (1Password, encrypted vault, etc.)
Reference in New Issue View Git Blame Copy Permalink