romfast/roa2web-service-auto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f115b5e35a0d65a39e72cdd4138db3cd4c174aea
roa2web-service-auto/backend/ENV-SETUP.md
Claude Agent b137e80b71 feat: multi-Oracle server support with runtime switching 
Complete implementation of multi-server Oracle database support:

Backend:
- Multi-pool Oracle with lazy loading per server
- Email-to-server cache for automatic server discovery
- JWT tokens include server_id claim
- /auth/check-identity and /auth/check-email endpoints
- /auth/my-servers endpoint for listing user's accessible servers
- Server switch with password re-authentication

Frontend:
- New ServerSelector component for header dropdown
- Multi-step login flow (identity → server → password)
- Server switching from header with password modal
- Mobile drawer menu with server selection
- Dark mode support for all new components
- URL bookmark support with ?server= query param

Scripts:
- Unified start.sh replacing start-prod.sh/start-test.sh
- Unified ssh-tunnel.sh with multi-server support
- Updated status.sh for new architecture

Tests:
- E2E tests for multi-server and single-server login flows
- Backend unit tests for all new endpoints
- Oracle multi-pool integration tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 22:39:06 +00:00

5.7 KiB
Raw Blame History

Environment Configuration Guide

Overview

The unified backend uses environment-specific configuration files that are automatically loaded by startup scripts.

SECURITY: All .env* files (except .env*.example) contain real credentials and are NEVER committed to git.

File Structure

backend/
├── .env.prod.example    # Production template (COMMITTED - no credentials)
├── .env.test.example   # Test template (COMMITTED - no credentials)
├── .env.prod.example   # Production template (COMMITTED - no credentials)
├── .env.example        # Generic template (COMMITTED)
├── .env.prod            # Production config (IGNORED - real credentials)
├── .env.test           # Test config (IGNORED - real credentials)
├── .env.prod           # Production config (IGNORED - real credentials)
└── .env                # Active config (IGNORED - auto-generated)

First-Time Setup

Production

# 1. Copy template
cp backend/.env.prod.example backend/.env.prod

# 2. Edit with your credentials
vim backend/.env.prod

# 3. Fill in:
#    - ORACLE_PASSWORD
#    - JWT_SECRET_KEY (generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))")
#    - AUTH_SESSION_SECRET (generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))")
#    - TELEGRAM_BOT_TOKEN (from @BotFather)
#    - SMTP_PASSWORD

# 4. Start
./start.sh prod

Test

# Same process with .env.test
cp backend/.env.test.example backend/.env.test
vim backend/.env.test
# Fill in TEST credentials (separate from dev!)
./start.sh test

Production

# Same process with .env.prod
cp backend/.env.prod.example backend/.env.prod
vim backend/.env.prod
# Fill in PRODUCTION credentials (generate NEW secrets!)
./start-backend.sh start

How It Works

Production

./start.sh prod       # Checks for .env.prod → copies to .env → starts backend

Test

./start.sh test      # Checks for .env.test → copies to .env → starts backend

Production

# Manual setup (one-time)
cp .env.prod.example .env.prod
vim .env.prod        # Fill in credentials
# Then start
./start-backend.sh start

Important Rules

DO

  • Copy .env.*.example to .env.* and fill in real credentials
  • Edit .env.prod for production changes
  • Edit .env.test for test environment changes
  • Edit .env.prod for production
  • Generate new secrets for each environment
  • Keep .env.prod, .env.test, .env.prod local only (never commit!)

DON'T

  • Don't commit .env, .env.prod, .env.test, or .env.prod (they're in .gitignore)
  • Don't manually edit .env (it's auto-generated!)
  • Don't use same secrets across environments
  • Don't share credentials via git (use secure channels)
  • Don't put real credentials in .env*.example files

Environment Differences

Setting .env.prod .env.test .env.prod
Oracle SID ROA roa ROA
JWT Expire 30 min 480 min 30 min
DEBUG true true false
Cache DB roa2web_cache.db roa2web_cache_test.db roa2web_cache_prod.db
Receipts DB receipts_dev.db receipts_test.db receipts_prod.db
Telegram DB telegram.db telegram_test.db telegram_prod.db

Security Notes

Template Files (.env.*.example)

These contain placeholders only:

  • Safe to commit to git
  • Shared across team
  • No real credentials
  • 📖 Used as reference for first-time setup

Actual Config Files (.env.prod, .env.test, .env.prod)

These contain real credentials:

  • NEVER commit to git (in .gitignore)
  • Never share via email/chat
  • Keep local only
  • Generate unique secrets per environment
  • 🔐 Share securely if needed (encrypted vault, 1Password, etc.)

Active Config (.env)

This is auto-generated and ignored by git:

  • Never commit to git
  • 🔄 Auto-overwritten by startup scripts
  • 📝 Edit source files (.env.prod, .env.test) instead

Generating Secrets

For JWT_SECRET_KEY and AUTH_SESSION_SECRET:

python3 -c "import secrets; print(secrets.token_urlsafe(32))"

Generate different secrets for dev, test, and production!

Quick Reference

First Time Setup

# 1. Copy template
cp backend/.env.prod.example backend/.env.prod

# 2. Fill credentials
vim backend/.env.prod

# 3. Start
./start.sh prod

Changing Configuration

# 1. Edit source file
vim backend/.env.prod

# 2. Restart to apply
./start.sh prod

Production Deployment

# 1. Copy template
cp backend/.env.prod.example backend/.env.prod

# 2. Fill in PRODUCTION values
vim backend/.env.prod

# 3. Generate NEW secrets
python3 -c "import secrets; print(secrets.token_urlsafe(32))"

# 4. Start backend
./start-backend.sh start

Troubleshooting

"Wrong database" error

Check that you're using the correct startup script:

  • Production: ./start.sh prod (uses .env.prod)
  • Test: ./start.sh test (uses .env.test)

".env.prod not found" error

First-time setup required:

cp backend/.env.prod.example backend/.env.prod
vim backend/.env.prod  # Fill in your credentials

Changes not taking effect

The .env file is regenerated on each start. Edit the source file (.env.prod or .env.test) instead.

Checking what will be committed

git status backend/.env*
# Should show:
#   modified: .env.prod.example (if you changed template)
#   nothing else!

Team Sharing

Templates only are committed to git:

  • Share configuration structure via .env*.example
  • Each developer creates their own .env.prod from template
  • Never commit actual credentials
  • Use secure channels for sharing sensitive values (1Password, encrypted vault, etc.)