romfast/space-booking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
space-booking/backend/.env.example
Claude Agent 7ce430cc1d feat(security): harden for production deployment 
- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 19:44:20 +00:00

51 lines
1.5 KiB
Plaintext
Raw Permalink Blame History

# Application settings
APP_NAME="Space Booking API"
# DEBUG=true for local dev. In production set DEBUG=false — the app will then
# REFUSE to start unless SECRET_KEY is changed from the default below.
DEBUG=true
# Database
DATABASE_URL="sqlite:///./space_booking.db"
# JWT
SECRET_KEY="your-secret-key-change-in-production"
ALGORITHM="HS256"
ACCESS_TOKEN_EXPIRE_MINUTES=1440
# SMTP
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_USER=
SMTP_PASSWORD=
SMTP_FROM_ADDRESS=noreply@space-booking.local
SMTP_ENABLED=false
# Frontend URL (used for OAuth callback redirects)
FRONTEND_URL=http://localhost:5173
# Google Calendar Integration
GOOGLE_CLIENT_ID=your_google_client_id_here
GOOGLE_CLIENT_SECRET=your_google_client_secret_here
GOOGLE_REDIRECT_URI=http://localhost:8000/api/integrations/google/callback
# Demo seed (LOCAL DEV ONLY). The entrypoint runs seed_db.py only when
# RUN_SEED=1. It plants weak demo accounts/content — never set this in prod.
# RUN_SEED=1
# ADMIN_PASSWORD=
# MANAGER_PASSWORD=
# USER_PASSWORD=
# === PRODUCTION (Dokploy) ===
# Do NOT set RUN_SEED. Tables are auto-created on boot, and the FIRST user to
# register becomes the superadmin (instance owner) — register your own account
# first, immediately after deploy.
# DEBUG=false
# SECRET_KEY=<python -c "import secrets; print(secrets.token_hex(32))">
# FRONTEND_URL=https://space.roa.romfast.ro
# SMTP_ENABLED=true
# SMTP_HOST=smtp.example.com
# SMTP_PORT=587
# SMTP_USER=user@example.com
# SMTP_PASSWORD=parola
# SMTP_FROM_ADDRESS=rezervari@romfast.ro
Reference in New Issue View Git Blame Copy Permalink