admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7438dfd9b109b3f5e50e4675bea0f36eca4f99be
honeyDueAPI/deploy/prod.env.example
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00

74 lines
1.8 KiB
Plaintext
Raw Blame History

# API service settings
DEBUG=false
ALLOWED_HOSTS=api.casera.app,casera.app
CORS_ALLOWED_ORIGINS=https://casera.app,https://admin.casera.app
TIMEZONE=UTC
BASE_URL=https://casera.app
PORT=8000
# Admin service settings
NEXT_PUBLIC_API_URL=https://api.casera.app
ADMIN_PANEL_URL=https://admin.casera.app
# Database (Neon recommended)
DB_HOST=CHANGEME_NEON_HOST
DB_PORT=5432
POSTGRES_USER=CHANGEME_DB_USER
POSTGRES_DB=casera
DB_SSLMODE=require
DB_MAX_OPEN_CONNS=25
DB_MAX_IDLE_CONNS=10
DB_MAX_LIFETIME=600s
# Redis (in stack defaults to redis://redis:6379/0)
REDIS_URL=redis://redis:6379/0
REDIS_DB=0
# Email (password goes in deploy/secrets/email_host_password.txt)
EMAIL_HOST=smtp.gmail.com
EMAIL_PORT=587
EMAIL_USE_TLS=true
EMAIL_HOST_USER=CHANGEME_EMAIL_USER
DEFAULT_FROM_EMAIL=Casera <noreply@casera.app>
# Push notifications
# APNS private key goes in deploy/secrets/apns_auth_key.p8
APNS_AUTH_KEY_ID=CHANGEME_APNS_KEY_ID
APNS_TEAM_ID=CHANGEME_APNS_TEAM_ID
APNS_TOPIC=com.tt.casera
APNS_USE_SANDBOX=false
APNS_PRODUCTION=true
# Worker schedules (UTC)
TASK_REMINDER_HOUR=14
OVERDUE_REMINDER_HOUR=15
DAILY_DIGEST_HOUR=3
# Storage
STORAGE_UPLOAD_DIR=/app/uploads
STORAGE_BASE_URL=/uploads
STORAGE_MAX_FILE_SIZE=10485760
STORAGE_ALLOWED_TYPES=image/jpeg,image/png,image/gif,image/webp,application/pdf
# Feature flags
FEATURE_PUSH_ENABLED=true
FEATURE_EMAIL_ENABLED=true
FEATURE_WEBHOOKS_ENABLED=true
FEATURE_ONBOARDING_EMAILS_ENABLED=true
FEATURE_PDF_REPORTS_ENABLED=true
FEATURE_WORKER_ENABLED=true
# Optional auth/iap values
APPLE_CLIENT_ID=
APPLE_TEAM_ID=
GOOGLE_CLIENT_ID=
GOOGLE_ANDROID_CLIENT_ID=
GOOGLE_IOS_CLIENT_ID=
APPLE_IAP_KEY_ID=
APPLE_IAP_ISSUER_ID=
APPLE_IAP_BUNDLE_ID=
APPLE_IAP_KEY_PATH=
APPLE_IAP_SANDBOX=false
GOOGLE_IAP_PACKAGE_NAME=
GOOGLE_IAP_SERVICE_ACCOUNT_PATH=
Reference in New Issue View Git Blame Copy Permalink