till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-23 19:06:42 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

🔒️ feat(auth): centralize JWT validation and add deployment docs

Browse source 
- Migrate Chat, Picture, Presi, Zitare backends to shared auth guards
- Remove duplicate local JWT guards and decorators
- Add CD staging workflow for tagged releases
- Add comprehensive auth architecture documentation
- Add Hetzner deployment and Docker setup guides
- Add environment configuration audit docs
- Update env generation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Wuesteon 2025-12-01 20:44:45 +01:00
parent 942c588e15
commit 5b0b3095ff
50 changed files with 11916 additions and 718 deletions
Download patch file Download diff file Expand all files Collapse all files

234
docs/ENV_BACKEND_MATRIX.md Normal file
View file

@ -0,0 +1,234 @@
# Environment Variable Configuration Matrix
## Backend Authentication & Port Status
```
╔══════════════════╦════════╦═══════════════════════╦═════════════════════╦═══════════════╗
║ Backend ║ Port ║ Auth URL Variable ║ Dev Bypass ║ Validation ║
╠══════════════════╬════════╬═══════════════════════╬═════════════════════╬═══════════════╣
║ Mana Core Auth ║ 3001 ║ N/A (Auth service) ║ N/A ║ ✓ Config svc ║
║ Chat ║ 3002 ║ MANA_CORE_AUTH_URL ║ ✓ Implemented ║ ✗ Missing ║
║ Maerchenzauber ║ 3003 ║ MANA_SERVICE_URL ║ ? Unknown ║ ? Unknown ║
║ Manadeck ║ 3004 ║ MANA_SERVICE_URL ║ ? Unknown ║ ✓ Joi schema ║
║ Picture ║ 3003 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Nutriphi ║ 3002 ║ MANACORE_AUTH_URL ║ ? Unknown ║ ? Unknown ║
║ Zitare ║ 3007 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Presi ║ 3008 ║ MANA_CORE_AUTH_URL ║ ✗ Missing ║ ✗ Missing ║
║ Voxel Lava ║ 3010 ║ ? Not checked ║ ? Unknown ║ ? Unknown ║
║ Mana Games ║ 3011 ║ ? Not checked ║ ? Unknown ║ ? Unknown ║
╚══════════════════╩════════╩═══════════════════════╩═════════════════════╩═══════════════╝
```
Legend:
- ✓ = Implemented/Present
- ✗ = Missing/Not implemented
- ? = Not analyzed in this audit
- Port conflicts highlighted in red
---
## Database URL Configuration
```
╔══════════════════╦════════════════════════════════════════════════╦════════════════╗
║ Backend ║ Database URL Variable ║ Generated ║
╠══════════════════╬════════════════════════════════════════════════╬════════════════╣
║ Mana Core Auth ║ MANA_CORE_AUTH_DATABASE_URL ║ ✓ via gen-env ║
║ Chat ║ CHAT_DATABASE_URL ║ ✓ via gen-env ║
║ Manadeck ║ MANADECK_DATABASE_URL ║ ✓ via gen-env ║
║ Picture ║ PICTURE_DATABASE_URL ║ ✓ via gen-env ║
║ Nutriphi ║ NUTRIPHI_DATABASE_URL ║ ✓ via gen-env ║
║ Zitare ║ ZITARE_DATABASE_URL ║ ✓ via gen-env ║
║ Presi ║ PRESI_DATABASE_URL ║ ✓ via gen-env ║
║ Voxel Lava ║ VOXEL_LAVA_DATABASE_URL ║ ✓ via gen-env ║
║ Mana Games ║ None specified ║ N/A ║
╚══════════════════╩════════════════════════════════════════════════╩════════════════╝
```
---
## CORS Configuration Status
```
╔══════════════════╦═══════════════════════════════════╦═════════════════════════════════╗
║ Backend ║ CORS Implementation ║ Recommendation ║
╠══════════════════╬═══════════════════════════════════╬═════════════════════════════════╣
║ Chat ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Picture ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Zitare ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Presi ║ Hardcoded array in main.ts ║ Move to CORS_ORIGINS env var ║
║ Manadeck ║ configService.get('FRONTEND_URL') ║ Already using env var (better) ║
║ Mana Core Auth ║ configService array ║ Already using env var (good) ║
╚══════════════════╩═══════════════════════════════════╩═════════════════════════════════╝
```
Current hardcoded CORS allowed origins (should be environment variable):
```javascript
// In 4 backends
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:5173', // Primary web dev port
'http://localhost:5174', // Secondary web port
'http://localhost:5175', // Tertiary web port
'http://localhost:5177', // Zitare web
'http://localhost:5178', // Chat web / Presi web
'http://localhost:8081', // Expo dev server
'exp://localhost:8081', // Expo protocol
'http://localhost:3001', // Mana Core Auth
]
```
---
## Port Availability & Conflicts
```
Port 3000 ━━━━━━━━ [FREE]
Port 3001 ━━━━━━━━ Mana Core Auth (ACTIVE)
Port 3002 ━━━━━━━━ Chat (ACTIVE) + Nutriphi (ACTIVE) ⚠ CONFLICT!
3002a Chat
3002b Nutriphi (should be 3006)
Port 3003 ━━━━━━━━ Maerchenzauber (ACTIVE) + Picture (ACTIVE) ⚠ CONFLICT!
3003a Maerchenzauber
3003b Picture (should be 3005)
Port 3004 ━━━━━━━━ Manadeck (ACTIVE)
Port 3005 ━━━━━━━━ [AVAILABLE] ← Assign to Picture
Port 3006 ━━━━━━━━ [AVAILABLE] ← Assign to Nutriphi
Port 3007 ━━━━━━━━ Zitare (ACTIVE)
Port 3008 ━━━━━━━━ Presi (ACTIVE)
Port 3009 ━━━━━━━━ [RESERVED - mentioned in CLAUDE.md]
Port 3010 ━━━━━━━━ Voxel Lava (ACTIVE)
Port 3011 ━━━━━━━━ Mana Games (ACTIVE)
```
---
## Environment Variable Generation Map
### From .env.development to Backend .env Files
```
MANA_CORE_AUTH_PORT (3001)
↓ (generate-env.mjs line 61)
├→ services/mana-core-auth/.env {PORT}
CHAT_BACKEND_PORT (3002)
↓ (generate-env.mjs line 89)
├→ apps/chat/apps/backend/.env {PORT}
MANA_CORE_AUTH_URL (http://localhost:3001)
↓ (generate-env.mjs multiple lines)
├→ apps/chat/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/picture/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/zitare/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/presi/apps/backend/.env {MANA_CORE_AUTH_URL}
├→ apps/manadeck/apps/backend/.env {MANA_SERVICE_URL} ← NAMING INCONSISTENCY
└→ apps/nutriphi/apps/backend/.env {MANACORE_AUTH_URL} ← NAMING INCONSISTENCY
CORS_ORIGINS (http://localhost:3000,http://localhost:3002,...)
↓ (generate-env.mjs line 75, 136, 232, 301, 332, 372)
├→ services/mana-core-auth/.env {CORS_ORIGINS}
├→ apps/maerchenzauber/apps/backend/.env {CORS_ORIGINS}
├→ apps/picture/apps/backend/.env {CORS_ORIGINS}
├→ apps/zitare/apps/backend/.env {CORS_ORIGINS}
├→ apps/presi/apps/backend/.env {CORS_ORIGINS}
└→ games/mana-games/apps/backend/.env {CORS_ORIGINS}
[BUT NOT USED by Chat, Picture, Zitare, Presi - they hardcode instead!]
```
---
## Issues Severity Matrix
```
╔═══════════════╦════════════════════════════════════════════════╦══════════════════╗
║ Severity ║ Count ║ Issue Description ║ Time to Fix ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ BLOCKING ║ 2 ║ Port conflicts (3002, 3003) ║ 15 minutes ║
║ ║ 1 ║ Hardcoded DEV_USER_ID ║ 30 minutes ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ MAJOR ║ 3 ║ Auth URL naming inconsistencies ║ 30 minutes ║
║ ║ 4 ║ Hardcoded CORS origins ║ 1-2 hours ║
║ ║ 2 ║ Missing .env.example files ║ 15 minutes ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ MEDIUM ║ 4 ║ Missing validation schemas ║ 2-3 hours ║
║ ║ 1 ║ Dev bypass auth inconsistency ║ 1-2 hours ║
╠═══════════════╬═══════╬═════════════════════════════════════════╬══════════════════╣
║ TOTAL ║ 17 ║ All issues identified ║ 6-8 hours total ║
╚═══════════════╩═══════╩═════════════════════════════════════════╩══════════════════╝
```
---
## Configuration Best Practices Scorecard
```
╔════════════════════════════════════╦═════════════════════════════════════════╗
║ Criteria ║ Score (0-10) ║
╠════════════════════════════════════╬═════════════════════════════════════════╣
║ Port Assignment Uniqueness ║ 4/10 (2 conflicts found) ║
║ Environment Variable Standardization║ 6/10 (3 naming conventions) ║
║ Configuration Documentation ║ 5/10 (3 missing .env.example files) ║
║ Centralized Environment Setup ║ 8/10 (good but some backends override) ║
║ Configuration Validation ║ 3/10 (only 2/8 backends have schemas) ║
║ Hardcoded Values ║ 4/10 (CORS + DEV_USER_ID hardcoded) ║
║ Auth Configuration Consistency ║ 4/10 (4 different variable names) ║
║ Security (no secrets in source) ║ 7/10 (mostly good, except DEV_USER_ID) ║
╠════════════════════════════════════╬═════════════════════════════════════════╣
║ OVERALL SCORE ║ 5.1/10 (NEEDS IMPROVEMENT) ║
╚════════════════════════════════════╩═════════════════════════════════════════╝
```
**To reach 8/10:** Fix blocking issues + add missing validation schemas
**To reach 9/10:** + Move all CORS to environment + Standardize auth URLs
**To reach 10/10:** + Complete documentation + Consistent dev bypass pattern across all
---
## Quick Reference: Variable Name Standardization
### Current (Inconsistent)
```
Chat: MANA_CORE_AUTH_URL
Picture: MANA_CORE_AUTH_URL
Zitare: MANA_CORE_AUTH_URL
Presi: MANA_CORE_AUTH_URL
Manadeck: MANA_SERVICE_URL ← Different!
Nutriphi: MANACORE_AUTH_URL ← Different!
```
### Recommended (Consistent)
```
All backends: MANA_CORE_AUTH_URL ← Standardized
```
### Migration Path
1. Add MANA_CORE_AUTH_URL to .env.development (already exists!)
2. Update generate-env.mjs:
- Line 205: Change `MANA_SERVICE_URL` to `MANA_CORE_AUTH_URL` (Manadeck)
- Line 272: Change `MANACORE_AUTH_URL` to `MANA_CORE_AUTH_URL` (Nutriphi)
3. Update app.module.ts files if they reference old variable name
4. Update config/validation.schema.ts files if applicable
5. Test `pnpm setup:env` generates correct variables
6. Verify all backends read MANA_CORE_AUTH_URL
---
## Next Steps
1. **Read the full audit:** `/docs/ENV_CONFIGURATION_AUDIT.md`
2. **Follow the checklist:** `/docs/ENV_AUDIT_SUMMARY.md`
3. **Review this matrix:** You are here!
4. **Implement fixes:** Start with Phase 1 (blocking issues)
5. **Test & verify:** Run all backends simultaneously
6. **Document results:** Update CLAUDE.md with final port assignments
---
Generated: December 1, 2025
Auditor: Environment Configuration Auditor Agent (Claude Flow Swarm)