mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 21:41:09 +02:00
5b0b3095ff
- Migrate Chat, Picture, Presi, Zitare backends to shared auth guards - Remove duplicate local JWT guards and decorators - Add CD staging workflow for tagged releases - Add comprehensive auth architecture documentation - Add Hetzner deployment and Docker setup guides - Add environment configuration audit docs - Update env generation scripts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
14 KiB
14 KiB
Environment Configuration Audit Report
Mana Universe Monorepo - Backend Authentication & Configuration
Date: December 1, 2025 Auditor: Environment Configuration Auditor Agent Scope: All NestJS backends and mana-core-auth service
EXECUTIVE SUMMARY
The monorepo has CRITICAL PORT CONFLICTS that will prevent multiple backends from running simultaneously. Additionally, there are inconsistencies in environment variable naming conventions across backends and missing configuration examples for some projects.
Status: NEEDS IMMEDIATE ACTION
- 2 port conflicts identified
- 3 naming convention inconsistencies
- 5 backends missing .env.example files
- Hardcoded CORS origins in multiple backends
1. PORT ASSIGNMENT MATRIX
Current Assignments (from .env.development)
| Backend | Port | Env Variable | Status | Conflict |
|---|---|---|---|---|
| Mana Core Auth | 3001 | MANA_CORE_AUTH_PORT | ✓ Unique | No |
| Chat | 3002 | CHAT_BACKEND_PORT | ✓ Unique | No |
| Maerchenzauber | 3003 | MAERCHENZAUBER_BACKEND_PORT | ⚠ CONFLICT | Yes |
| Manadeck | 3004 | MANADECK_BACKEND_PORT | ✓ Unique | No |
| Picture | 3003 | PICTURE_BACKEND_PORT | ⚠ CONFLICT | Yes |
| Nutriphi | 3002 | NUTRIPHI_BACKEND_PORT | ⚠ CONFLICT | Yes |
| Zitare | 3007 | ZITARE_BACKEND_PORT | ✓ Unique | No |
| Presi | 3008 | PRESI_BACKEND_PORT | ✓ Unique | No |
| Mana Games | 3011 | MANA_GAMES_BACKEND_PORT | ✓ Unique | No |
| Voxel Lava | 3010 | VOXEL_LAVA_BACKEND_PORT | ✓ Unique | No |
PORT CONFLICTS FOUND
-
Port 3003 - DOUBLE ASSIGNED
- Maerchenzauber Backend:
MAERCHENZAUBER_BACKEND_PORT=3003 - Picture Backend:
PICTURE_BACKEND_PORT=3003
- Maerchenzauber Backend:
-
Port 3002 - DOUBLE ASSIGNED
- Chat Backend:
CHAT_BACKEND_PORT=3002 - Nutriphi Backend:
NUTRIPHI_BACKEND_PORT=3002
- Chat Backend:
RECOMMENDATION
Reassign conflicting ports:
- Maerchenzauber: Keep 3003, reassign Picture to 3005 or 3006
- OR reassign Maerchenzauber to 3005 and keep Picture at 3003
- Nutriphi: Reassign to 3006 or another available port
- Mana Games: Currently 3011
- Voxel Lava: Currently 3010
2. AUTH ENVIRONMENT VARIABLES AUDIT
Central Configuration (.env.development)
PRESENT & CONFIGURED:
- ✓
MANA_CORE_AUTH_URL=http://localhost:3001(Line 16) - ✓
DEV_BYPASS_AUTH=true(Line 59 - Chat only) - ✓ JWT_PRIVATE_KEY & JWT_PUBLIC_KEY (Lines 19-20)
- ✓ CORS_ORIGINS=... (Line 41)
MISSING CENTRALIZED:
-
✗
DEV_USER_ID- NOT in .env.development- Used hardcoded in Chat:
17cb0be7-058a-4964-9e18-1fe7055fd014 - Should be centralized in .env.development
- Used hardcoded in Chat:
-
✗
MANA_CORE_SERVICE_KEY- NOT found in generate-env.mjs mapping- Defined for Manadeck in .env.example
- Not passed to backends via generator
Backend-Specific Auth Configuration
| Backend | Auth URL Var | Dev Bypass | Dev User ID | Status |
|---|---|---|---|---|
| Chat | MANA_CORE_AUTH_URL | ✓ Configured | ✗ Hardcoded | ⚠ Partially |
| Picture | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| Zitare | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| Presi | MANA_CORE_AUTH_URL | ✗ Missing | ✗ Not checked | ✗ Incomplete |
| Manadeck | MANA_SERVICE_URL | ✗ Not in generation | ✗ Not mapped | ✗ Not generated |
ISSUE: Naming Convention Inconsistency
Different backends use DIFFERENT variable names for the same thing:
INCONSISTENT:
- Chat uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 95)
- Picture uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 230)
- Zitare uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 300)
- Presi uses: MANA_CORE_AUTH_URL (from generate-env.mjs line 330)
- Manadeck uses: MANA_SERVICE_URL (from generate-env.mjs line 205)
- Manadeck uses: APP_ID (from generate-env.mjs line 206)
- Nutriphi uses: MANACORE_AUTH_URL (from generate-env.mjs line 272)
STANDARDIZATION NEEDED: All backends should use consistent naming:
- Recommend:
MANA_CORE_AUTH_URL(most common)
3. ENVIRONMENT VARIABLE MAPPING AUDIT
Generate-env.mjs Coverage Analysis
| Backend | .env.example | generate-env.mjs | .env Generated | Coverage |
|---|---|---|---|---|
| Chat | ✓ Exists | ✓ Lines 85-98 | ✓ Will generate | ✓ Complete |
| Picture | ✓ Exists | ✓ Lines 223-243 | ✓ Will generate | ✓ Complete |
| Manadeck | ✓ Exists | ✓ Lines 199-209 | ✓ Will generate | ✓ Complete |
| Zitare | ✗ Missing | ✓ Lines 294-303 | ✓ Will generate | ⚠ Missing example |
| Presi | ✗ Missing | ✓ Lines 323-334 | ✓ Will generate | ⚠ Missing example |
| Mana-Core-Auth | ✓ Exists | ✓ Lines 57-82 | ✓ Will generate | ✓ Complete |
Missing .env.example files:
/apps/zitare/apps/backend/.env.example- Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, CORS_ORIGINS/apps/presi/apps/backend/.env.example- Should document PORT, DATABASE_URL, MANA_CORE_AUTH_URL, JWT_PUBLIC_KEY, CORS_ORIGINS
4. HARDCODED VALUES & SECURITY CONCERNS
Hardcoded in Source Code
Chat Backend (apps/chat/apps/backend/src/common/guards/jwt-auth.guard.ts):
const DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'; // Line 1
- Should be:
configService.get('DEV_USER_ID') - Should be in .env.development:
DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014
Hardcoded CORS Origins in main.ts
Chat (src/main.ts lines 10-18):
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5174',
'http://localhost:5178',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001', // Mana Core Auth
]
Picture (src/main.ts lines 11-19):
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5174',
'http://localhost:5175',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
Presi (src/main.ts lines 10-17):
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5177',
'http://localhost:5178',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
Zitare (src/main.ts lines 10-16):
origin: [
'http://localhost:3000',
'http://localhost:5173',
'http://localhost:5177',
'http://localhost:8081',
'exp://localhost:8081',
'http://localhost:3001',
]
RECOMMENDATION: Move CORS_ORIGINS to .env.development (already exists as CORS_ORIGINS global variable, but not used by all backends)
5. CONFIGURATION BEST PRACTICES COMPLIANCE
Configuration Module Setup
| Backend | ConfigModule | Validation | Env File Path | Status |
|---|---|---|---|---|
| Chat | ✓ ConfigModule.forRoot() | ✗ No validation schema | .env |
⚠ Minimal |
| Picture | ✓ ConfigModule.forRoot() | ✗ No validation schema | .env |
⚠ Minimal |
| Zitare | ✓ ConfigModule.forRoot() | ✗ No validation schema | .env |
⚠ Minimal |
| Presi | ✓ ConfigModule.forRoot() | ✗ No validation schema | .env |
⚠ Minimal |
| Manadeck | ✓ ConfigModule.forRoot() | ✓ Joi schema | .env |
✓ Complete |
| Mana-Core-Auth | ✓ ConfigModule.forRoot() | ✓ Config service | .env |
✓ Complete |
ISSUE: Chat, Picture, Zitare, Presi lack validation schemas.
EXAMPLE (Manadeck validation.schema.ts):
export const validationSchema = Joi.object({
NODE_ENV: Joi.string().valid('development', 'production'),
PORT: Joi.number().required(),
DATABASE_URL: Joi.string().required(),
MANA_CORE_AUTH_URL: Joi.string().required(),
// ... etc
});
6. CRITICAL ISSUES SUMMARY
BLOCKING ISSUES (Fix Immediately)
-
Port Conflict - 3002
- Chat and Nutriphi both assigned to port 3002
- Cannot run simultaneously
- Fix: Reassign Nutriphi to port 3006
-
Port Conflict - 3003
- Picture and Maerchenzauber both assigned to port 3003
- Cannot run simultaneously
- Fix: Reassign Picture to port 3005 or Maerchenzauber to 3006
-
Hardcoded Dev User ID in Chat Backend
DEV_USER_ID = '17cb0be7-058a-4964-9e18-1fe7055fd014'hardcoded in source- Not configurable via environment
- Fix: Move to .env.development and load via ConfigService
MAJOR ISSUES (Fix Soon)
-
Inconsistent Auth Variable Names
- Manadeck uses
MANA_SERVICE_URLinstead ofMANA_CORE_AUTH_URL - Nutriphi uses
MANACORE_AUTH_URL(no underscore) - Fix: Standardize all to
MANA_CORE_AUTH_URL
- Manadeck uses
-
Hardcoded CORS Origins
- 4 backends hardcode CORS lists in main.ts
- Should use environment variables
- Fix: Use CORS_ORIGINS from .env.development
-
Missing Configuration Examples
- Zitare and Presi lack .env.example files
- Fix: Create comprehensive .env.example files
MEDIUM ISSUES (Improve Quality)
-
Missing Validation Schemas
- 4 backends lack Joi validation schemas
- No type safety for environment variables
- Fix: Add validation schemas to Chat, Picture, Zitare, Presi
-
Dev Bypass Auth Not Consistent
- Only Chat backend has DEV_BYPASS_AUTH implemented
- Other backends may lack development bypass mechanism
- Fix: Add consistent development auth bypass pattern
7. RECOMMENDED ACTIONS
Phase 1: Critical Fixes (Do First)
# 1. Fix port conflicts in .env.development
# Change line 122: PICTURE_BACKEND_PORT=3003 → PICTURE_BACKEND_PORT=3005
# Change line 146: NUTRIPHI_BACKEND_PORT=3002 → NUTRIPHI_BACKEND_PORT=3006
# 2. Add DEV_USER_ID to .env.development
# Add after line 59: DEV_USER_ID=17cb0be7-058a-4964-9e18-1fe7055fd014
# 3. Standardize auth URL naming
# Update generate-env.mjs line 272 (Nutriphi):
# MANACORE_AUTH_URL: → MANA_CORE_AUTH_URL:
# Update generate-env.mjs line 205 (Manadeck):
# MANA_SERVICE_URL: → MANA_CORE_AUTH_URL:
Phase 2: Configuration Examples
# Create missing .env.example files:
# - apps/zitare/apps/backend/.env.example
# - apps/presi/apps/backend/.env.example
# Based on .env.development variables and backend requirements
Phase 3: Code Quality
# Add validation schemas to:
# - apps/chat/apps/backend/src/config/validation.schema.ts
# - apps/picture/apps/backend/src/config/validation.schema.ts
# - apps/zitare/apps/backend/src/config/validation.schema.ts
# - apps/presi/apps/backend/src/config/validation.schema.ts
# Move CORS origins to environment:
# Update main.ts in Chat, Picture, Zitare, Presi to:
# app.enableCors({
# origin: (configService.get('CORS_ORIGINS') || '').split(','),
# })
8. UPDATED PORT ASSIGNMENTS (RECOMMENDED)
| Backend | Recommended Port | Current | Status |
|---|---|---|---|
| Mana Core Auth | 3001 | 3001 | ✓ Keep |
| Chat | 3002 | 3002 | ✓ Keep |
| Maerchenzauber | 3003 | 3003 | ✓ Keep |
| Manadeck | 3004 | 3004 | ✓ Keep |
| Picture | 3005 | 3003 | CHANGE |
| Nutriphi | 3006 | 3002 | CHANGE |
| Zitare | 3007 | 3007 | ✓ Keep |
| Presi | 3008 | 3008 | ✓ Keep |
| Voxel Lava | 3010 | 3010 | ✓ Keep |
| Mana Games | 3011 | 3011 | ✓ Keep |
9. ENVIRONMENT VARIABLE SUMMARY TABLE
Required for All Backends
| Variable | Purpose | Centralized | Backend Usage |
|---|---|---|---|
| NODE_ENV | Environment type | ✓ .env.development | All |
| PORT | Server port | ✓ Individual vars | All |
| DATABASE_URL | PostgreSQL connection | ✓ Individual vars | Chat, Manadeck, Picture, Zitare, Presi |
| MANA_CORE_AUTH_URL | Auth service URL | ✓ .env.development | Chat, Picture, Zitare, Presi, Manadeck |
| CORS_ORIGINS | Allowed origins | ✓ .env.development | All (hardcoded, should use env) |
Optional but Recommended
| Variable | Purpose | Centralized | Backend Usage |
|---|---|---|---|
| DEV_BYPASS_AUTH | Skip auth in dev | ⚠ Partial | Chat only |
| DEV_USER_ID | Dev test user | ✗ Hardcoded | Chat |
| JWT_PUBLIC_KEY | Token validation | ✓ .env.development | Presi |
Backend-Specific
| Backend | Key Variables | Centralized |
|---|---|---|
| Chat | GOOGLE_GENAI_API_KEY, AZURE_OPENAI_* | ✓ .env.development |
| Picture | REPLICATE_API_TOKEN, S3_* vars | ✓ .env.development |
| Zitare | (None beyond base) | ✓ .env.development |
| Presi | (None beyond base) | ✓ .env.development |
| Manadeck | GOOGLE_GENAI_API_KEY | ✓ .env.development |
| Mana-Core-Auth | JWT_, STRIPE_, CREDITS_* | ✓ .env.development |
10. IMPLEMENTATION CHECKLIST
- Fix port conflict: Picture 3003 → 3005
- Fix port conflict: Nutriphi 3002 → 3006
- Add DEV_USER_ID to .env.development
- Update Chat backend to use DEV_USER_ID from ConfigService
- Standardize MANA_SERVICE_URL to MANA_CORE_AUTH_URL in Manadeck generate-env.mjs
- Standardize MANACORE_AUTH_URL to MANA_CORE_AUTH_URL in Nutriphi generate-env.mjs
- Create .env.example for Zitare backend
- Create .env.example for Presi backend
- Add validation schemas to Chat backend config
- Add validation schemas to Picture backend config
- Add validation schemas to Zitare backend config
- Add validation schemas to Presi backend config
- Move CORS origins from hardcoded arrays to environment variables (all backends)
- Document port assignments in CLAUDE.md
- Test all backends can run simultaneously with correct ports
- Verify auth endpoint connectivity from each backend to mana-core-auth
AUDIT DETAILS
Files Reviewed:
- .env.development (202 lines)
- scripts/generate-env.mjs (433 lines)
- 6 backends app.module.ts files
- 5 backends main.ts files
- 3 .env.example files (Chat, Picture, Manadeck)
- 1 mana-core-auth main.ts
- Various configuration schemas and guards
Total Files Analyzed: 25+ Lines of Code Reviewed: 2,000+ Issues Identified: 8 critical/major issues Port Conflicts Found: 2 (affecting 3 backends)