Set useJWTPlugin: true so id_tokens are signed with EdDSA keys from JWKS instead of HS256. This fixes Synapse OIDC integration which verifies tokens via JWKS endpoint.
# ============================================================================
# Mana Core Auth - Environment Configuration
# ============================================================================
# Copy this file to .env and fill in your values.
# The copied .env holds live credentials; keep it out of version control
# and out of build artifacts (only this template is meant to be committed).
# Variables marked [REQUIRED] must be set.
# Variables marked [REQUIRED IN PRODUCTION] are optional in development.
# Values are read as plain strings; any typing (numbers, durations) is
# done by the loader, so do not add quotes unless a value needs them.
# ============================================================================

# Environment
# Runtime mode; development enables the local defaults documented below.
NODE_ENV=development
# TCP port the auth service listens on (BASE_URL below must agree with it).
PORT=3001

# Logging
# Options: debug, info, warn, error
# debug is verbose and may log request details; prefer info or warn in production.
LOG_LEVEL=debug

# ============================================================================
# Database [REQUIRED]
# ============================================================================
# PostgreSQL connection string: postgresql://USER:PASSWORD@HOST:PORT/DBNAME
# The user/password below are local-development defaults; use a dedicated
# role with its own strong password for any shared or production database.
DATABASE_URL=postgresql://manacore:manacore@localhost:5432/manacore_auth

# ============================================================================
# Redis (Optional in development, recommended in production)
# ============================================================================
REDIS_HOST=localhost
REDIS_PORT=6379
# Empty only for an unauthenticated local instance; set it whenever Redis is
# reachable from anything other than this host.
REDIS_PASSWORD=

# ============================================================================
# Base URL [REQUIRED IN PRODUCTION]
# ============================================================================
# The public URL where this auth service is accessible
# Used for email verification links, OIDC callbacks, etc.
# Scheme, host and port must match what clients actually reach; in production
# this is presumably the https URL behind the reverse proxy - confirm.
BASE_URL=http://localhost:3001

# ============================================================================
# CORS [REQUIRED IN PRODUCTION]
# ============================================================================
# Comma-separated list of allowed origins
# In development, defaults to localhost ports if not set
# Each entry is a full origin (scheme + host + port), no paths, no spaces
# around the commas; list only the front-ends that should call this service.
CORS_ORIGINS=http://localhost:3000,http://localhost:5173,http://localhost:5174,http://localhost:8081

# ============================================================================
# JWT Configuration
# ============================================================================
# Note: Better Auth uses EdDSA keys stored in the database (JWKS).
# These RSA keys are only used as fallback for legacy token generation.
# You can leave these empty if using Better Auth's default JWKS.
# With useJWTPlugin enabled, id_tokens are signed with the JWKS EdDSA keys
# (see the commit message) and relying parties such as Synapse verify them
# via the JWKS endpoint, so the legacy keys are not needed for OIDC.
# Key format is presumably PEM - confirm against the code that loads them.

# JWT_PRIVATE_KEY=
# JWT_PUBLIC_KEY=
# Duration strings (e.g. 15m, 7d); exact syntax is whatever the JWT library
# accepts - confirm. A short access-token lifetime limits the window in which
# a leaked token is usable; the refresh token is the longer-lived credential.
JWT_ACCESS_TOKEN_EXPIRY=15m
JWT_REFRESH_TOKEN_EXPIRY=7d
# iss / aud claims written into issued tokens and checked on verification.
JWT_ISSUER=manacore
JWT_AUDIENCE=manacore

# ============================================================================
# Stripe (Optional - credit system won't work without it)
# ============================================================================
# Get your keys from https://dashboard.stripe.com/apikeys
# sk_test_ / pk_test_ are test-mode keys; the live-mode equivalents are
# secrets and belong only in the deployed .env, never in this template.
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
# Used to verify the signature on incoming Stripe webhook requests.
STRIPE_WEBHOOK_SECRET=whsec_...

# ============================================================================
# SMTP (Optional - emails will be logged if not configured)
# ============================================================================
# Using Brevo (formerly Sendinblue) SMTP relay
SMTP_HOST=smtp-relay.brevo.com
# 587 is the submission port; STARTTLS is presumably negotiated by the
# mailer - confirm in the mail transport configuration.
SMTP_PORT=587
SMTP_USER=
SMTP_PASSWORD=
# Display-name form "Name <address>". dotenv-style loaders take the rest of
# the line literally; if this file is ever sourced by a shell, the value
# would need double quotes because of the angle brackets.
SMTP_FROM=ManaCore <noreply@mana.how>

# ============================================================================
# Credits
# ============================================================================
# Amounts are in credits. SIGNUP_BONUS is presumably granted once on account
# creation and DAILY_FREE once per day - confirm against the credit service.
CREDITS_SIGNUP_BONUS=150
CREDITS_DAILY_FREE=5

# ============================================================================
# Rate Limiting
# ============================================================================
# TTL in seconds, limit is requests per TTL
# As configured: at most 100 requests per 60-second window per client.
RATE_LIMIT_TTL=60
RATE_LIMIT_MAX=100

# ============================================================================
# AI Services (Optional)
# ============================================================================
# API key for Google Generative AI; empty presumably disables the feature.
GOOGLE_GENAI_API_KEY=