flightsimulatorplatfrom/OpenSquawk
1
0
Fork 0
mirror of https://github.com/OpenSquawk/OpenSquawk synced 2026-06-29 13:20:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
release
OpenSquawk/.env.example
leubeem 0154c6d624 fix(security): mandatory cron secret + reject placeholder JWT secrets (SEC-07, OPS-02, SEC-09) 
SEC-07 — committed secrets:
- Replace real-looking defaults in .env.example (JWT_SECRET/JWT_REFRESH_SECRET
  "changeme", MANUAL_INVITE_PASSWORD "pm.local@zghl.de") with CHANGE_ME
  placeholders, and drop the personal DOME_LIGHT_WEBHOOK_URL default.
- Add a Nitro startup plugin (server/plugins/validate-secrets.ts) that refuses
  to boot in production when JWT_SECRET is unset, looks like a placeholder, or
  is shorter than 32 chars (warns only in development).

OPS-02 / SEC-09 — cron endpoints:
- requireCronSecret now fails closed: when no CRON_SECRET/KPI_CRON_SECRET is
  configured the endpoint returns 503 instead of being publicly callable
  (previously it allowed the request with a warning). Both cron routes already
  call the guard. Prefer the x-cron-secret header over the loggable ?secret=
  query param; document CRON_SECRET in .env.example.

Operational note: production deployments must now set JWT_SECRET (>=32 chars)
and CRON_SECRET, or the server won't start / crons return 503.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 11:07:27 +02:00

53 lines
1.4 KiB
Plaintext
Raw Permalink Blame History

# Runtime
NODE_ENV=development
MONGODB_URI=mongodb://127.0.0.1:27017/opensquawk
# Authentication
# Generate strong, unique random values — e.g. `openssl rand -hex 32`.
# The server refuses to start in production if these are unset, look like a
# placeholder, or are shorter than 32 characters.
JWT_SECRET=CHANGE_ME
JWT_REFRESH_SECRET=CHANGE_ME
# OpenAI
OPENAI_API_KEY=sk-your-openai-key
OPENAI_PROJECT=
OPENAI_BASE_URL=
# Optional: specify a custom API endpoint, e.g. http://localhost:1234/v1
LLM_MODEL=gpt-5-nano
TTS_MODEL=tts-1
VOICE_ID=alloy
# ATC audio generation
ATC_OUT_DIR=./storage/atc
FLIGHTLAB_TTS_CACHE_DIR=./.cache/flightlab-tts
USE_SPEACHES=false
USE_PIPER=false
PIPER_PORT=5001
SPEACHES_BASE_URL=
SPEECH_MODEL_ID=speaches-ai/piper-en_US-ryan-low
# Optional: external webhook for bridge dome-light telemetry. Leave empty to disable.
DOME_LIGHT_WEBHOOK_URL=
# Notifications
NOTIFY_RESEND_API_KEY=
NOTIFY_EMAIL_TO=
NOTIFY_EMAIL_FROM="OpenSquawk <info@opensquawk.de>"
NOTIFY_SMTP_HOST=
NOTIFY_SMTP_PORT=587
NOTIFY_SMTP_SECURE=false
NOTIFY_SMTP_USER=
NOTIFY_SMTP_PASS=
# Bootstrap invitations
BOOTSTRAP_INVITE_DEADLINE=2025-09-01T00:00:00Z
# Manual invitation generator
MANUAL_INVITE_PASSWORD=CHANGE_ME
# Cron / scheduled tasks
# Required for the /api/service/cron/* endpoints (they send emails and mint
# invite codes). Without it those endpoints return 503. Pass it via the
# `x-cron-secret` header (preferred) or `?secret=` query param.
CRON_SECRET=CHANGE_ME
Reference in New Issue View Git Blame Copy Permalink