forked from ANYTECHS/clips-backend
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
235 lines (202 loc) · 13.8 KB
/
Copy path.env.example
File metadata and controls
235 lines (202 loc) · 13.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
# ─────────────────────────────────────────────────────────────────────────────
# ClipCash Backend — Environment Variables
# Copy this file to .env and fill in the values.
# Never commit your .env file to version control.
# ─────────────────────────────────────────────────────────────────────────────
# ── Database ──────────────────────────────────────────────────────────────────
# PostgreSQL connection string (Supabase or self-hosted)
DATABASE_URL="postgresql://postgres:password@localhost:5432/clipscash?schema=public"
# ── Encryption ────────────────────────────────────────────────────────────────
# Secret key for encrypting sensitive data (bank account info, tokens, etc.)
# Generate: openssl rand -base64 32
ENCRYPTION_SECRET="your_encryption_secret_min_32_chars"
# ── JWT ───────────────────────────────────────────────────────────────────────
# Secret used to sign JWT access tokens. Use a long random string.
JWT_SECRET="your_jwt_secret"
# Access token lifetime in seconds (default: 3600 = 1 hour)
JWT_EXPIRES=3600
# Refresh token lifetime in days (default: 14)
JWT_REFRESH_EXPIRES_DAYS=14
# ── Google OAuth ──────────────────────────────────────────────────────────────
# Create credentials at https://console.cloud.google.com/apis/credentials
GOOGLE_CLIENT_ID="your_google_client_id"
GOOGLE_CLIENT_SECRET="your_google_client_secret"
GOOGLE_CALLBACK_URL="http://localhost:3000/auth/google/callback"
# ── Email / SMTP ──────────────────────────────────────────────────────────────
# Used for magic links and transactional emails.
# For local dev, use Ethereal (https://ethereal.email) or Mailtrap.
APP_BASE_URL="http://localhost:3000"
SMTP_HOST="smtp.ethereal.email"
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER="your_smtp_user"
SMTP_PASS="your_smtp_pass"
SMTP_FROM='"Clips App" <noreply@clips.app>'
# ── CORS ──────────────────────────────────────────────────────────────────────
# Comma-separated list of allowed frontend origins
ALLOWED_ORIGINS="http://localhost:3000,http://localhost:3001"
# ── Redis ─────────────────────────────────────────────────────────────────────
# Redis is used for BullMQ job queues, rate limiting, and session caching.
REDIS_HOST="localhost"
REDIS_PORT=6379
# Leave empty if Redis has no password (common in local dev)
REDIS_PASSWORD=""
# ── Queue Configuration ───────────────────────────────────────────────────────
# Queue-specific Redis values override the shared REDIS_* settings above.
QUEUE_REDIS_HOST="localhost"
QUEUE_REDIS_PORT=6379
QUEUE_REDIS_USERNAME=""
QUEUE_REDIS_PASSWORD=""
QUEUE_REDIS_DB=0
QUEUE_REDIS_TLS=false
QUEUE_PREFIX="clips"
# Defaults applied to jobs unless a queue or producer supplies stricter options.
QUEUE_DEFAULT_ATTEMPTS=3
QUEUE_DEFAULT_BACKOFF_DELAY_MS=1000
QUEUE_REMOVE_ON_COMPLETE=1000
QUEUE_REMOVE_ON_FAIL=5000
# ── BullMQ Worker Concurrency ─────────────────────────────────────────────────
# Controls how many jobs each queue processes in parallel.
# Higher values = more throughput but more CPU/memory usage.
#
# Recommended values:
# Development : 1–2 (easier debugging, lower resource usage)
# Staging : 2–4 (balance between testing and resources)
# Production : 5–10 (maximize throughput; tune to server capacity)
#
# See BULLMQ_WORKER_SCALING.md for detailed guidance.
# Clip generation is CPU-intensive (FFmpeg + Cloudinary upload)
BULLMQ_CLIP_GENERATION_CONCURRENCY=2
# Email delivery is I/O-bound and can handle higher concurrency
BULLMQ_EMAIL_DELIVERY_CONCURRENCY=5
# ── BullMQ Queue Rate Limits & Overflow Protection ────────────────────────────
# Prevents queue overload during traffic spikes.
#
# Per-user rate limits (sliding window):
# BULLMQ_{QUEUE}_MAX_JOBS_PER_USER — max jobs one user can enqueue per window
# BULLMQ_{QUEUE}_RATE_WINDOW_SECS — sliding window size in seconds
#
# Global queue overflow (total depth across all users):
# BULLMQ_{QUEUE}_GLOBAL_DEPTH_CAP — max total waiting+active+delayed jobs
# before overflow kicks in (0 = disabled)
# BULLMQ_{QUEUE}_OVERFLOW_DELAY_MS — ms to delay new jobs when over cap
# (0 = reject immediately with HTTP 429)
#
# Supported queues: CLIP_GENERATION, EMAIL_DELIVERY, NFT_MINT, CLIP_POSTING
# clip-generation — CPU-heavy, keep limits conservative
BULLMQ_CLIP_GENERATION_MAX_JOBS_PER_USER=5
BULLMQ_CLIP_GENERATION_RATE_WINDOW_SECS=3600
BULLMQ_CLIP_GENERATION_GLOBAL_DEPTH_CAP=200
BULLMQ_CLIP_GENERATION_OVERFLOW_DELAY_MS=30000
# email-delivery — lightweight I/O, higher limits OK
BULLMQ_EMAIL_DELIVERY_MAX_JOBS_PER_USER=10
BULLMQ_EMAIL_DELIVERY_RATE_WINDOW_SECS=3600
BULLMQ_EMAIL_DELIVERY_GLOBAL_DEPTH_CAP=500
BULLMQ_EMAIL_DELIVERY_OVERFLOW_DELAY_MS=10000
# nft-mint — blockchain txs are slow; conservative limits
BULLMQ_NFT_MINT_MAX_JOBS_PER_USER=3
BULLMQ_NFT_MINT_RATE_WINDOW_SECS=3600
BULLMQ_NFT_MINT_GLOBAL_DEPTH_CAP=100
BULLMQ_NFT_MINT_OVERFLOW_DELAY_MS=60000
# clip-posting — I/O-bound social API calls
BULLMQ_CLIP_POSTING_MAX_JOBS_PER_USER=10
BULLMQ_CLIP_POSTING_RATE_WINDOW_SECS=3600
BULLMQ_CLIP_POSTING_GLOBAL_DEPTH_CAP=300
BULLMQ_CLIP_POSTING_OVERFLOW_DELAY_MS=15000
# ── Brute Force Protection ────────────────────────────────────────────────────
# Max failed login attempts before lockout
BRUTE_FORCE_MAX_ATTEMPTS=5
# Lockout duration in seconds (default: 900 = 15 min)
BRUTE_FORCE_LOCKOUT_DURATION=900
# Sliding window duration in seconds for counting attempts
BRUTE_FORCE_WINDOW_DURATION=900
# ── Rate Limiting ─────────────────────────────────────────────────────────────
# Comma-separated IPs that bypass rate limiting (e.g. internal health checks)
THROTTLER_WHITELIST=127.0.0.1,::1
# ── JWT Cookie Settings ───────────────────────────────────────────────────────
# Set COOKIE_SECURE=false only in local HTTP dev environments (defaults to true)
# COOKIE_SAME_SITE: 'lax' (recommended), 'strict', or 'none' (requires COOKIE_SECURE=true)
COOKIE_SECURE=true
COOKIE_SAME_SITE=lax
# ── Stellar Network ───────────────────────────────────────────────────────────
# 'testnet' for development/staging, 'public' for mainnet production.
# Defaults to 'testnet' if not set.
STELLAR_NETWORK=testnet
# Horizon API endpoint (defaults to testnet if not set)
STELLAR_HORIZON_URL="https://horizon-testnet.stellar.org"
# Platform wallet address for receiving subscription payments
STELLAR_WALLET_ADDRESS="your_stellar_wallet_address"
# ── Payout Limits ─────────────────────────────────────────────────────────────
# Minimum and maximum payout amounts per currency.
# Use JSON or individual MIN/MAX variables (individual vars take precedence).
# PAYOUT_LIMITS={"USD":{"min":5,"max":10000},"EUR":{"min":8,"max":5000}}
MIN_PAYOUT_USD=5
MAX_PAYOUT_USD=10000
# Payouts at or above this amount require manual admin approval
PAYOUT_APPROVAL_THRESHOLD=500
# Legacy alias kept for backwards compatibility
MIN_STELLAR_PAYOUT=5
# ── Stellar NFT / Soroban ─────────────────────────────────────────────────────
# Platform royalty in Basis Points (BPS). 100 BPS = 1%.
PLATFORM_ROYALTY_BPS=100
# Creator royalty in Basis Points (BPS). 1000 BPS = 10%.
CREATOR_ROYALTY_BPS=1000
# Platform wallet that receives the royalty share
PLATFORM_WALLET_ADDRESS="GDV76E6XN6A3Q3WXVZ4KPRQ7L6E6XN6A3Q3WXVZ4KPRQ7L6E6XN6"
# Soroban smart contract ID for NFT minting with royalties (REQUIRED in production).
# Deploy the contract from contracts/nft-royalty/ and paste the resulting ID here.
# The app will fail fast on startup if this is missing in production.
SOROBAN_NFT_CONTRACT_ID="your_soroban_nft_contract_id"
# ── IPFS / Pinata ─────────────────────────────────────────────────────────────
# Used to upload NFT metadata JSON to IPFS before minting.
# Provider: pinata (default) or nftstorage
# IPFS_PROVIDER="pinata"
# Get your JWT at https://app.pinata.cloud/keys
PINATA_JWT="your_pinata_jwt_token"
# Alternative: nft.storage API key (https://nft.storage)
# NFT_STORAGE_API_KEY="your_nft_storage_api_key"
# Override the default Pinata endpoint if needed
# IPFS_API_URL="https://api.pinata.cloud/pinning/pinJSONToIPFS"
# ── Cloudinary ────────────────────────────────────────────────────────────────
# Used to store and serve generated clip videos and thumbnails via CDN.
# Create a free account at https://cloudinary.com and find these in the dashboard.
CLOUDINARY_CLOUD_NAME="your_cloudinary_cloud_name"
CLOUDINARY_API_KEY="your_cloudinary_api_key"
CLOUDINARY_API_SECRET="your_cloudinary_api_secret"
# ── Ayrshare ──────────────────────────────────────────────────────────────────
# Used to auto-post clips to TikTok, Instagram, YouTube Shorts, and more.
# Get your API key at https://www.ayrshare.com
AYRSHARE_API_KEY="your_ayrshare_api_key"
# ── Metrics ───────────────────────────────────────────────────────────────────
# Bearer token required to access the Prometheus /metrics endpoint.
# Send as header: x-metrics-token: <value>
METRICS_TOKEN="change-this-in-production"
# ── Leaderboard ───────────────────────────────────────────────────────────────
# Set to 'true' to enable the public earnings leaderboard endpoint.
LEADERBOARD_ENABLED=false
# ── Webhook Security ──────────────────────────────────────────────────────────
# HMAC-SHA256 secret for verifying incoming Stellar payment webhook signatures.
# Must match the secret configured in your Stellar webhook provider.
WEBHOOK_SECRET="your_webhook_secret_min_32_chars_long"
# Platform-specific webhook validation secrets
TIKTOK_WEBHOOK_SECRET="your_tiktok_webhook_secret"
YOUTUBE_WEBHOOK_SECRET="your_youtube_webhook_secret"
# ── Admin ─────────────────────────────────────────────────────────────────────
# Comma-separated admin email addresses for anomaly detection notifications
ADMIN_EMAILS="admin@example.com,admin2@example.com"
# Single admin email for job failure notifications
ADMIN_EMAIL="admin@example.com"
# Slack incoming webhook URL for queue failure notifications (optional)
# Create at https://api.slack.com/apps → Incoming Webhooks
SLACK_WEBHOOK_URL=""
# ── Anomaly Detection ─────────────────────────────────────────────────────────
# Multiplier for flagging earnings anomalies (default: 3 = 3× the average)
ANOMALY_THRESHOLD_MULTIPLIER=3
# Minimum earnings amount required before anomaly analysis runs (default: 10)
MIN_EARNINGS_FOR_ANALYSIS=10
# Number of days of history used for anomaly baseline (default: 30)
ANOMALY_LOOKBACK_DAYS=30
# ── Swagger UI ────────────────────────────────────────────────────────────────
# Swagger UI is enabled by default in development (NODE_ENV != 'production').
# Set to 'true' to force-enable in production (not recommended for public APIs).
# ENABLE_SWAGGER_UI=false