ComputerSocietyVITC
diff --git a/‎.env.example‎
Lines changed: 151 additions & 23 deletions b/‎.env.example‎
Lines changed: 151 additions & 23 deletions
diff --git a/‎.env.production.example‎
Lines changed: 109 additions & 0 deletions b/‎.env.production.example‎
Lines changed: 109 additions & 0 deletions
@@ -1,36 +1,164 @@
-# Database Configuration
+# =============================================================================
+# RECRUITMENT BACKEND - ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Copy this file to .env and fill in the appropriate values for your environment
+# For production, consider using environment-specific files like .env.production
+
+# =============================================================================
+# ENVIRONMENT SETTINGS
+# =============================================================================
+# Current environment: development, testing, production
+ENV=development
+
+# =============================================================================
+# SERVER CONFIGURATION
+# =============================================================================
+# Port for the HTTP server to listen on
+PORT=8080
+
+# =============================================================================
+# DATABASE CONFIGURATION
+# =============================================================================
+# PostgreSQL database connection settings
 DB_HOST=localhost
 DB_PORT=5432
 DB_USER=postgres
-DB_PASSWORD=password
+DB_PASSWORD=your_secure_password_here
 DB_NAME=recruitment_db
+
+# Connection pool settings
+# Maximum number of open connections to the database
 DB_MAX_CONNS=10
+# Minimum number of idle connections in the pool
 DB_MIN_CONNS=2
 
-# Server Configuration
-PORT=8080
-GIN_MODE=debug
+# =============================================================================
+# SECURITY CONFIGURATION
+# =============================================================================
+# JWT Secret key - MUST be changed in production
+# Generate a secure random string of at least 32 characters
+# You can use: openssl rand -base64 32
+JWT_SECRET=your-super-secure-jwt-secret-key-change-in-production-minimum-32-chars
 
-# JWT Configuration (Generate a secure secret using: make jwt-secret)
-JWT_SECRET=your-secret-key-change-in-production
+# JWT Token expiry duration (examples: 1h, 24h, 7d, 30d)
 JWT_EXPIRY_DURATION=24h
 
-# Environment
-ENV=development
+# OTP Configuration
+# Email verification OTP duration (examples: 5m, 10m, 15m, 30m)
+EMAIL_VERIFICATION_OTP_DURATION=10m
+
+# Password reset OTP duration (examples: 15m, 30m, 1h)
+PASSWORD_RESET_OTP_DURATION=30m
+
+# =============================================================================
+# ADMIN USER CONFIGURATION
+# =============================================================================
+# Admin user auto-creation settings
+# If both ADMIN_EMAIL and ADMIN_PASSWORD are provided, an admin user will be created
+# automatically during server startup if it doesn't already exist
+
+# Admin user email address
+ADMIN_EMAIL=[email protected]
+
+# Admin user password (minimum 6 characters recommended)
+ADMIN_PASSWORD=secure_admin_password_123
+
+# Optional: Admin user full name (defaults to "System Administrator")
+ADMIN_NAME='System Administrator'
+
+# Optional: Admin user phone number (defaults to "0000000000")
+ADMIN_PHONE=+919876543210
+
+# =============================================================================
+# NETWORK SECURITY CONFIGURATION
+# =============================================================================
+# Comma-separated list of trusted proxy IP addresses/ranges
+# Used by Gin to determine real client IP addresses behind proxies
+# Common private network ranges are included by default
+# Example: 127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,your.proxy.ip
+TRUSTED_PROXIES=127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 
-# SMTP Configuration
+# Comma-separated list of allowed CORS origins
+# For development: * allows all origins
+# For production: specify exact domains (https://yourfrontend.com,https://app.yourcompany.com)
+# SECURITY WARNING: Never use * in production!
+CORS_ALLOWED_ORIGINS=*
+
+# =============================================================================
+# EMAIL CONFIGURATION
+# =============================================================================
+# SMTP server settings for sending emails
 SMTP_HOST=smtp.example.com
-SMTP_USER=[email protected]
-SMTP_FROM=[email protected]
 SMTP_PORT=587
-SMTP_PASSWORD=smtp-password
-
-# Development Notes:
-# - Copy this file to .env and update the values as needed
-# - Generate a secure JWT_SECRET using: make jwt-secret
-# - Change DB_PASSWORD to a secure password in production
-# - Set GIN_MODE to 'release' in production
-# - The default super admin credentials are:
-#   Email: [email protected]
-#   Password: password123
-#   (Change these immediately in production!)
+SMTP_USER=your_smtp_username
+SMTP_PASSWORD=your_smtp_password
+
+# OTP durations (examples: 5m, 10m, 15m, 30m)
+EMAIL_VERIFICATION_OTP_DURATION=10m
+PASSWORD_RESET_OTP_DURATION=30m
+
+# From email address for outgoing emails
+EMAIL_FROM=[email protected]
+
+# Email Templates Configuration
+# Use {{.OTP}}, {{.TOKEN}}, {{.DURATION}} as placeholders in email bodies
+# Email Verification Templates
+EMAIL_VERIFICATION_SUBJECT=Thank you for applying to IEEE Computer Society VITC. Please verify your email address
+EMAIL_VERIFICATION_BODY=Your OTP is: <strong>{{.OTP}}</strong>. It is valid for {{.DURATION}}.
+
+# Resend Verification Templates  
+EMAIL_RESEND_VERIFICATION_SUBJECT=IEEE Computer Society VITC - New Verification Code
+EMAIL_RESEND_VERIFICATION_BODY=Your new OTP is: <strong>{{.OTP}}</strong>. It is valid for {{.DURATION}}.
+
+# Password Reset Templates
+EMAIL_PASSWORD_RESET_SUBJECT=IEEE Computer Society VITC - Password Reset Request
+EMAIL_PASSWORD_RESET_BODY=You have requested to reset your password. Your reset token is: <strong>{{.TOKEN}}</strong>. This token is valid for {{.DURATION}}. If you did not request this reset, please ignore this email.
+
+# Password Reset Success Templates
+EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT=IEEE Computer Society VITC - Password Reset Successful
+EMAIL_PASSWORD_RESET_SUCCESS_BODY=Your password has been successfully reset. If you did not perform this action, please contact support immediately.
+
+# =============================================================================
+# BUSINESS LOGIC CONFIGURATION
+# =============================================================================
+# Comma-separated list of allowed email domains for registration
+# Example: company.com,university.edu
+ALLOWED_EMAIL_DOMAINS=vit.ac.in,vitstudent.ac.in
+
+# Maximum number of applications a user can create
+MAXIMUM_APPLICATIONS_PER_USER=2
+
+# =============================================================================
+# DEVELOPMENT/TESTING SPECIFIC SETTINGS
+# =============================================================================
+# These settings are typically only used in development/testing environments
+
+# Set to true to enable additional debugging features
+# DEBUG=false
+
+# Set to true to enable SQL query logging
+# DB_LOG_QUERIES=false
+
+# =============================================================================
+# PRODUCTION NOTES
+# =============================================================================
+# For production deployment:
+# 1. Set ENV=production
+# 2. Generate a secure JWT_SECRET (minimum 32 characters)
+# 3. Use strong database passwords
+# 4. Configure proper SMTP settings
+# 5. Review and set appropriate ALLOWED_EMAIL_DOMAINS
+# 6. Consider using environment-specific files (.env.production)
+# 7. Never commit actual .env files to version control
+# 8. Use secrets management services for sensitive data in cloud deployments
+
+# =============================================================================
+# EXAMPLE PRODUCTION VALUES
+# =============================================================================
+# ENV=production
+# PORT=8080
+# JWT_SECRET=super-secure-random-string-generated-with-openssl-rand-base64-32
+# DB_PASSWORD=very-secure-database-password
+# SMTP_HOST=smtp.yourmailprovider.com
+# SMTP_USER=apikey
+# SMTP_PASSWORD=your-api-key-or-password
@@ -0,0 +1,109 @@
+# =============================================================================
+# PRODUCTION ENVIRONMENT CONFIGURATION
+# =============================================================================
+# This file is loaded when ENV=production
+# Copy to .env.production for your production environment
+# 
+# SECURITY WARNING: Never commit production secrets to version control!
+# Use your deployment platform's secrets management instead.
+
+ENV=production
+
+# =============================================================================
+# SERVER - PRODUCTION
+# =============================================================================
+PORT=8080
+
+# =============================================================================
+# DATABASE - PRODUCTION
+# =============================================================================
+# Use production database credentials
+DB_HOST=your-production-db-host
+DB_PORT=5432
+DB_USER=your-production-db-user
+DB_PASSWORD=your-very-secure-production-password
+DB_NAME=recruitment_db_production
+DB_MAX_CONNS=25
+DB_MIN_CONNS=5
+
+# =============================================================================
+# SECURITY - PRODUCTION
+# =============================================================================
+# CRITICAL: Generate with: openssl rand -base64 32
+JWT_SECRET=REPLACE-WITH-SECURE-RANDOM-STRING-MINIMUM-32-CHARACTERS
+JWT_EXPIRY_DURATION=24h
+
+# OTP Configuration
+EMAIL_VERIFICATION_OTP_DURATION=10m
+PASSWORD_RESET_OTP_DURATION=30m
+
+# =============================================================================
+# ADMIN USER CONFIGURATION
+# =============================================================================
+# Admin user auto-creation settings
+# If both ADMIN_EMAIL and ADMIN_PASSWORD are provided, an admin user will be created
+# automatically during server startup if it doesn't already exist
+
+# Admin user email address
+[email protected]
+
+# Admin user password (minimum 6 characters recommended)
+ADMIN_PASSWORD=secure_admin_password_123
+
+# Optional: Admin user full name (defaults to "System Administrator")
+ADMIN_NAME='System Administrator'
+
+# Optional: Admin user phone number (defaults to "0000000000")
+ADMIN_PHONE=+919876543210
+
+# =============================================================================
+# NETWORK SECURITY - PRODUCTION
+# =============================================================================
+# Trusted proxy IPs - configure based on your infrastructure
+# Examples: load balancer IPs, CDN ranges, reverse proxy IPs
+TRUSTED_PROXIES=your.loadbalancer.ip,your.proxy.ip
+
+# CORS allowed origins - NEVER use * in production!
+# Specify exact frontend domains that should be allowed
+CORS_ALLOWED_ORIGINS=https://yourfrontend.com,https://app.yourcompany.com
+
+# =============================================================================
+# EMAIL - PRODUCTION
+# =============================================================================
+SMTP_HOST=your-production-smtp-host
+SMTP_PORT=587
+SMTP_USER=your-production-smtp-user
+SMTP_PASSWORD=your-production-smtp-password
+[email protected]
+
+# OTP durations (examples: 5m, 10m, 15m, 30m)
+EMAIL_VERIFICATION_OTP_DURATION=10m
+PASSWORD_RESET_OTP_DURATION=30m
+
+# Email Templates - Production (customize for your organization)
+EMAIL_VERIFICATION_SUBJECT=Thank you for applying to IEEE Computer Society VITC. Please verify your email address
+EMAIL_VERIFICATION_BODY=Your OTP is: <strong>{{.OTP}}</strong>. It is valid for {{.DURATION}}.
+EMAIL_RESEND_VERIFICATION_SUBJECT=IEEE Computer Society VITC - New Verification Code
+EMAIL_RESEND_VERIFICATION_BODY=Your new OTP is: <strong>{{.OTP}}</strong>. It is valid for {{.DURATION}}.
+EMAIL_PASSWORD_RESET_SUBJECT=IEEE Computer Society VITC - Password Reset Request
+EMAIL_PASSWORD_RESET_BODY=You have requested to reset your password. Your reset token is: <strong>{{.TOKEN}}</strong>. This token is valid for {{.DURATION}}. If you did not request this reset, please ignore this email.
+EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT=IEEE Computer Society VITC - Password Reset Successful
+EMAIL_PASSWORD_RESET_SUCCESS_BODY=Your password has been successfully reset. If you did not perform this action, please contact support immediately.
+
+# =============================================================================
+# BUSINESS LOGIC - PRODUCTION
+# =============================================================================
+ALLOWED_EMAIL_DOMAINS=youruniversity.edu,yourcompany.com
+MAXIMUM_APPLICATIONS_PER_USER=2
+
+# =============================================================================
+# PRODUCTION SECURITY CHECKLIST
+# =============================================================================
+# □ JWT_SECRET is at least 32 characters and randomly generated
+# □ DB_PASSWORD is strong and unique
+# □ SMTP credentials are valid and secure
+# □ ALLOWED_EMAIL_DOMAINS is properly configured
+# □ TRUSTED_PROXIES contains only your infrastructure IPs
+# □ CORS_ALLOWED_ORIGINS contains only your frontend domains (NO *)
+# □ All secrets are managed through your deployment platform
+# □ This file is not committed to version control