# Environment Variables Template for dpm-core-server
# Copy this file to .env and fill in the actual values
# Every value in this template is a placeholder; real credentials belong only
# in the untracked .env (see Important Notes at the bottom).
# ============================================================================
# Cookie Configuration (IMPORTANT: RFC6265 Compliance)
# ============================================================================
# Cookie Domain Configuration
# CRITICAL: Domain MUST NOT start with a dot (.) character per RFC6265
#
# Correct Examples:
# - Local: COOKIE_DOMAIN=localhost
# - Dev: COOKIE_DOMAIN=depromeet.shop (NOT .depromeet.shop)
# - Prod: COOKIE_DOMAIN=depromeet.com (NOT .depromeet.com)
#
# Incorrect Examples (will cause validation error):
# - COOKIE_DOMAIN=.depromeet.shop ❌ WRONG - Tomcat will reject this
# - COOKIE_DOMAIN=.depromeet.com ❌ WRONG - Tomcat will reject this
#
# Why no leading dot?
# - RFC6265 prohibits cookie domains starting with dots
# - Tomcat's Rfc6265CookieProcessor validates and rejects leading dots
# - Modern browsers (Chrome, Firefox, Safari) automatically share cookies
# across subdomains even without the leading dot
#
# Because the cookie is shared across subdomains, the domain you set here is
# the trust boundary for the session cookie: every host under it (api., admin.,
# local-core., ...) receives it. Use the narrowest domain that still works.
COOKIE_DOMAIN=localhost
# Cookie Security Settings
# Set to 'true' for HTTPS environments (dev, prod)
# Set to 'false' for local HTTP development
# With 'false' the cookie is also sent over plain HTTP, so this value is only
# acceptable for local development.
COOKIE_SECURE=false
# Cookie HttpOnly Setting
# When true, cookies cannot be accessed via JavaScript (more secure)
# The template default is 'false'. Set 'true' in dev and prod unless frontend
# code genuinely has to read the cookie.
COOKIE_HTTP_ONLY=false
# ============================================================================
# Database Configuration
# ============================================================================
# Dev database connection; replace the placeholder username and password with
# a database account scoped to the dpm_core schema.
DEV_DB_HOST=localhost
DEV_DB_PORT=3306
DEV_DB_SCHEMA=dpm_core
DEV_DB_USERNAME=your_username
DEV_DB_PASSWORD=your_password
# ============================================================================
# JWT Configuration
# ============================================================================
# Secret key for JWT token signing
# Generate with: openssl rand -base64 64
# Use a distinct, freshly generated secret per environment (local, dev, prod);
# never reuse the placeholder below or share a secret between environments.
JWT_SECRET_KEY=your_jwt_secret_key_here
# Token expiration times (in milliseconds)
# NOTE: the two values below carry trailing inline comments. Not every dotenv
# loader strips inline comments; if the value is read as "3600000 # 1 hour",
# move the comment onto its own line.
ACCESS_TOKEN_EXPIRATION_TIME=3600000 # 1 hour
REFRESH_TOKEN_EXPIRATION_TIME=2592000000 # 30 days
# ============================================================================
# OAuth2 Configuration - Kakao
# ============================================================================
# The client secret is a credential and needs the same handling as
# JWT_SECRET_KEY. The redirect URI must match the one registered with Kakao.
KAKAO_CLIENT_ID=your_kakao_client_id
KAKAO_CLIENT_SECRET=your_kakao_client_secret
KAKAO_REDIRECT_URI=https://api.depromeet.shop/login/oauth2/code/kakao
# ============================================================================
# OAuth2 Configuration - Apple (Local)
# ============================================================================
# Apple Sign In Configuration for Local Environment
# Client ID: Your Apple Service ID (e.g., com.depromeet.core.local)
LOCAL_APPLE_CLIENT_ID=com.depromeet.core.local
# Key ID: Your Apple Key ID (10-character identifier)
LOCAL_APPLE_KEY_ID=your_key_id
# Team ID: Your Apple Developer Team ID
LOCAL_APPLE_TEAM_ID=your_team_id
# Private Key: Your Apple Sign In private key (.p8 file content)
# Copy the entire content of your .p8 file, including BEGIN/END markers
# NOTE: this is a quoted multi-line value. It only works with a dotenv loader
# that supports multi-line quoted strings — confirm with the loader in use;
# otherwise supply the key on one line with escaped newlines, or set it
# directly in the process environment.
LOCAL_APPLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
your_private_key_content_here
-----END PRIVATE KEY-----"
# Redirect URI: Where Apple redirects after authentication
LOCAL_APPLE_REDIRECT_URI=https://local-core.depromeet.shop:3010/login/oauth2/code/apple
# Client Secret: Auto-generated JWT (DO NOT set this manually)
# The placeholder value is never used as a secret; the client secret is built
# at runtime from the key material above.
LOCAL_APPLE_CLIENT_SECRET=generated_by_jwt
# ============================================================================
# OAuth2 Configuration - Apple (Development)
# ============================================================================
# These should be set in your CI/CD pipeline, not locally
# The placeholders below exist so the variable names are documented; keep the
# real dev key material out of .env files on developer machines.
DEV_APPLE_CLIENT_ID=com.depromeet.core.dev
DEV_APPLE_KEY_ID=your_dev_key_id
DEV_APPLE_TEAM_ID=your_team_id
DEV_APPLE_PRIVATE_KEY=your_dev_private_key
DEV_APPLE_REDIRECT_URI=https://core.depromeet.shop/login/oauth2/code/apple
DEV_APPLE_CLIENT_SECRET=generated_by_jwt
# ============================================================================
# OAuth2 Configuration - Apple (Production)
# ============================================================================
# These should be set in your CI/CD pipeline for production
# Same handling as the dev block: placeholders only here, real values only in
# the pipeline's secret store.
PROD_APPLE_CLIENT_ID=com.depromeet.core
PROD_APPLE_KEY_ID=your_prod_key_id
PROD_APPLE_TEAM_ID=your_team_id
PROD_APPLE_PRIVATE_KEY=your_prod_private_key
PROD_APPLE_REDIRECT_URI=https://core.depromeet.com/login/oauth2/code/apple
PROD_APPLE_CLIENT_SECRET=generated_by_jwt
# ============================================================================
# Redirect URLs
# ============================================================================
# Frontend URLs for redirect after login/logout
# Users are sent to these URLs after authentication, so keep them pointed at
# origins this project controls.
REDIRECT_URL=https://core.depromeet.shop
ADMIN_REDIRECT_URL=https://admin.depromeet.shop
SWAGGER_URL=http://localhost:8080/swagger-ui/index.html
# Security URLs
LOGOUT_URL=/logout
# ============================================================================
# CORS Configuration
# ============================================================================
# CORS allowed origins are configured in application.yml
# See: application/src/main/resources/application.yml
#
# The list below is documentation only and is not read from this file; keep it
# in sync with application.yml when origins are added or removed.
#
# Allowed origins include:
# - https://localhost:3000
# - https://local.depromeet.shop
# - https://local-core.depromeet.shop:3010
# - https://local-admin.depromeet.shop:3020
# - https://core.depromeet.shop
# - https://admin.depromeet.shop
# - https://api.depromeet.shop
# - https://core.depromeet.com
# - https://admin.depromeet.com
# - https://api.depromeet.com
# ============================================================================
# Additional Configuration
# ============================================================================
# Cohort value (for AB testing or feature flags)
COHORT_VALUE=17
# Session attendance configuration
# Hour of day (24h clock) at which session attendance starts — confirm the
# timezone the server uses to interpret it.
SESSION_ATTENDANCE_START_HOUR=14
# Attendance graduation thresholds
# Counts at which graduation becomes impossible / at risk; the exact unit
# (absences or sessions) is defined by the application, not here.
ATTENDANCE_GRADUATION_IMPOSSIBLE_THRESHOLD=4
ATTENDANCE_GRADUATION_AT_RISK_THRESHOLD=3
# Security logging level
# DEBUG is meant for local troubleshooting. Use INFO or higher outside local
# so authentication details are not written at debug verbosity — confirm what
# the security logger emits at each level before relying on this.
SECURITY_LOGGING_LEVEL=DEBUG
# ============================================================================
# Important Notes
# ============================================================================
# 1. NEVER commit .env file to git (it's in .gitignore)
# 2. Keep JWT_SECRET_KEY secure and random
# 3. Rotate Apple private keys periodically (per Apple's requirements)
# 4. Cookie domain MUST NOT start with a dot (see RFC6265 above)
# 5. Use different redirect URIs for local, dev, and prod
# 6. Test OAuth2 flow in each environment before deployment
# 7. Never replace a placeholder in this template (.env.example) with a real
#    value; this file IS committed