dea33e3f00
Replaces the spoofable X-User-Id auth with signed HttpOnly sessions after WebAuthn, enforces WRITE-only sync, keeps the master key only in RAM, and adds CORS, rate limits, Helmet, and passkey re-auth for sensitive actions. Co-authored-by: Cursor <cursoragent@cursor.com>
25 lines
880 B
Bash
Executable File
OpenWeatherMapAPIKey=<owm_api_key>

# Passkey configuration (WebAuthn Relying Party ID and Origin)
# For local dev: localhost and http://localhost
# For production: e.g. kapteins-daagbok.eu and https://kapteins-daagbok.eu
RP_ID=localhost
# Must match the frontend URL (Vite dev: http://localhost:5173)
ORIGIN=http://localhost:5173

# API session signing (min. 32 chars; required in production)
# Generate: openssl rand -base64 48
SESSION_SECRET=

# Web Push (VAPID) — generate with: npx web-push generate-vapid-keys
# Public key may also be set on the client as VITE_VAPID_PUBLIC_KEY
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_SUBJECT=mailto:support@kapteins-daagbok.eu

# Feedback via Ntfy (https://ntfy.sh or self-hosted)
# NTFY_TOPIC: topic name only (not the full URL)
NTFY_SERVER=https://ntfy.sh
NTFY_TOPIC=kapteins-daagbok-feedback
NTFY_TOKEN=tk_example_ntfy_access_token
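Review bot: `SESSION_SECRET=` is shipped empty with only a comment saying it is "required in production"; since this example file is routinely copied to `.env` as-is, the comment should state what the server does when the value is missing or shorter than 32 chars (it should refuse to start in production rather than fall back to a development default), and the startup check should match the stated minimum. The commit also introduces CORS, but no allowed-origin variable appears here; if `ORIGIN` doubles as the CORS allow-list as well as the WebAuthn origin, say so in the `# Must match the frontend URL` comment, and note that `RP_ID` must be the registrable domain of `ORIGIN` (as the localhost and kapteins-daagbok.eu pairs already illustrate) so a mismatch in production is caught by reading the file rather than by a failed registration.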