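# Production Environment Configuration (TEMPLATE)
#
# This file holds placeholders only. NEVER commit it with real values:
# keep the committed copy as .env.production.example, list .env* in
# .gitignore, and inject real values at deploy time from environment
# variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault).

# --- Server ---------------------------------------------------------------
NODE_ENV=production
PORT=3000

# --- CORS -----------------------------------------------------------------
# Exact origins (scheme + host), comma-separated. Never use "*" in
# production: browsers reject a wildcard origin on credentialed requests,
# and it would also let any site call the API.
CORS_ORIGIN=https://spotlight.cam,https://www.spotlight.cam

# --- Database -------------------------------------------------------------
# Use a managed database or a dedicated account with a strong password.
# NEVER keep default/shared passwords in production.
# The password is embedded in a URL: percent-encode any reserved characters
# in it (e.g. @ -> %40, / -> %2F, : -> %3A) or the URL will not parse.
# "db" looks like a container/service hostname. If the database is reached
# over a network you do not fully control (managed DB, another VPC), use
# its endpoint and require TLS, e.g. append "?sslmode=verify-full".
DATABASE_URL=postgresql://prod_user:STRONG_PASSWORD_HERE@db:5432/spotlightcam_prod

# --- JWT ------------------------------------------------------------------
# CRITICAL: generate a fresh secret per environment; never reuse dev values.
# Generate with: openssl rand -base64 64   (64 random bytes = 88 base64 chars)
JWT_SECRET=CHANGE_THIS_TO_RANDOM_64_CHAR_STRING
# Token lifetime. A JWT cannot be revoked before it expires unless the app
# keeps a server-side denylist, so 24h means a stolen token stays valid for
# a day. If a refresh-token flow exists, prefer a much shorter access-token
# lifetime (e.g. 15m-1h).
JWT_EXPIRES_IN=24h

# --- AWS SES --------------------------------------------------------------
# BEST PRACTICE: run with an IAM role (EC2 instance profile / ECS task role /
# Lambda role) and leave the two key variables unset; the AWS SDK's default
# credential chain then picks up the role's temporary credentials.
# Only set static keys if a role is impossible, and scope them to SES
# (ses:SendEmail / ses:SendRawEmail) on the verified sending identity only.
# The previous placeholders were AWS's public documentation example keys;
# they are removed so secret scanners do not flag them and nobody mistakes
# them for working credentials.
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
SES_FROM_EMAIL=noreply@spotlight.cam
SES_FROM_NAME=spotlight.cam

# --- Email Settings -------------------------------------------------------
# Presumably the base URL for links in outgoing mail; keep it HTTPS and on a
# domain you control, since it ends up in verification/reset links.
FRONTEND_URL=https://spotlight.cam
# Verification tokens should also be single-use; an expiry window alone does
# not stop replay of a leaked link within 24h.
VERIFICATION_TOKEN_EXPIRY=24h

# --- Security Settings (strict) ------------------------------------------
# Rate limits are normally keyed by client IP. If the app sits behind a load
# balancer or reverse proxy (likely, given it listens on an internal port),
# make sure it trusts X-Forwarded-For from that proxy ONLY: otherwise every
# request shares the proxy's IP and the limit blocks everyone, or, if the
# header is trusted blindly, it can be bypassed by spoofing it.
RATE_LIMIT_ENABLED=true
# Window in milliseconds (900000 = 15 minutes)
RATE_LIMIT_WINDOW_MS=900000
# General requests per window
RATE_LIMIT_MAX=100
# Login/auth attempts per window
RATE_LIMIT_AUTH_MAX=5
# Mail-sending actions (verification, reset) per window
RATE_LIMIT_EMAIL_MAX=3
ENABLE_CSRF=true
# Request body cap; raise per route if an endpoint legitimately needs more.
BODY_SIZE_LIMIT=10kb
# warn keeps request details out of routine logs; never run debug in prod.
LOG_LEVEL=warn

# --- Password Policy ------------------------------------------------------
# Minimum length raised from 8 to 12 (OWASP ASVS V2.1.1). Length matters far
# more than composition rules; consider also screening new passwords against
# a breached-password list. Confirm this is enforced only on set/change
# before rollout so existing accounts are not locked out.
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# --- Account Lockout ------------------------------------------------------
# Lockout is presumably keyed per account, so anyone who knows a username
# can lock the victim out on purpose; RATE_LIMIT_AUTH_MAX above limits that
# per IP but does not remove it. Return the same error for "locked" and
# "wrong password" so lockout cannot be used to enumerate valid usernames.
ENABLE_ACCOUNT_LOCKOUT=true
MAX_LOGIN_ATTEMPTS=5
LOCKOUT_DURATION_MINUTES=15

# --- Database Connection Pool --------------------------------------------
DB_POOL_MIN=2
DB_POOL_MAX=10

# --- Monitoring (optional) -----------------------------------------------
# Treat both values as secrets (a DSN lets anyone submit events to your
# project). Before enabling, configure the SDK to scrub request bodies,
# cookies and auth headers so tokens never leave the host.
SENTRY_DSN=
NEW_RELIC_LICENSE_KEY=

# IMPORTANT SECURITY NOTES:
# 1. Generate JWT_SECRET with: openssl rand -base64 64
# 2. Use AWS IAM roles instead of access keys when possible
# 3. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault)
# 4. Never commit .env files to version control; commit only the *.example template
# 5. Rotate all secrets regularly (every 90 days) and immediately on any suspected exposure
# 6. Use strong database passwords (20+ characters, mixed case, numbers, symbols)
#    and percent-encode them inside DATABASE_URL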