spotlightcam/backend/.env.production.example

# Server
NODE_ENV=production
PORT=3000

# CORS
CORS_ORIGIN=http://localhost

# Database (production)
DATABASE_URL=postgresql://spotlightcam:spotlightcam123@db-prod:5432/spotlightcam?schema=public

# JWT (CHANGE THESE IN PRODUCTION!)
JWT_SECRET=production-secret-key-CHANGE-THIS-IN-REAL-PRODUCTION
JWT_EXPIRES_IN=24h

# AWS SES (REPLACE WITH YOUR CREDENTIALS)
AWS_REGION=eu-central-1
AWS_ACCESS_KEY_ID=your-aws-access-key-id
AWS_SECRET_ACCESS_KEY=your-aws-secret-access-key
SES_FROM_EMAIL=noreply@spotlight.cam
SES_FROM_NAME=spotlight.cam

# Email Settings
FRONTEND_URL=http://localhost
VERIFICATION_TOKEN_EXPIRY=24h

# Security - Rate Limiting
RATE_LIMIT_ENABLED=true
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=100
RATE_LIMIT_AUTH_MAX=5
RATE_LIMIT_EMAIL_MAX=3

# Security - CSRF Protection
ENABLE_CSRF=true

# Security - Body Size Limits
BODY_SIZE_LIMIT=10kb

# Security - Password Policy
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# Security - Account Lockout
ENABLE_ACCOUNT_LOCKOUT=true
MAX_LOGIN_ATTEMPTS=5
LOCKOUT_DURATION_MINUTES=15

# Logging
LOG_LEVEL=warn

# Scheduler
# Enable simple in-process scheduler for auto-matching (enable on exactly one replica)
ENABLE_SCHEDULER=false
# Global tick interval in seconds (e.g., 300 = 5min)
SCHEDULER_INTERVAL_SEC=300
# Per-event minimum time between runs in seconds to avoid thrashing
MATCHING_MIN_INTERVAL_SEC=120

# Cloudflare Turnstile (CAPTCHA)
# Get your secret key from: https://dash.cloudflare.com/
TURNSTILE_SECRET_KEY=your-production-secret-key-here

# Cloudflare TURN/STUN
# Get your credentials from: https://dash.cloudflare.com/ -> Calls -> TURN
CLOUDFLARE_TURN_TOKEN_ID=your-production-turn-token-id-here
CLOUDFLARE_TURN_API_TOKEN=your-production-turn-api-token-here

# Beta Testing
# Auto-assign SUPPORTER tier to new registrations during beta
BETA_AUTO_SUPPORTER=false

# Event Check-in
# Enable date restriction for check-in (event dates ±1 day)
# Set to 'false' for testing or events where QR code access is controlled manually
ENABLE_CHECKIN_DATE_RESTRICTION=false