tududi/backend/.env.example
Chris ccce778cb7
fix: restore password migration COALESCE and add trust proxy diagnostics (#1057)
* fix: restore password migration COALESCE and add trust proxy diagnostics

This commit addresses two critical issues affecting user login:

1. Password Migration Fix:
   - Restore COALESCE(password_digest, password) in migration 20260420000004
   - The COALESCE fix from commit d1aa6086 was accidentally reverted
   - Handles both v1.0.0 column naming (password) and current (password_digest)
   - Allows users from v1.0.0 to successfully log in after migration

2. Trust Proxy Configuration Improvements:
   - Add startup logging to show trust proxy configuration value
   - Add config parsing logging to diagnose env variable issues
   - Add trust proxy status to /health endpoint
   - Improve error messages for ERR_ERL_UNEXPECTED_X_FORWARDED_FOR
   - Update .env.example with comprehensive trust proxy documentation

3. Diagnostic Tools:
   - Add backend/scripts/diagnose-password-migration.js script
   - Script checks database schema and identifies affected users
   - Provides actionable recovery steps

4. Documentation:
   - Add docs/troubleshooting/migration-issues.md
   - Covers password migration issues and trust proxy configuration
   - Includes Docker-specific troubleshooting steps
   - Provides step-by-step recovery procedures

Files changed:
- backend/migrations/20260420000004-make-password-optional.js (restore COALESCE)
- backend/app.js (add trust proxy logging)
- backend/config/config.js (add config parsing logging)
- backend/shared/middleware/errorHandler.js (better trust proxy errors)
- backend/scripts/diagnose-password-migration.js (new diagnostic tool)
- backend/.env.example (improved trust proxy documentation)
- docs/troubleshooting/migration-issues.md (new troubleshooting guide)

* docs: remove troubleshooting documentation file

* fix: resolve CodeQL false positives in diagnostic script

Rename variables to avoid CodeQL flagging them as sensitive data:
- hasPassword -> passwordColumnExists
- hasPasswordDigest -> passwordDigestColumnExists
- users_with_password -> count_with_digest
- users_without_password -> count_without_digest

These variables only contain booleans and counts, not actual password data.
2026-04-23 01:03:19 +03:00

NODE_ENV=development
HOST=0.0.0.0
PORT=3002
# Database file path (defaults to db/{NODE_ENV}.sqlite3)
# DB_FILE=db/development.sqlite3
FRONTEND_URL=http://localhost:8080
BACKEND_URL=http://localhost:3002
TUDUDI_USER_EMAIL=admin@example.com
TUDUDI_USER_PASSWORD=change-me-to-secure-password
TUDUDI_SESSION_SECRET=your-random-64-character-hex-string-here
ENABLE_EMAIL=false
EMAIL_SMTP_HOST=smtp.gmail.com
EMAIL_SMTP_PORT=587
EMAIL_SMTP_SECURE=false
EMAIL_SMTP_USERNAME=your-email@example.com
EMAIL_SMTP_PASSWORD=your-app-password
EMAIL_FROM_ADDRESS=noreply@example.com
EMAIL_FROM_NAME=Tududi
REGISTRATION_TOKEN_EXPIRY_HOURS=24
DISABLE_SCHEDULER=false
DISABLE_TELEGRAM=false
# Feature Flags
FF_ENABLE_BACKUPS=false
FF_ENABLE_CALENDAR=false
FF_ENABLE_HABITS=false
FF_ENABLE_MCP=false
# Trust Proxy Configuration
# REQUIRED when running behind a reverse proxy (Nginx, Caddy, Traefik, etc.)
# This allows Express to correctly read client IPs from X-Forwarded-For headers
# Without this setting, you will see rate limiting errors like:
# "ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false"
#
# IMPORTANT: For Docker, ensure this is set in your environment variables or docker-compose.yml
# NOT just in this .env file, as Docker may not mount .env files by default
#
# Supported values:
# true - Trust all proxies (recommended for most setups)
# false - Don't trust any proxies (default)
# 1 - Trust the first hop only
# loopback - Trust loopback addresses (127.0.0.1/::1)
# 172.16.0.0/12 - Trust a specific subnet
#
# For troubleshooting, see: docs/troubleshooting/migration-issues.md
TUDUDI_TRUST_PROXY=true
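The values listed above decide which X-Forwarded-For hops Express believes, and therefore which address `req.ip` (the rate limiter's key) resolves to. The block below is an added example, not tududi's own code: an IPv4-only re-implementation of the walk that Express's `proxy-addr` performs, run over constructed addresses so you can check what each setting yields for a request through your proxy and for a direct connection that bypasses it.

```javascript
// Added example (not part of tududi): an IPv4-only re-implementation of how
// Express / proxy-addr resolve req.ip for the TUDUDI_TRUST_PROXY values above.
// req.ip is what the rate limiter keys on, so this shows what each value trusts.

// Parse "a.b.c.d" to an unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const p = String(ip).split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Turn a setting value into a predicate (addr, hopIndex) => trusted?
function compileTrust(setting) {
  const s = String(setting);
  if (s === 'true') return () => true;                  // trust every hop
  if (s === 'false') return () => false;                // trust nothing
  if (/^\d+$/.test(s)) return (_a, i) => i < Number(s); // "1": first N hops only
  if (s === 'loopback') return (a) => a === '::1' || a.startsWith('127.');
  const [net, bits = '32'] = s.split('/');              // "172.16.0.0/12": a subnet
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  const netInt = (ipv4ToInt(net) & mask) >>> 0;
  return (a) => {
    const v = ipv4ToInt(a);
    return v !== null && ((v & mask) >>> 0) === netInt;
  };
}

// Mirror proxy-addr: start at the TCP peer, walk X-Forwarded-For right to left,
// and stop at the first address that is not trusted; that address is the client.
function resolveClientIp(socketAddr, xForwardedFor, setting) {
  const trust = compileTrust(setting);
  const chain = [socketAddr];
  if (xForwardedFor) {
    chain.push(...xForwardedFor.split(',').map((h) => h.trim()).filter(Boolean).reverse());
  }
  let i = 0;
  while (i < chain.length - 1 && trust(chain[i], i)) i++;
  return chain[i];
}

// Constructed scenarios: a request via a proxy on 172.18.0.2, and a direct
// connection that carries a header the proxy never added.
console.log(resolveClientIp('172.18.0.2', '198.51.100.7', '172.16.0.0/12'));  // 198.51.100.7
console.log(resolveClientIp('203.0.113.9', '198.51.100.7', '172.16.0.0/12')); // 203.0.113.9
console.log(resolveClientIp('203.0.113.9', '198.51.100.7', 'true'));          // 198.51.100.7
```

With `true`, a header on a direct connection is taken at face value, so the backend should not be reachable except through the proxy; naming the proxy's subnet or hop count limits trust to the path you control.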
# Disable HSTS (HTTP Strict Transport Security) headers
# Set to 'true' for local development when running production builds on HTTP
# NEVER enable this in actual production deployments with HTTPS
# DISABLE_HSTS=false
# OIDC/SSO Configuration
# See docs/10-oidc-sso.md for detailed setup instructions
OIDC_ENABLED=false
# BASE_URL=https://your-domain.com # Required for OIDC callbacks
# Password Authentication
# Set to false to disable password login/registration (SSO-only mode)
# Default: true (password auth enabled)
PASSWORD_AUTH_ENABLED=true
# Single provider configuration
# OIDC_PROVIDER_NAME=PocketID
# OIDC_PROVIDER_SLUG=pocketid
# OIDC_ISSUER_URL=https://pocketid.app
# OIDC_CLIENT_ID=your-client-id
# OIDC_CLIENT_SECRET=your-client-secret
# OIDC_SCOPE=openid profile email
# OIDC_AUTO_PROVISION=true
# OIDC_ADMIN_EMAIL_DOMAINS=example.com,company.com
# For multiple providers, use numbered variables:
# OIDC_PROVIDER_1_NAME=Google
# OIDC_PROVIDER_1_SLUG=google
# OIDC_PROVIDER_1_ISSUER=https://accounts.google.com
# OIDC_PROVIDER_1_CLIENT_ID=xxx.apps.googleusercontent.com
# OIDC_PROVIDER_1_CLIENT_SECRET=xxx
# OIDC_PROVIDER_1_AUTO_PROVISION=true
# CalDAV Synchronization
# See docs/feature-plans/01-caldav-sync.md for detailed documentation
CALDAV_ENABLED=false
# Encryption key for storing remote calendar passwords
# If not set, falls back to TUDUDI_SESSION_SECRET
# ENCRYPTION_KEY=your-256-bit-encryption-key
# CalDAV defaults
# CALDAV_DEFAULT_SYNC_INTERVAL=15 # Minutes
# CALDAV_MAX_RECURRING_INSTANCES=365 # Number of future instances to expand
# CALDAV_CONFLICT_RESOLUTION=last_write_wins
# Performance settings
# CALDAV_RATE_LIMIT=60 # Requests per minute
# CALDAV_MAX_SYNC_TASKS=1000 # Max tasks per sync
# CALDAV_REQUEST_TIMEOUT=30000 # Milliseconds
# Debugging
# CALDAV_LOG_LEVEL=info
# CALDAV_LOG_REQUESTS=false