TurboTrades/.env.production.template

# Production Environment Variables Template
# Copy this to .env and fill in your actual values

# =============================================================================
# SERVER CONFIGURATION
# =============================================================================
NODE_ENV=production
PORT=3000
HOST=0.0.0.0

# =============================================================================
# DATABASE
# =============================================================================
# Production MongoDB connection (MongoDB Atlas or remote server)
MONGODB_URI=mongodb+srv://username:password@cluster.mongodb.net/turbotrades?retryWrites=true&w=majority

# =============================================================================
# STEAM AUTHENTICATION
# =============================================================================
# Get your Steam API key from: https://steamcommunity.com/dev/apikey
STEAM_API_KEY=YOUR_STEAM_API_KEY_HERE

# Steam OAuth URLs - MUST match your production domain
STEAM_REALM=https://api.turbotrades.dev
STEAM_RETURN_URL=https://api.turbotrades.dev/auth/steam/return

# =============================================================================
# CORS & COOKIES
# =============================================================================
# Frontend domain - where requests come from
CORS_ORIGIN=https://turbotrades.dev

# Cookie configuration for production
COOKIE_DOMAIN=.turbotrades.dev
COOKIE_SECURE=true
COOKIE_SAME_SITE=none

# =============================================================================
# JWT SECRETS
# =============================================================================
# Generate secure random strings for production!
# You can use: openssl rand -base64 32
JWT_ACCESS_SECRET=your-super-secret-jwt-access-key-change-this-in-production
JWT_REFRESH_SECRET=your-super-secret-jwt-refresh-key-change-this-in-production
JWT_ACCESS_EXPIRY=15m
JWT_REFRESH_EXPIRY=7d

# Session secret
SESSION_SECRET=your-super-secret-session-key-change-this-in-production

# =============================================================================
# RATE LIMITING
# =============================================================================
RATE_LIMIT_MAX=100
RATE_LIMIT_TIMEWINDOW=60000

# =============================================================================
# WEBSOCKET
# =============================================================================
WS_PING_INTERVAL=30000
WS_MAX_PAYLOAD=1048576

# =============================================================================
# EMAIL (Optional - for future features)
# =============================================================================
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASS=your-app-password
EMAIL_FROM=noreply@turbotrades.com

# =============================================================================
# IMPORTANT NOTES
# =============================================================================
#
# 1. STEAM_REALM and STEAM_RETURN_URL must use your API domain (api.turbotrades.dev)
# 2. CORS_ORIGIN should be your frontend domain (turbotrades.dev)
# 3. COOKIE_DOMAIN should start with a dot for subdomain support (.turbotrades.dev)
# 4. COOKIE_SECURE must be true in production (requires HTTPS)
# 5. COOKIE_SAME_SITE should be 'none' for cross-domain cookies with HTTPS
# 6. Generate new JWT secrets for production (never use the defaults!)
#
# =============================================================================