# Configuration

## conf.js
A 49-line file that re-exports process.env after require('dotenv').config(). All values are strings or undefined; there is no validation.
### Required at startup
| Var | Used by | Mandatory? |
|---|---|---|
| host, user, password, database, dbPort | modules/dbDriver/lib/mysql.js (callback driver) and per-handler mysql2.createConnection(...) calls | Yes — server boot will log "Something Went Wrong!" without these |
| port (or process.env.port) | server.js:5 — process.env.port \|\| conf.port \|\| 5002 | Optional, default 5002 |
| connectionLimit | modules/dbDriver/lib/mysql.js pool | Optional, MySQL pool default applies |
| debug | modules/dbDriver/lib/mysql.js pool | Optional |
### Required by handlers (per-feature)
| Var | Used by |
|---|---|
| SENDGRID_API_KEY, FROM | email handlers in routes/routes.js (sendgrid @sendgrid/mail) |
| AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, S3_Bucket_Name, S3_Region, S3_Bucket_Name2, S3_Region2, S3_Path, S3_Path2, S3_Bucket_Url2, S3_Path_RAG | S3 access throughout routes/auth.js and routes/routes.js; two buckets in two regions (mirrors someli-api) |
| OPENAI_API_KEY | OpenAI calls in helper/aiLogics.js, routes/auth.js |
| PEXELS_API_KEY, PIXABAY_API_KEY | stock image fetching (helper/stockImage.js) |
| JWT_SECRET_KEY | methods.ensureToken Bearer-JWT verification |
| PUBLISH_KEY | (unclear; likely outbound webhook auth) |
| NOTIFY_URL, APP_URL, API_URL | client-facing URLs for email links etc. |
| LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET | LinkedIn OAuth (likely vestigial — handlers absent) |
| SUPPORT_URL_EXPIRY_MIN | impersonation / support link TTL |
| AWS_BEDROCK_SECRET, AWS_BEDROCK_KEY, AWS_BEDROCK_MODEL, AWS_BEDROCK_REGION | AWS Bedrock (Claude / Llama / Nova) — see helper/aiLogics.js |
| GOOGLE_API_KEY | Google APIs |
| PADDLE_API_KEY, PADDLE_WEBHOOK_KEY, PADDLE_API_DOMAIN, PADDLE_ENV | Paddle (production) |
| CHASKIQ_SECRET | Chaskiq (customer-support chat) integration |
| LEONARDO_KEY | Leonardo AI (image generation) |
| PADDLE_TEST_API_KEY, PADDLE_TEST_WEBHOOK_KEY, PADDLE_TEST_API_DOMAIN, PADDLE_TEST_ENV | Paddle (sandbox) |
| TOKEN_HEADER_KEY | middlewares/auth.js — name of the HTTP header carrying the encrypted token (e.g., Token) |
The .env is not committed (no .env in the repo root). The repo also doesn't ship a .env.example.
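The validation that conf.js lacks can sit in front of it at boot. The following is an added example (not code from this repo): it checks the variables listed in the two tables above before anything opens a DB connection, and fails on a malformed port instead of passing it through. The names REQUIRED_DB_VARS, FEATURE_VARS, parsePort and validateEnv, the feature grouping, and the sample env object are constructed for the example.

```javascript
// Added example, not the repo's conf.js: fail-fast checks for the variables in the
// tables above. REQUIRED_DB_VARS / FEATURE_VARS / validateEnv are constructed names.

// Without these the mysql driver cannot connect ("Required at startup").
const REQUIRED_DB_VARS = ['host', 'user', 'password', 'database', 'dbPort'];

// Only needed when the corresponding feature is enabled ("Required by handlers").
const FEATURE_VARS = {
  email: ['SENDGRID_API_KEY', 'FROM'],
  jwt: ['JWT_SECRET_KEY'],
  s3: ['AWS_ACCESS_KEY', 'AWS_SECRET_ACCESS_KEY', 'S3_Bucket_Name', 'S3_Region'],
};

// Strict TCP port parser: returns a number in 1..65535, or null for anything else.
function parsePort(value) {
  if (typeof value !== 'string' || !/^\d{1,5}$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 && n <= 65535 ? n : null;
}

// Validate a raw env object (process.env after dotenv.config()). Never throws;
// returns { ok, errors, config } so the caller can log the errors and exit.
function validateEnv(env, features = []) {
  const errors = [];
  for (const name of REQUIRED_DB_VARS) {
    if (!env[name]) errors.push(`missing required DB variable ${name}`);
  }
  for (const feature of features) {
    for (const name of FEATURE_VARS[feature] || []) {
      if (!env[name]) errors.push(`feature "${feature}" needs ${name}`);
    }
  }
  // Same lookup order as server.js (lower-case port, then PORT, then 5002),
  // but the winner must actually be a port, not just a truthy string.
  const rawPort = env.port || env.PORT || '5002';
  const port = parsePort(rawPort);
  if (port === null) errors.push(`port "${rawPort}" is not a valid TCP port`);
  const dbPort = parsePort(env.dbPort);
  if (env.dbPort && dbPort === null) errors.push(`dbPort "${env.dbPort}" is not a valid TCP port`);
  // The password is deliberately left out so this object can be logged safely.
  const config = { host: env.host, user: env.user, database: env.database, dbPort, port };
  return { ok: errors.length === 0, errors, config };
}

// Constructed sample .env: letters 'O' typed instead of zeros in port, no SendGrid key.
const sampleEnv = { host: 'db.local', user: 'app', password: 's3cret', database: 'app_db',
  dbPort: '3306', port: '5OO2' };
const result = validateEnv(sampleEnv, ['email']);
if (!result.ok) console.error('Refusing to start:\n  ' + result.errors.join('\n  '));
```

Calling validateEnv(process.env, [...]) before the mysql pool is created turns the opaque "Something Went Wrong!" into a list of the exact variables that are missing or malformed.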
### Not in conf.js but used by code

- process.env.PORT is read directly (in addition to conf.port).
- Handlers sometimes read process.env.X rather than conf.X even when both exist.
## conf/credentials.json
A file named conf/credentials.json is present in this repo. Not inspected during this audit. Most likely a Google service-account JSON for Cloud RAG / Vertex AI access — the same pattern used in someli-api.
Security note: shipping a service-account JSON in the repo is a finding. Verify whether this file is only listed in .gitignore or is actually checked in, and rotate the credentials if it is checked in. See security.md.
## Multi-environment patterns
There is no convention for dev / uat / prod env files in the repo. Each environment loads its own .env at runtime. The PADDLE_ENV / PADDLE_TEST_ENV separation lets one process target either sandbox or production billing, but the rest of the env is single-environment.
## Process port
Default 5002 (same as someli-api and designer-api). This is a collision: if all three are run locally on default ports, only one will bind. Use process.env.port to override; the admin FE expects this API at VITE_API_URL (admin_console_R/src/config/env.ts).