# Configuration
## conf.js

```js
require('dotenv').config();
module.exports = {
  connectionLimit: process.env.connectionLimit,
  host: process.env.host,
  user: process.env.user,
  password: process.env.password,
  database: process.env.database,
  dbPort: process.env.dbPort,
  debug: process.env.debug,
  port: process.env.port,
  SENDGRID_API_KEY: process.env.SENDGRID_API_KEY,
  FROM: process.env.FROM,
  AWS_ACCESS_KEY: process.env.AWS_ACCESS_KEY,
  AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,
  NEWS_API_KEY: process.env.NEWS_API_KEY,
  S3_Bucket_Name: process.env.S3_Bucket_Name,
  S3_Region: process.env.S3_Region,
  S3_Region2: process.env.S3_Region2,
  S3_Path: process.env.S3_Path,
  S3_Path2: process.env.S3_Path2,
  S3_Bucket_Name2: process.env.S3_Bucket_Name2,
  S3_Bucket_Url2: process.env.S3_Bucket_Url2,
  OPENAI_API_KEY: process.env.OPENAI_API_KEY,
  PEXELS_API_KEY: process.env.PEXELS_API_KEY,
  PIXABAY_API_KEY: process.env.PIXABAY_API_KEY
};
```
Strictly smaller surface than Someli-admin-api/conf.js (which has Paddle, Stripe, Bedrock, Leonardo, Chaskiq, JWT, etc.). designer-api lacks:
- Any payments configuration (no Paddle, no Stripe)
- Any AI provider other than OpenAI (no Bedrock, no Gemini, no Vertex; the code uses Polotno Node and OpenAI only, so this is consistent)
- A JWT secret (auth uses a helper/index.js-based custom token, not a Bearer JWT)
- TOKEN_HEADER_KEY (the auth pattern differs from Someli-admin-api's)
### Required at startup

| Var | Used by | Mandatory? |
|---|---|---|
| host, user, password, database, dbPort | modules/dbDriver/lib/mysql.js, every job_*.js, every bot, every routes/routes.js query | yes |
| port | server.js:5 (defaults to 5002) | optional |
| connectionLimit | DB driver pool | optional |
| debug | DB driver | optional |
### Per-feature

| Var | Used by | Status |
|---|---|---|
| SENDGRID_API_KEY, FROM | email handlers in routes | required for email features |
| AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, S3_Bucket_Name, S3_Region, S3_Path, S3_Bucket_Url2, S3_Bucket_Name2, S3_Path2, S3_Region2 | S3 in routes + jobs | required for media |
| OPENAI_API_KEY | bots + routes | required for AI |
| PEXELS_API_KEY, PIXABAY_API_KEY | stock image search | required for stock features |
| NEWS_API_KEY | News API (likely for trendsbot.js) | optional |
## conf/credentials.json

Present. Likely a Google service-account JSON (consistent with Someli-admin-api's file of the same name). Verify whether it is committed to the repository; if so, rotate the credentials.
## Port 5002 collision

server.js defaults to port 5002, the same as someli-api and Someli-admin-api. Running all three on the same machine without overrides means one of them will fail to bind. Set process.env.port per environment.
## Multi-environment

No documented dev/uat/prod env-file convention: each environment loads .env at runtime, and there is no .env.example.
## Hardcoded values in source (teamsnotification.js)

```js
const token = 'xoxb-3144030948916-4162895069441-K1RjRxBuP8k9z6rQAxnmyKS2'
const channel = 'C05H25MDY3Z'
```
A Slack bot token and channel id are hardcoded in the source of teamsnotification.js. Same pattern as Someli-admin-api/routes/auth.js — see security.md for the finding. The token here is different from Someli-admin-api's (different Slack workspace user / scope), so both must be rotated separately.
## Dotenv loading
conf.js calls require('dotenv').config() with no path argument — so it loads .env from the current working directory. When PM2 starts a job from a different directory, the env may not load. Recommendation: require('dotenv').config({ path: path.resolve(__dirname, '.env') }) (as someli-dashboard-be/conf.js already does).
## Polotno license
Not in env vars — likely inside routes/routes.js somewhere (the Polotno SDK requires a license key). Search for polotno.com license calls. If hardcoded in source, rotate and move to env.
## Unsplash key

Spotted in routes/routes.js:

```js
const unsplash = createApi({
  accessKey: 't0uIotWn5vRgDejBjDATYx6jY54WXihewTTtWzBxick',
  fetch: nodeFetch
});
```
An Unsplash access key is hardcoded in source. This is a finding — see security.md. Move to process.env.UNSPLASH_KEY.
## Pixabay key

Spotted in routes/routes.js: it reads conf.PIXABAY_API_KEY (sourced from env via conf.js), so this one is OK.