autocrm/.env.example
Vasyka 51917bcbaf feat: rate limiting + internal health monitor + secure VAPID note
Rate limiting:
- Shop POST endpoints get per-IP throttles with distinct prefixes so login,
  register, password-email, and password-reset have separate buckets:
  login/register/pw-reset = 5/min, pw-email = 3/min
- OcrInvoiceService gates per-tenant via RateLimiter (30/hour) so a runaway
  uploader can't burn Claude Vision spend

Health monitor (poor man's monitoring):
- HealthCheckCommand probes DB (SELECT 1), cache write/read, public storage
  write/read, and most-recent backup age. On any failure, pushes a Telegram
  alert via HEALTH_ALERT_BOT_TOKEN/HEALTH_ALERT_CHAT_ID. Dedups identical
  failures within a 30-min window via cache.
- Scheduled every 10 min. Pair with external uptime monitoring (UptimeRobot,
  Better Stack hitting /up) for total-outage coverage.
- .env.example documents the two new env vars.

VAPID secret hygiene:
- credentials.md no longer stores the VAPID_PRIVATE_KEY; the source of truth
  is the Coolify env on the autocrm app. Doc points to where to read it
  (UI or API). Mitigates accidental git leak.

Tests (4 new):
- shop login throttles after 5 attempts (6th = 429); register throttle is
  independent of login (separate prefix); health command runs clean; dedup
  cache path exercised

Full suite: 138 passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-03 06:37:53 +00:00
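The per-endpoint rate-limit buckets, the per-tenant OCR gate and the 30-minute alert deduplication described in the commit message, as an added Laravel (PHP) example. This is not the commit's own code: it assumes Laravel's RateLimiter, Cache and Http facades, a `services.health_alert` config array mapped from the two new env vars, a `$tenantId` supplied by the caller, and hypothetical limiter and route names.

```php
<?php
// Added example, not the project's code. Assumes Laravel 11; limiter names,
// config keys and the tenant id are hypothetical placeholders.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;

class ThrottleServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // One named limiter per endpoint, each keyed with its own prefix, so the
        // buckets never share a counter: 5 failed logins from an IP leave that
        // IP's register / reset budget untouched, and vice versa.
        RateLimiter::for('shop-login',
            fn (Request $r) => Limit::perMinute(5)->by('login:'.$r->ip()));
        RateLimiter::for('shop-register',
            fn (Request $r) => Limit::perMinute(5)->by('register:'.$r->ip()));
        RateLimiter::for('shop-password-email',
            fn (Request $r) => Limit::perMinute(3)->by('pw-email:'.$r->ip()));
        RateLimiter::for('shop-password-reset',
            fn (Request $r) => Limit::perMinute(5)->by('pw-reset:'.$r->ip()));
        // Attach in routes/web.php, e.g.:
        //   Route::post('/shop/login', ...)->middleware('throttle:shop-login');
        // The 6th request inside the minute gets a 429 with a Retry-After header.
    }
}

/** Per-tenant gate for a paid external call (here: one OCR request). */
class TenantOcrGate
{
    /** Runs $call at most 30 times per tenant per hour; throws 429 otherwise. */
    public function run(string $tenantId, \Closure $call): mixed
    {
        $key = 'ocr:tenant:'.$tenantId;
        // attempt() hits the bucket and runs the closure only while under the
        // limit. The closure must not return false: attempt() uses false for "blocked".
        $result = RateLimiter::attempt($key, 30, $call, 3600);
        if ($result === false) {
            throw new TooManyRequestsHttpException(RateLimiter::availableIn($key));
        }
        return $result;
    }
}

/** Sends a Telegram alert once per distinct failure per 30-minute window. */
class HealthAlerter
{
    public function alertOnce(string $failure): bool
    {
        // Cache::add is set-if-absent (atomic on the Redis store), so two
        // overlapping scheduler runs cannot both send; a different message is a new key.
        $key = 'health:alert:'.sha1($failure);
        if (! Cache::add($key, true, now()->addMinutes(30))) {
            return false; // identical failure already alerted within the window
        }
        $token = config('services.health_alert.token');  // from HEALTH_ALERT_BOT_TOKEN
        Http::post("https://api.telegram.org/bot{$token}/sendMessage", [
            'chat_id' => config('services.health_alert.chat_id'), // from HEALTH_ALERT_CHAT_ID
            'text'    => $failure,
        ]);
        return true;
    }
}
```

Keying the cache entry on a hash of the failure text is what makes the dedup "identical failures only": a DB outage and a stale-backup warning raised in the same window each get their own alert, while the same DB outage reported by three consecutive 10-minute runs produces one message.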


APP_NAME=AutoCRM
APP_ENV=production
APP_KEY=
APP_DEBUG=false
APP_TIMEZONE=Europe/Chisinau
APP_URL=https://service.mir.md
# Multi-tenant
CENTRAL_DOMAIN=service.mir.md
APP_LOCALE=ro
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=ro_RO
APP_MAINTENANCE_DRIVER=file
LOG_CHANNEL=stack
LOG_STACK=daily
LOG_LEVEL=info
LOG_DEPRECATIONS_CHANNEL=null
# DB — filled in at deploy time from Coolify
DB_CONNECTION=mariadb
DB_HOST=g5au90p05p2grua61up8cz8v
DB_PORT=3306
DB_DATABASE=default
DB_USERNAME=mariadb
DB_PASSWORD=
# Sessions / Cache / Queue → Redis
SESSION_DRIVER=redis
SESSION_LIFETIME=120
SESSION_DOMAIN=null
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=lax
CACHE_STORE=redis
CACHE_PREFIX=autocrm
QUEUE_CONNECTION=redis
REDIS_CLIENT=phpredis
REDIS_HOST=z3jdc302kml28j8gjgq8sb74
REDIS_PORT=6379
REDIS_PASSWORD=
REDIS_DB=0
# Broadcasting (Reverb — add when needed)
BROADCAST_CONNECTION=log
# Mail — internal Mailpit
MAIL_MAILER=smtp
MAIL_HOST=autocrm-mailpit
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="noreply@service.mir.md"
MAIL_FROM_NAME="${APP_NAME}"
# Web Push (VAPID) — generate with: php artisan push:vapid
VAPID_SUBJECT=mailto:admin@service.mir.md
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
# Internal health monitor: probes DB/cache/storage/backup every 10 min and sends a
# Telegram alert on failure (identical failures are deduplicated for 30 min).
# Create a separate bot at @BotFather and a private group; add the bot to the group
# and use the group's chat_id (a negative number).
HEALTH_ALERT_BOT_TOKEN=
HEALTH_ALERT_CHAT_ID=
# Storage — local for the MVP, S3-compatible later
FILESYSTEM_DISK=local
# Octane
OCTANE_SERVER=frankenphp
# Misc
BCRYPT_ROUNDS=12
VITE_APP_NAME="${APP_NAME}"
# Boot
RUN_MIGRATIONS=true