chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/nitro.config.ts
chahinebrini 0e4c3787c2 feat(backend): DoH handshake endpoint for protected-device auto-activation 
POST /api/devices/protected/handshake — server-to-server endpoint called by
the AdGuard log-watcher whenever a Mac with our DNS-profile makes a DoH query
with its dnsToken embedded in the path (/dns-query/<token>).

- Idempotent: pending → active on first hit, lastDnsQueryAt always updated
- Auth: shared secret via x-handshake-secret (Infisical: HANDSHAKE_SECRET,
  must be set before enabling the watcher)
- Revoked tokens are silently ignored (no info leak to potential attackers)
- Realtime publication added so the native app auto-advances the AddMacSheet
  flow when status flips (no "I've installed it" button needed anymore)
2026-05-15 22:41:17 +02:00

94 lines
5.4 KiB
TypeScript
Raw Blame History

import { defineNitroConfig } from "nitropack/config";
export default defineNitroConfig({
compatibilityDate: "latest",
srcDir: "server",
preset: "node-server",
// Supabase als external dep — nicht bundlen
externals: {
inline: [/^(?!@supabase\/supabase-js)/],
},
imports: {
dirs: ["db", "db/**", "utils", "utils/**"],
exclude: ["**/node_modules/**"],
},
runtimeConfig: {
// ─── Database / Core ─────────────────────────────────────────────────
databaseUrl: process.env.DATABASE_URL ?? process.env.NUXT_DATABASE_URL ?? "",
encryptionKey: process.env.ENCRYPTION_KEY ?? "",
// ─── Admin / Cron ────────────────────────────────────────────────────
adminSecret: process.env.ADMIN_SECRET ?? "",
cronSecret: process.env.CRON_SECRET ?? "",
// Shared secret for AdGuard→Backend DoH-handshake (POST /api/devices/protected/handshake).
// Set in Infisical as HANDSHAKE_SECRET before enabling AdGuard webhook.
handshakeSecret: process.env.HANDSHAKE_SECRET ?? "",
// ─── LLM-Provider ────────────────────────────────────────────────────
// Infisical staging hat NUXT_*-prefix für openrouter+groq, andere ohne.
openrouterApiKey: process.env.OPENROUTER_API_KEY ?? process.env.NUXT_OPENROUTER_API_KEY ?? "",
openaiApiKey: process.env.OPENAI_API_KEY ?? process.env.NUXT_OPENAI_API_KEY ?? "",
groqApiKey: process.env.GROQ_API_KEY ?? process.env.NUXT_GROQ_API_KEY ?? "",
googleAiApiKey: process.env.GOOGLE_AI_API_KEY ?? "",
// ─── TTS-Provider ────────────────────────────────────────────────────
googleApiKey: process.env.GOOGLE_API_KEY ?? process.env.NUXT_GOOGLE_API_KEY ?? "",
deepgramApiKey: process.env.DEEPGRAM_API_KEY ?? process.env.NUXT_DEEPGRAM_API_KEY ?? "",
azureTtsKey: process.env.AZURE_TTS_KEY ?? "",
azureTtsRegion: process.env.AZURE_TTS_REGION ?? "",
// NEU im backend/-Layout (existieren in nuxt.config.ts NICHT, aber backend code liest sie)
cartesiaApiKey: process.env.CARTESIA_API_KEY ?? "",
cartesiaVoiceId: process.env.CARTESIA_VOICE_ID ?? "",
elevenlabsApiKey: process.env.ELEVENLABS_API_KEY ?? "",
elevenlabsVoiceId: process.env.ELEVENLABS_VOICE_ID ?? "",
// ─── Supabase (Server-only) ──────────────────────────────────────────
// Im alten Nuxt-Layout via @nuxtjs/supabase auto-injected. In standalone Nitro
// explizit deklarieren, damit auth/middleware nicht 500't.
// server/utils/auth.ts:32 liest `config.public.supabase ?? config.supabase`,
// also beide Pfade müssen existieren.
// Infisical staging-Namen: SUPABASE_KEY (nicht ANON_KEY), SUPABASE_SERVICE_KEY
// (nicht SERVICE_ROLE_KEY). NIE umbenennen ohne Infisical-secret-rotation.
supabaseUrl: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
supabaseAnonKey: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
supabaseServiceKey: process.env.SUPABASE_SERVICE_KEY ?? process.env.SUPABASE_SERVICE_ROLE_KEY ?? "",
// ─── Stripe ──────────────────────────────────────────────────────────
stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",
// ─── Email / External APIs ───────────────────────────────────────────
resendApiKey: process.env.RESEND_API_KEY ?? "",
// ─── Microsoft OAuth (PKCE, Public Client) ───────────────────────────────
// Client-ID der Azure-App-Registrierung "Rebreak Mail Access".
// Tenant: 'common' (Multi-Tenant + Personal-Accounts) — hardcoded im Code.
// Kein client_secret: Public Client / PKCE-Flow (keine Client-Secret-Exposure).
// Infisical secret name: MS_OAUTH_CLIENT_ID
msOauthClientId: process.env.MS_OAUTH_CLIENT_ID ?? "427575e1-0ec5-4468-b4a2-7ae3ce99a154",
// ─── Bot-User-IDs (DB-User-References für Lyra/Rebreak-Bot-Posts) ────
lyraBotUserId: process.env.LYRA_BOT_USER_ID ?? "",
rebreakBotUserId: process.env.REBREAK_BOT_USER_ID ?? "",
// ─── Public (client-readable) ────────────────────────────────────────
public: {
stripePublishableKey: process.env.STRIPE_PUBLISHABLE_KEY ?? "",
appUrl: process.env.APP_URL ?? "https://staging.rebreak.org",
apiBase: process.env.API_BASE ?? "https://staging.rebreak.org",
// server/utils/auth.ts liest config.public.supabase.{url,key}
// — wenn das fehlt, 500-cascade auf allen authentifizierten Routes
// (Incident 2026-05-06).
supabase: {
url:
process.env.SUPABASE_URL ??
"https://db-staging.rebreak.org",
key: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
},
},
},
});
Reference in New Issue View Git Blame Copy Permalink