chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/nitro.config.ts
chahinebrini bdfcc40a6c feat(auth-hook): send-email hook for dynamic sender-name + i18n subject 
GoTrue-Send-Email-Hook (v2.155+) → backend rendert Mails selbst, schickt
via Brevo Transactional API. Vorteil: pro Mail-Typ × Locale eigener
Sender-Display-Name UND Subject (GoTrue's eingebauter Mailer ist global
statisch).

Files:
- backend/server/utils/mail/templates.ts — 5 mail-types × 4 locales
  Sender-Name, Subject, Title, Body, HelpText, Privacy-Label.
  HTML-Renderer mit Nunito + Icon + DSGVO-Footer (analog public/templates).
- backend/server/utils/mail/brevo.ts — Brevo Transactional API client
  (POST /v3/smtp/email, separate REST-API-Key vom SMTP-Key)
- backend/server/api/auth-hooks/send-email.post.ts — Endpoint mit
  Standard-Webhooks Signature-Verify (HMAC-SHA256, timing-safe compare,
  multi-secret-rotation support)
- backend/nitro.config.ts — runtimeConfig: brevoApiKey,
  hookSendEmailSecrets, mailSenderEmail

Requires (außerhalb dieses commits):
- Infisical staging: BREVO_API_KEY (✓), HOOK_SEND_EMAIL_SECRETS (✓)
- docker-compose: GOTRUE_HOOK_SEND_EMAIL_{ENABLED,URI,SECRETS} (✓)
- GoTrue upgrade v2.154 → v2.189 (✓, mit auth.factor_type owner-transfer)
2026-05-19 18:04:14 +02:00

114 lines
6.6 KiB
TypeScript
Raw Blame History

import { defineNitroConfig } from "nitropack/config";
export default defineNitroConfig({
compatibilityDate: "latest",
srcDir: "server",
preset: "node-server",
// Static-Assets explizit: GoTrue lädt Mail-Templates von
// https://api.staging.rebreak.org/templates/*.html → kommt aus public/templates/.
// Default-publicAssets greift nicht zuverlässig wenn srcDir auf "server" zeigt.
publicAssets: [
{ baseURL: "/", dir: "../public", maxAge: 60 * 60 },
],
// Supabase als external dep — nicht bundlen
externals: {
inline: [/^(?!@supabase\/supabase-js)/],
},
imports: {
dirs: ["db", "db/**", "utils", "utils/**"],
exclude: ["**/node_modules/**"],
},
runtimeConfig: {
// ─── Database / Core ─────────────────────────────────────────────────
databaseUrl: process.env.DATABASE_URL ?? process.env.NUXT_DATABASE_URL ?? "",
encryptionKey: process.env.ENCRYPTION_KEY ?? "",
// ─── Admin / Cron ────────────────────────────────────────────────────
adminSecret: process.env.ADMIN_SECRET ?? "",
cronSecret: process.env.CRON_SECRET ?? "",
// Shared secret for AdGuard→Backend DoH-handshake (POST /api/devices/protected/handshake).
// Set in Infisical as HANDSHAKE_SECRET before enabling AdGuard webhook.
handshakeSecret: process.env.HANDSHAKE_SECRET ?? "",
// ─── LLM-Provider ────────────────────────────────────────────────────
// Infisical staging hat NUXT_*-prefix für openrouter+groq, andere ohne.
openrouterApiKey: process.env.OPENROUTER_API_KEY ?? process.env.NUXT_OPENROUTER_API_KEY ?? "",
openaiApiKey: process.env.OPENAI_API_KEY ?? process.env.NUXT_OPENAI_API_KEY ?? "",
groqApiKey: process.env.GROQ_API_KEY ?? process.env.NUXT_GROQ_API_KEY ?? "",
googleAiApiKey: process.env.GOOGLE_AI_API_KEY ?? "",
// ─── TTS-Provider ────────────────────────────────────────────────────
googleApiKey: process.env.GOOGLE_API_KEY ?? process.env.NUXT_GOOGLE_API_KEY ?? "",
deepgramApiKey: process.env.DEEPGRAM_API_KEY ?? process.env.NUXT_DEEPGRAM_API_KEY ?? "",
azureTtsKey: process.env.AZURE_TTS_KEY ?? "",
azureTtsRegion: process.env.AZURE_TTS_REGION ?? "",
// NEU im backend/-Layout (existieren in nuxt.config.ts NICHT, aber backend code liest sie)
cartesiaApiKey: process.env.CARTESIA_API_KEY ?? "",
cartesiaVoiceId: process.env.CARTESIA_VOICE_ID ?? "",
elevenlabsApiKey: process.env.ELEVENLABS_API_KEY ?? "",
elevenlabsVoiceId: process.env.ELEVENLABS_VOICE_ID ?? "",
// ─── Supabase (Server-only) ──────────────────────────────────────────
// Im alten Nuxt-Layout via @nuxtjs/supabase auto-injected. In standalone Nitro
// explizit deklarieren, damit auth/middleware nicht 500't.
// server/utils/auth.ts:32 liest `config.public.supabase ?? config.supabase`,
// also beide Pfade müssen existieren.
// Infisical staging-Namen: SUPABASE_KEY (nicht ANON_KEY), SUPABASE_SERVICE_KEY
// (nicht SERVICE_ROLE_KEY). NIE umbenennen ohne Infisical-secret-rotation.
supabaseUrl: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
supabaseAnonKey: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
supabaseServiceKey: process.env.SUPABASE_SERVICE_KEY ?? process.env.SUPABASE_SERVICE_ROLE_KEY ?? "",
// ─── Stripe ──────────────────────────────────────────────────────────
stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",
// ─── Email / External APIs ───────────────────────────────────────────
resendApiKey: process.env.RESEND_API_KEY ?? "",
// ─── Brevo (Mail-Versand) ────────────────────────────────────────────
// Auth-Hook (send-email.post.ts) → Brevo Transactional API.
// BREVO_API_KEY ist Brevo REST API-Key (Format: xkeysib-...),
// separater Key vom SMTP-Key der für GoTrue-Fallback genutzt wird.
brevoApiKey: process.env.BREVO_API_KEY ?? "",
// Send-Email-Hook Webhook-Secret (Standard-Webhooks Format).
// Liste comma-separated: "v1,whsec_<base64>" (multi-secret für Rotation).
// Muss IDENTISCH zu GOTRUE_HOOK_SEND_EMAIL_SECRETS im docker-compose sein.
hookSendEmailSecrets: process.env.HOOK_SEND_EMAIL_SECRETS ?? "",
// Sender-Email-Adresse im From-Header. Sender-Name wird pro Mail-Typ
// dynamisch in templates.ts gesetzt.
mailSenderEmail: process.env.MAIL_SENDER_EMAIL ?? "welcome@rebreak.org",
// ─── Microsoft OAuth (PKCE, Public Client) ───────────────────────────────
// Client-ID der Azure-App-Registrierung "Rebreak Mail Access".
// Tenant: 'common' (Multi-Tenant + Personal-Accounts) — hardcoded im Code.
// Kein client_secret: Public Client / PKCE-Flow (keine Client-Secret-Exposure).
// Infisical secret name: MS_OAUTH_CLIENT_ID
msOauthClientId: process.env.MS_OAUTH_CLIENT_ID ?? "427575e1-0ec5-4468-b4a2-7ae3ce99a154",
// ─── Bot-User-IDs (DB-User-References für Lyra/Rebreak-Bot-Posts) ────
lyraBotUserId: process.env.LYRA_BOT_USER_ID ?? "",
rebreakBotUserId: process.env.REBREAK_BOT_USER_ID ?? "",
// ─── Public (client-readable) ────────────────────────────────────────
public: {
stripePublishableKey: process.env.STRIPE_PUBLISHABLE_KEY ?? "",
appUrl: process.env.APP_URL ?? "https://staging.rebreak.org",
apiBase: process.env.API_BASE ?? "https://staging.rebreak.org",
// server/utils/auth.ts liest config.public.supabase.{url,key}
// — wenn das fehlt, 500-cascade auf allen authentifizierten Routes
// (Incident 2026-05-06).
supabase: {
url:
process.env.SUPABASE_URL ??
"https://db-staging.rebreak.org",
key: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
},
},
},
});
Reference in New Issue View Git Blame Copy Permalink