CooperandGoodman/yolkbook
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
yolkbook/.env.example
derekc 2d3ad3a06c Add login lockout with ntfy alerts and update docs 
- Lock accounts for 15 minutes after 5 consecutive failed login attempts
- Send urgent ntfy notification when an account is locked
- Send high-priority ntfy notification on login attempt against a locked account
- Auto-reset lockout on expiry; reset counter on successful login
- Add v2.4 migration for failed_login_attempts and locked_until columns
- Add ALLOWED_ORIGINS and SECURE_COOKIES to .env.example
- Update README: lockout row in security table, new ntfy events

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 23:11:30 -07:00

38 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

# Copy this file to .env and fill in your values before starting the stack.
# cp .env.example .env
# ── MySQL ─────────────────────────────────────────────────────────────────────
# Use strong random passwords — generate with: openssl rand -hex 16
MYSQL_ROOT_PASSWORD=change_me
MYSQL_DATABASE=eggtracker
MYSQL_USER=eggtracker
MYSQL_PASSWORD=change_me
# ── Super admin ───────────────────────────────────────────────────────────────
# This account is created (and its password synced) automatically on every startup.
# Use a strong password of at least 10 characters.
ADMIN_USERNAME=admin
ADMIN_PASSWORD=change_me
# ── JWT signing secret ────────────────────────────────────────────────────────
# Generate a strong random value before deploying:
# openssl rand -hex 32
JWT_SECRET=change_me
# ── CORS ─────────────────────────────────────────────────────────────────────
# Comma-separated list of external origins that may call the API.
# Leave empty if the API is only accessed via the bundled nginx frontend (same-origin).
# Example: ALLOWED_ORIGINS=https://myapp.example.com,https://admin.example.com
ALLOWED_ORIGINS=
# ── Cookies ───────────────────────────────────────────────────────────────────
# Set to false only when testing locally over plain HTTP (no HTTPS/NRP)
SECURE_COOKIES=true
# ── Ntfy push notifications (optional) ───────────────────────────────────────
# Sends alerts for: new registrations, admin logins, user disable/delete, impersonation.
# Use https://ntfy.sh/your-secret-topic or a self-hosted ntfy URL.
# Leave blank to disable notifications entirely.
NTFY_URL=
NTFY_TOKEN=
Reference in New Issue View Git Blame Copy Permalink