security hardening

2026-05-31 09:35:31 +02:00
parent d7d437a871
commit 01b4734477
31 changed files with 1234 additions and 238 deletions
@@ -16,8 +16,24 @@ ALLOWED_SHOP=linumiq-dev.myshopify.com
 # Must match `scopes` in shopify.app.dev.toml.
 SCOPES=read_orders,write_orders,read_all_orders,read_customers,read_companies,read_files,write_files

+# --- Secrets at rest ---
+# Field-level encryption key for secrets stored in the DB (SMTP password,
+# Shopify session access/refresh tokens). Must be base64 of exactly 32 bytes.
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
+DATA_ENCRYPTION_KEY=REPLACE_ME_BASE64_32_BYTES
+
+# Dedicated HMAC key for signing public GiroCode URLs. base64 of 32 bytes.
+# If unset, the app falls back to SHOPIFY_API_SECRET (kept for backward compat).
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
+GIROCODE_SIGNING_KEY=REPLACE_ME_BASE64_32_BYTES
+
 # --- Runtime ---
 NODE_ENV=production
 PORT=3000

 # DATABASE_URL is set in docker-compose.dev.yml (file:/data/prod.sqlite on the bind mount).
+
+# --- Email (optional) ---
+# Archival BCC for every invoice email. Off by default for privacy/GDPR.
+# Set to a single address or a comma-separated list to opt in.
+# INVOICE_BCC=archive@example.com