puffin-app/.env.example

# ========================================
# ENVIRONMENT VARIABLES TEMPLATE
# ========================================
# Copy this file to .env and fill in your actual values
# NEVER commit .env with real secrets to git!

# === Frontend Variables ===
VITE_API_BASE_URL=https://puffinoffset.com/api
VITE_WREN_API_TOKEN=your_wren_api_token_here
VITE_FORMSPREE_CONTACT_ID=your_formspree_contact_id
VITE_FORMSPREE_OFFSET_ID=your_formspree_offset_id
VITE_STRIPE_PUBLISHABLE_KEY=your_stripe_publishable_key_here

# === Backend Variables ===
NODE_ENV=production
PORT=3001
FRONTEND_URL=https://puffinoffset.com

# === Stripe Configuration ===
# Use sk_test_* keys for testing (no real charges)
# Use sk_live_* keys for production (real charges)
STRIPE_SECRET_KEY=your_stripe_secret_key_here
STRIPE_WEBHOOK_SECRET=your_stripe_webhook_secret_here

# === Wren API Configuration ===
WREN_API_TOKEN=your_wren_api_token_here
# Set to true for testing (no real offsets purchased)
# Set to false for production (real offsets purchased)
WREN_DRY_RUN=true

# === Database Configuration ===
DATABASE_PATH=/app/data/orders.db

# ========================================
# NOTES
# ========================================
#
# STRIPE TEST MODE:
# - Use sk_test_* and pk_test_* keys
# - Test card: 4242 4242 4242 4242 (any future date, any CVC)
# - No real money charged
#
# WREN DRY RUN:
# - WREN_DRY_RUN=true means no real carbon offsets purchased
# - Switch to false when ready for production
#
# PORT MAPPING:
# - PORT=3001 is the internal container port
# - Host exposes backend on port 3801 (3801:3001)
# - Frontend exposed on port 3800
#
Implement comprehensive Stripe security fixes and production deployment CRITICAL SECURITY FIXES: - Add webhook secret validation to prevent signature bypass - Implement idempotency protection across all webhook handlers - Add atomic database updates to prevent race conditions - Improve CORS security with origin validation and logging - Remove .env from git tracking to protect secrets STRIPE INTEGRATION: - Add support for checkout.session.expired webhook event - Add Stripe publishable key to environment configuration - Fix webhook handlers with proper idempotency checks - Update Order model with atomic updatePaymentAndStatus method - Add comprehensive logging for webhook processing DEPLOYMENT ARCHITECTURE: - Split into two Docker images (frontend-latest, backend-latest) - Update CI/CD to build separate frontend and backend images - Configure backend on port 3801 (internal 3001) - Add production-ready docker-compose.yml - Remove redundant docker-compose.portainer.yml - Update nginx configuration for both frontend and backend DOCUMENTATION: - Add PRODUCTION-SETUP.md with complete deployment guide - Add docs/stripe-security-fixes.md with security audit details - Add docs/stripe-checkout-sessions.md with integration docs - Add docs/stripe-webhooks.md with webhook configuration - Update .env.example with all required variables including Stripe publishable key CONFIGURATION: - Consolidate to single .env.example template - Update .gitignore to protect all .env variants - Add server/Dockerfile for backend container - Update DEPLOYMENT.md with new architecture 🔒 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-30 12:18:57 +01:00			`# ========================================`
			`# ENVIRONMENT VARIABLES TEMPLATE`
			`# ========================================`
			`# Copy this file to .env and fill in your actual values`
			`# NEVER commit .env with real secrets to git!`

			`# === Frontend Variables ===`
			`VITE_API_BASE_URL=https://puffinoffset.com/api`
			`VITE_WREN_API_TOKEN=your_wren_api_token_here`
			`VITE_FORMSPREE_CONTACT_ID=your_formspree_contact_id`
			`VITE_FORMSPREE_OFFSET_ID=your_formspree_offset_id`
			`VITE_STRIPE_PUBLISHABLE_KEY=your_stripe_publishable_key_here`

			`# === Backend Variables ===`
			`NODE_ENV=production`
			`PORT=3001`
			`FRONTEND_URL=https://puffinoffset.com`

			`# === Stripe Configuration ===`
			`# Use sk_test_* keys for testing (no real charges)`
			`# Use sk_live_* keys for production (real charges)`
			`STRIPE_SECRET_KEY=your_stripe_secret_key_here`
			`STRIPE_WEBHOOK_SECRET=your_stripe_webhook_secret_here`

			`# === Wren API Configuration ===`
			`WREN_API_TOKEN=your_wren_api_token_here`
			`# Set to true for testing (no real offsets purchased)`
			`# Set to false for production (real offsets purchased)`
			`WREN_DRY_RUN=true`

			`# === Database Configuration ===`
			`DATABASE_PATH=/app/data/orders.db`

			`# ========================================`
			`# NOTES`
			`# ========================================`
			`#`
			`# STRIPE TEST MODE:`
			`# - Use sk_test_* and pk_test_* keys`
			`# - Test card: 4242 4242 4242 4242 (any future date, any CVC)`
			`# - No real money charged`
			`#`
			`# WREN DRY RUN:`
			`# - WREN_DRY_RUN=true means no real carbon offsets purchased`
			`# - Switch to false when ready for production`
			`#`
			`# PORT MAPPING:`
			`# - PORT=3001 is the internal container port`
			`# - Host exposes backend on port 3801 (3801:3001)`
			`# - Frontend exposed on port 3800`
			`#`