puffin-app/.env.example


Implement comprehensive Stripe security fixes and production deployment

CRITICAL SECURITY FIXES:
- Add webhook secret validation to prevent signature bypass
- Implement idempotency protection across all webhook handlers
- Add atomic database updates to prevent race conditions
- Improve CORS security with origin validation and logging
- Remove .env from git tracking to protect secrets

STRIPE INTEGRATION:
- Add support for checkout.session.expired webhook event
- Add Stripe publishable key to environment configuration
- Fix webhook handlers with proper idempotency checks
- Update Order model with atomic updatePaymentAndStatus method
- Add comprehensive logging for webhook processing

DEPLOYMENT ARCHITECTURE:
- Split into two Docker images (frontend-latest, backend-latest)
- Update CI/CD to build separate frontend and backend images
- Configure backend on port 3801 (internal 3001)
- Add production-ready docker-compose.yml
- Remove redundant docker-compose.portainer.yml
- Update nginx configuration for both frontend and backend

DOCUMENTATION:
- Add PRODUCTION-SETUP.md with complete deployment guide
- Add docs/stripe-security-fixes.md with security audit details
- Add docs/stripe-checkout-sessions.md with integration docs
- Add docs/stripe-webhooks.md with webhook configuration
- Update .env.example with all required variables including Stripe publishable key

CONFIGURATION:
- Consolidate to single .env.example template
- Update .gitignore to protect all .env variants
- Add server/Dockerfile for backend container
- Update DEPLOYMENT.md with new architecture

🔒 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-30 12:18:57 +01:00
# ========================================
# ENVIRONMENT VARIABLES TEMPLATE
# ========================================
# Copy this file to .env and fill in your actual values
# NEVER commit .env with real secrets to git!
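# === Frontend Variables ===
# Vite inlines every VITE_* value into the client bundle, so anything set here
# is readable by site visitors. Put only publishable values in this block.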
VITE_API_BASE_URL=https://puffinoffset.com/api
VITE_WREN_API_TOKEN=your_wren_api_token_here
VITE_FORMSPREE_CONTACT_ID=your_formspree_contact_id
VITE_FORMSPREE_OFFSET_ID=your_formspree_offset_id
VITE_STRIPE_PUBLISHABLE_KEY=your_stripe_publishable_key_here
# === Backend Variables ===
NODE_ENV=production
PORT=3001
FRONTEND_URL=https://puffinoffset.com
# === Stripe Configuration ===
# Use sk_test_* keys for testing (no real charges)
# Use sk_live_* keys for production (real charges)
STRIPE_SECRET_KEY=your_stripe_secret_key_here
STRIPE_WEBHOOK_SECRET=your_stripe_webhook_secret_here
# === Wren API Configuration ===
WREN_API_TOKEN=your_wren_api_token_here
# Set to true for testing (no real offsets purchased)
# Set to false for production (real offsets purchased)
WREN_DRY_RUN=true
# === Database Configuration ===
DATABASE_PATH=/app/data/orders.db
Add NocoDB integration for order management with comprehensive Stripe webhook logging

Features:
- Complete NocoDB schema with 42 fields supporting B2B and B2C customers
- Server-side NocoDB client (REST API integration)
- Stripe session data mapper with automatic field mapping
- Enhanced webhook handler with comprehensive logging
- Automatic order creation in NocoDB after payment
- Fulfillment data updates with Wren order IDs
- Support for business customers (VAT/EIN, business names)
- Complete billing address capture
- Non-blocking error handling (webhook succeeds even if NocoDB fails)

Files Added:
- server/utils/nocodbClient.js - NocoDB REST API client
- server/utils/nocodbMapper.js - Stripe to NocoDB data mapper
- docs/NOCODB_SCHEMA.md - Complete field reference (42 columns)
- docs/NOCODB_INTEGRATION_GUIDE.md - Testing and deployment guide
- docs/TESTING_STRIPE_WEBHOOK.md - Webhook testing instructions
- docs/STRIPE_INTEGRATION_SUMMARY.md - Project overview

Files Modified:
- server/routes/webhooks.js - Added NocoDB integration and enhanced logging
- src/types.ts - Updated OrderRecord interface with new fields
- src/api/nocodbClient.ts - Added createOrder() method
- .env.example - Added NocoDB configuration template

Schema includes:
- Payment tracking (Stripe session/intent/customer IDs, amounts, fees)
- Carbon offset details (tons, portfolio, Wren order ID)
- Customer information (name, email, phone, business name)
- Tax ID collection (VAT, EIN, etc.)
- Complete billing address
- Optional vessel/trip details for yacht calculations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 16:35:15 +01:00
# === NocoDB Configuration ===
NOCODB_BASE_URL=https://your-nocodb-instance.com
NOCODB_BASE_ID=your_base_id_here
NOCODB_API_KEY=your_nocodb_api_key_here
NOCODB_ORDERS_TABLE_ID=your_orders_table_id_here
# === Email Configuration ===
SMTP_HOST=mail.puffinoffset.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=noreply@puffinoffset.com
SMTP_PASSWORD=your_smtp_password_here
SMTP_FROM_NAME=Puffin Offset
SMTP_FROM_EMAIL=noreply@puffinoffset.com
ADMIN_EMAIL=matt@puffinoffset.com
# === Admin Portal Authentication ===
ADMIN_USERNAME=your_admin_username_here
ADMIN_PASSWORD=your_admin_password_here
# Generate JWT_SECRET randomly (long, high entropy) and do not reuse it across environments
JWT_SECRET=your_jwt_secret_key_here
# ========================================
# NOTES
# ========================================
#
# STRIPE TEST MODE:
# - Use sk_test_* and pk_test_* keys
# - Test card: 4242 4242 4242 4242 (any future date, any CVC)
# - No real money charged
#
# WREN DRY RUN:
# - WREN_DRY_RUN=true means no real carbon offsets purchased
# - Switch to false when ready for production
#
# PORT MAPPING:
# - PORT=3001 is the internal container port
# - Host exposes backend on port 3801 (3801:3001)
# - Frontend exposed on port 3800
#
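
A preflight check for a `.env` built from this template, as an added example that is not part of the puffin-app repository. The helper names (`parseEnv`, `checkEnv`) are hypothetical and the sample values are constructed. It flags placeholders left in secret fields, a Stripe key mode that disagrees with `WREN_DRY_RUN`, and secret-looking `VITE_*` variables.

```javascript
// Added example (not project code). Helper names are hypothetical.
// Parse KEY=VALUE lines; comment and blank lines are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m) env[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

const SECRET_KEYS = ['STRIPE_SECRET_KEY', 'STRIPE_WEBHOOK_SECRET', 'WREN_API_TOKEN',
  'NOCODB_API_KEY', 'SMTP_PASSWORD', 'ADMIN_PASSWORD', 'JWT_SECRET'];

// Return a list of human-readable problems; an empty list means the checks passed.
function checkEnv(env) {
  const problems = [];
  for (const key of SECRET_KEYS) {
    const v = env[key] || '';
    if (v === '' || /^your_/.test(v)) problems.push(`${key}: missing or still the template placeholder`);
  }
  const sk = env.STRIPE_SECRET_KEY || '';
  const pk = env.VITE_STRIPE_PUBLISHABLE_KEY || '';
  const dryRun = env.WREN_DRY_RUN !== 'false'; // assumption: anything but "false" means dry run
  if (sk.startsWith('sk_live_') && dryRun)
    problems.push('live Stripe key with WREN_DRY_RUN=true: real charges, no offsets purchased');
  if (sk.startsWith('sk_test_') && !dryRun)
    problems.push('test Stripe key with WREN_DRY_RUN=false: real offsets purchased, no real charges');
  if (/^sk_(test|live)_/.test(sk) && /^pk_(test|live)_/.test(pk) && sk.slice(3, 7) !== pk.slice(3, 7))
    problems.push('Stripe secret and publishable keys are from different modes');
  // Vite inlines every VITE_* variable into the client bundle.
  for (const [key, v] of Object.entries(env)) {
    if (/^VITE_.*(TOKEN|SECRET|PASSWORD)/.test(key) && v && !/^your_/.test(v))
      problems.push(`${key}: shipped to browsers in the frontend bundle; use only a publishable value`);
  }
  return problems;
}

// Constructed sample, not real credentials.
const SAMPLE = [
  '# constructed .env',
  'STRIPE_SECRET_KEY=sk_live_EXAMPLE',
  'VITE_STRIPE_PUBLISHABLE_KEY=pk_test_EXAMPLE',
  'VITE_WREN_API_TOKEN=example-token',
  'WREN_DRY_RUN=true',
  'JWT_SECRET=your_jwt_secret_key_here',
].join('\n');
console.log(checkEnv(parseEnv(SAMPLE)).join('\n'));
```

Run it against the real file at container start or in CI and fail the step when the returned list is not empty.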