diff --git a/.env.example b/.env.example index 1886d22..517ac38 100644 --- a/.env.example +++ b/.env.example @@ -1,5 +1,5 @@ -# App -NUXT_SESSION_SECRET=change-me +# App — session sealing key for nuxt-auth-utils (must be ≥32 chars) +NUXT_SESSION_PASSWORD=change-me-to-a-long-random-string-min-32-chars # Database (Postgres) — Coolify-managed in prod, docker-compose in dev DATABASE_URL=postgres://andon:andon@localhost:5432/andon @@ -9,10 +9,13 @@ POSTGRES_USER=andon POSTGRES_PASSWORD=andon POSTGRES_DB=andon -# Google OAuth (Task 9) — restricted to the theodo.com hosted domain -GOOGLE_CLIENT_ID= -GOOGLE_CLIENT_SECRET= -GOOGLE_REDIRECT_URI= +# Google OAuth (Task 9) — nuxt-auth-utils reads these exact names. Access is +# restricted server-side to verified @theodo.com emails (the `hd` claim is not +# trusted on its own). REDIRECT_URL must match an Authorized redirect URI in the +# Google Cloud console (defaults to /auth/google/callback if unset). +NUXT_OAUTH_GOOGLE_CLIENT_ID= +NUXT_OAUTH_GOOGLE_CLIENT_SECRET= +NUXT_OAUTH_GOOGLE_REDIRECT_URL= # Web Push / VAPID (Task 10) VAPID_PUBLIC_KEY= diff --git a/README.md b/README.md index 2b08d1a..88f8e7f 100644 --- a/README.md +++ b/README.md @@ -61,8 +61,10 @@ migrate step is needed. 1. Point Coolify at this repo; it builds the production `Dockerfile`. 2. Create a **managed Postgres** in Coolify (automatic backups — [ADR 0003](./docs/adr/0003-use-coolify-managed-postgres-over-sqlite.md)) and set `DATABASE_URL` to it. _(Alternatively deploy `docker-compose.yml`, which bundles a Postgres service.)_ -3. Set the env vars from [`.env.example`](./.env.example) (`NUXT_SESSION_SECRET`, - Google OAuth, VAPID) and route `andon.apoena.dev` to the service. +3. Set the env vars from [`.env.example`](./.env.example) (`NUXT_SESSION_PASSWORD`, + `NUXT_OAUTH_GOOGLE_*`, VAPID) and route `andon.apoena.dev` to the service. Add + `https://andon.apoena.dev/auth/google/callback` as an Authorized redirect URI + in the Google Cloud OAuth client. 4. **Enable Coolify's autodeploy** so it builds and deploys on every push to `main`. Protect `main` with required PR review + CI so only vetted commits reach production. diff --git a/app/layouts/default.vue b/app/layouts/default.vue index 334d9db..d6e8677 100644 --- a/app/layouts/default.vue +++ b/app/layouts/default.vue @@ -1,6 +1,12 @@