
Environment Variables

The application uses environment variables for configuration. Copy .env.example to .env and configure the following sections:

Server Configuration

# Server port
PORT=3000

# Allowed CORS origins (comma-separated)
CORS_ORIGINS=http://localhost:8100

# Runtime environment
NODE_ENV=development
In production, set NODE_ENV=production to enable production optimizations.

Database Configuration

# PostgreSQL connection
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=your_password
DB_NAME=rodando

# Database behavior
DB_SYNCHRONIZE=true
DB_LOGGING=true
RUN_MIGRATIONS=true
MODE=DEV
Never set DB_SYNCHRONIZE=true in production! Schema auto-sync alters tables to match the entities, which can drop columns and destroy data. Use migrations instead.

Configuration options (defaults apply when a variable is unset; note that .env.example turns DB_SYNCHRONIZE, DB_LOGGING and RUN_MIGRATIONS on, so a .env copied from it is a development profile):

Variable         Description                     Default
DB_HOST          Database server hostname        localhost
DB_PORT          Database server port            5432
DB_USER          Database username               postgres
DB_PASSWORD      Database password               -
DB_NAME          Database name                   rodando
DB_SYNCHRONIZE   Auto-sync schema (dev only)     false
DB_LOGGING       Enable SQL query logging        false
RUN_MIGRATIONS   Run migrations on startup       false

JWT Configuration

# Access Token
JWT_ACCESS_SECRET=7Uuokmo0vGuAK8wNGMG2TBCQxSY8fLTd
JWT_ACCESS_EXPIRES_IN=15m

# Refresh Token
JWT_REFRESH_SECRET=FtO2UvkmNi2AMtlBVefMRxpWbvY5XpwV
JWT_REFRESH_EXPIRES_IN=7d

# Optional but recommended
JWT_ISSUER=nest-uber-app-backend
JWT_AUDIENCE=nest-uber-app-frontend
Generate strong, unique secrets for production (for example, openssl rand -base64 32 for each), keep the access and refresh secrets different, and never use the example values: they are published in this documentation, so anyone could forge tokens signed with them.
Token configuration:
  • Access Token: short-lived token for API requests (e.g., 15 minutes), signed with JWT_ACCESS_SECRET
  • Refresh Token: long-lived token for obtaining new access tokens (e.g., 7 days), signed with JWT_REFRESH_SECRET; using a separate secret means a refresh token can never pass where an access token is expected
  • Issuer (iss claim): identifies who issued the token
  • Audience (aud claim): identifies the intended recipient; checking both at verification rejects tokens minted for another service or client
Cookie settings:

COOKIE_DOMAIN=
COOKIE_PATH=/
COOKIE_SECURE=false
COOKIE_SAME_SITE=lax
COOKIE_HTTP_ONLY=true
Set COOKIE_SECURE=true in production when using HTTPS. Leaving COOKIE_DOMAIN empty makes the cookie host-only (sent to the API host alone, not to its subdomains); COOKIE_HTTP_ONLY=true keeps it out of reach of page scripts; and if a cross-site frontend ever requires COOKIE_SAME_SITE=none, browsers will only accept that together with COOKIE_SECURE=true.

Rate Limiting

# Throttling configuration
RATE_LIMIT_TTL=60        # Time window in seconds
RATE_LIMIT_MAX=10        # Max requests per window
These settings cap how many requests a single client may make in each window (with the values above, 10 requests per 60 seconds) and protect the API from brute-force and scraping traffic. The limit is only as good as the client key: if the API runs behind a reverse proxy or load balancer, make sure throttling sees the real client address rather than the proxy's, or every client will share one bucket.
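What the two settings mean in practice, as an added example (not the project's throttler): a fixed-window limiter that applies RATE_LIMIT_TTL and RATE_LIMIT_MAX per client key. The clock is passed in so the window can be driven deterministically; the key (client IP, user id, and so on) is the caller's choice, and limiterFromEnv and its defaults are this example's own names.

```typescript
// Added example, not the project's throttler: a fixed-window limiter that
// applies RATE_LIMIT_TTL (seconds) and RATE_LIMIT_MAX per client key.
export type Decision = { allowed: boolean; remaining: number; retryAfterSec: number };

type Bucket = { start: number; count: number };

export class FixedWindowLimiter {
  private readonly ttlSec: number;
  private readonly max: number;
  private readonly windows = new Map<string, Bucket>();

  constructor(ttlSec: number, max: number) {
    if (!Number.isInteger(ttlSec) || ttlSec <= 0 || !Number.isInteger(max) || max <= 0) {
      throw new Error("RATE_LIMIT_TTL and RATE_LIMIT_MAX must be positive integers");
    }
    this.ttlSec = ttlSec;
    this.max = max;
  }

  // Record one request for `key` at time `nowSec` and decide whether it may proceed.
  hit(key: string, nowSec: number): Decision {
    let w = this.windows.get(key);
    if (w === undefined || nowSec - w.start >= this.ttlSec) {
      w = { start: nowSec, count: 0 };            // first request, or the window expired: start a new one
      this.windows.set(key, w);
    }
    if (w.count >= this.max) {
      // Denied: tell the client when the current window ends (Retry-After).
      return { allowed: false, remaining: 0, retryAfterSec: w.start + this.ttlSec - nowSec };
    }
    w.count += 1;
    return { allowed: true, remaining: this.max - w.count, retryAfterSec: 0 };
  }

  // Drop expired windows (call from a periodic sweep) so the map does not grow without bound.
  prune(nowSec: number): number {
    let removed = 0;
    for (const [key, w] of this.windows) {
      if (nowSec - w.start >= this.ttlSec) {
        this.windows.delete(key);
        removed += 1;
      }
    }
    return removed;
  }
}

// Build a limiter from the environment, falling back to the values shown on this page.
export function limiterFromEnv(env: Record<string, string | undefined>): FixedWindowLimiter {
  return new FixedWindowLimiter(Number(env.RATE_LIMIT_TTL ?? "60"), Number(env.RATE_LIMIT_MAX ?? "10"));
}
```

The state lives in the process, so with several API instances behind a load balancer each instance enforces its own limit; a shared store is needed for one global limit. A fixed window also lets a client burst up to 2 x RATE_LIMIT_MAX across a window boundary, which is acceptable for abuse protection but not for precise quotas.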

Security Configuration

# Bcrypt password hashing
BCRYPT_SALT_ROUNDS=12

# Driver availability tracking
DA_PRESENCE_TTL_SEC=120   # Offline after 120s without ping
DA_SWEEP_BATCH=1000       # Batch size for presence sweeps
Security best practices:
  • BCRYPT_SALT_ROUNDS is bcrypt's cost factor: each increment doubles the work to hash a password, for the server and for an attacker cracking a leaked hash alike, so pick the highest value whose login latency you can accept (10-12 recommended). Note that bcrypt only uses the first 72 bytes of the password.
  • Adjust DA_PRESENCE_TTL_SEC based on your WebSocket ping interval; leave enough margin that a single missed ping does not mark a driver offline.

Swagger Documentation

# Enable/disable Swagger UI
SWAGGER_ENABLED=true
SWAGGER_ENABLE_AUTH=true
SWAGGER_ENABLE_USERS=true

# Main API documentation
SWAGGER_TITLE_API=Uber-app-backend
SWAGGER_VERSION_API=1.0

# Auth documentation
SWAGGER_TITLE_DOCS_AUTH=Authentication
SWAGGER_VERSION_DOCS_AUTH=1.0-auth
SWAGGER_PATH_DOCS_AUTH=docs/auth

# Users documentation
SWAGGER_TITLE_DOCS_USERS=Users
SWAGGER_VERSION_DOCS_USERS=1.0-users
SWAGGER_PATH_DOCS_USERS=docs/users
Disable Swagger in production (SWAGGER_ENABLED=false): the UI and its OpenAPI document hand anyone an inventory of every route, parameter and schema.

Configuration Validation

The application validates environment variables on startup using Joi schema validation. If required variables are missing or invalid, the application will fail to start with a descriptive error. Required variables:
  • DB_HOST
  • DB_USER
  • DB_PASSWORD
  • DB_NAME
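A startup check of this kind, as an added example. It is not the project's Joi schema; it is a plain TypeScript stand-in that encodes the rules stated on this page (the required variables, port ranges, and the "never in production" warnings) so the process fails fast with every problem listed. The production-only rules for placeholder JWT secrets, cookies and Swagger, and the "test" value for NODE_ENV, are assumptions layered on top of the page's list.

```typescript
// Added example, not the project's Joi schema: a startup validator that
// encodes the rules stated on this page and fails fast before the app binds
// a port. Production-only rules and the "test" NODE_ENV value are assumptions.
export type Env = Record<string, string | undefined>;

// The literal secrets from .env.example above. They are public, so accepting
// them in production would let anyone forge tokens.
const EXAMPLE_SECRETS = new Set([
  "7Uuokmo0vGuAK8wNGMG2TBCQxSY8fLTd",
  "FtO2UvkmNi2AMtlBVefMRxpWbvY5XpwV",
]);

const isTrue = (v: string | undefined): boolean => (v ?? "").trim().toLowerCase() === "true";

function checkPort(name: string, env: Env, errors: string[]): void {
  const v = env[name];
  if (v === undefined) return;                       // optional: the default applies
  const n = Number(v);
  if (!Number.isInteger(n) || n < 1 || n > 65535) errors.push(`${name} must be a TCP port, got "${v}"`);
}

function checkSecret(name: string, env: Env, errors: string[]): void {
  const v = env[name];
  if (!v) { errors.push(`${name} is required in production`); return; }
  if (v.length < 32) errors.push(`${name} must be at least 32 characters`);
  if (EXAMPLE_SECRETS.has(v)) errors.push(`${name} is the placeholder value from .env.example`);
}

export function validateEnv(env: Env): string[] {
  const errors: string[] = [];

  for (const name of ["DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME"]) {
    if (!env[name]) errors.push(`${name} is required`);
  }
  checkPort("PORT", env, errors);
  checkPort("DB_PORT", env, errors);

  const nodeEnv = env.NODE_ENV ?? "development";
  if (!["development", "production", "test"].includes(nodeEnv)) {
    errors.push(`NODE_ENV must be development, production or test, got "${nodeEnv}"`);
  }

  const rounds = Number(env.BCRYPT_SALT_ROUNDS ?? "12");
  if (!Number.isInteger(rounds) || rounds < 10 || rounds > 31) {
    errors.push("BCRYPT_SALT_ROUNDS must be an integer between 10 and 31");
  }

  const sameSite = (env.COOKIE_SAME_SITE ?? "lax").toLowerCase();
  if (!["lax", "strict", "none"].includes(sameSite)) {
    errors.push(`COOKIE_SAME_SITE must be lax, strict or none, got "${sameSite}"`);
  }
  // Browsers drop SameSite=None cookies that are not also Secure, in every environment.
  if (sameSite === "none" && !isTrue(env.COOKIE_SECURE)) errors.push("COOKIE_SAME_SITE=none requires COOKIE_SECURE=true");

  if (nodeEnv === "production") {
    if (isTrue(env.DB_SYNCHRONIZE)) errors.push("DB_SYNCHRONIZE=true is not allowed in production; use migrations");
    if (!isTrue(env.COOKIE_SECURE)) errors.push("COOKIE_SECURE must be true in production");
    if (isTrue(env.SWAGGER_ENABLED)) errors.push("SWAGGER_ENABLED must be false in production");
    checkSecret("JWT_ACCESS_SECRET", env, errors);
    checkSecret("JWT_REFRESH_SECRET", env, errors);
    if (env.JWT_ACCESS_SECRET && env.JWT_ACCESS_SECRET === env.JWT_REFRESH_SECRET) {
      errors.push("JWT_ACCESS_SECRET and JWT_REFRESH_SECRET must differ");
    }
  }
  return errors;
}

// Call once at bootstrap; the thrown message lists every problem, not just the first.
export function assertEnv(env: Env): void {
  const errors = validateEnv(env);
  if (errors.length > 0) throw new Error(`Invalid configuration:\n - ${errors.join("\n - ")}`);
}
```

Run against a .env copied unchanged from .env.example with only NODE_ENV switched to production, this reports the auto-sync, cookie, Swagger and both placeholder secrets at once, which is exactly the mistake a first deployment tends to make.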

CORS Configuration

CORS is configured in main.ts to allow requests from specific origins:
CORS_ORIGINS=http://localhost:8100,https://app.example.com
Multiple origins can be specified by separating them with commas. CORS settings:
  • Allowed methods: GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS
  • Credentials: enabled (supports cookies and authentication). Because credentials are enabled, browsers require an exact origin in Access-Control-Allow-Origin: a wildcard (*) does not work, and a listed origin must match the request's scheme, host and port exactly.
  • Max age: 86400 seconds (24 hours), the time browsers may cache a preflight response
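How the origin list is parsed and matched, as an added example; it is not the project's main.ts, which delegates to NestJS's enableCors(), but a stand-in that makes the exact-match rule visible. The function names are this example's own, and the header set mirrors the settings listed above.

```typescript
// Added example, not the project's main.ts: parse CORS_ORIGINS and decide per
// request whether an Origin may be reflected. Because the API sends credentials,
// a wildcard is refused at parse time and a request origin must equal a
// configured origin exactly (scheme, host and port).
export function parseCorsOrigins(raw: string | undefined): string[] {
  const allowed: string[] = [];
  for (const entry of (raw ?? "").split(",")) {
    const value = entry.trim();
    if (value === "") continue;                              // tolerate trailing commas
    if (value === "*") throw new Error("CORS_ORIGINS may not contain '*' when credentials are enabled");
    let url: URL | undefined;
    try { url = new URL(value); } catch { /* reported below */ }
    if (url === undefined) throw new Error(`CORS_ORIGINS entry is not an absolute URL: ${value}`);
    if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`CORS_ORIGINS entry must use http or https: ${value}`);
    if (url.pathname !== "/" || url.search !== "" || url.hash !== "") throw new Error(`CORS_ORIGINS entry must be an origin, not a full URL: ${value}`);
    allowed.push(url.origin);                                // normalised: lower-case host, default port dropped
  }
  return allowed;
}

// Exact comparison only: "https://app.example.com.evil.com" and "http://app.example.com"
// are not "https://app.example.com". No prefix, suffix or regex matching.
export function isAllowedOrigin(origin: string | undefined, allowed: readonly string[]): boolean {
  return origin !== undefined && allowed.includes(origin);
}

// Headers to attach for a request from `origin`; undefined means "no CORS headers at all".
export function corsHeaders(origin: string | undefined, allowed: readonly string[]): Record<string, string> | undefined {
  if (origin === undefined || !isAllowedOrigin(origin, allowed)) return undefined;
  return {
    "Access-Control-Allow-Origin": origin,                  // the matched origin, never "*"
    "Access-Control-Allow-Methods": "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "86400",
    "Vary": "Origin",                                       // caches must not serve one origin's response to another
  };
}
```

Normalising through the URL parser means "https://APP.example.com:443/" in CORS_ORIGINS and "https://app.example.com" in a request's Origin header compare equal, while a path or query in the configured value is rejected at startup instead of silently never matching.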

Environment-Specific Configuration

Development (the values .env.example ships with):

NODE_ENV=development
DB_SYNCHRONIZE=true
DB_LOGGING=true
SWAGGER_ENABLED=true
COOKIE_SECURE=false
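The production counterpart is not shown on this page; the following is assembled here from the recommendations in the sections above and is an added example, not a file from the repository. RUN_MIGRATIONS=true and DB_LOGGING=false are assumptions: whether migrations run at startup or from a separate deploy step is a deployment choice, and SQL logging in production writes query parameters into the logs.

```dotenv
# Production profile assembled from the warnings on this page (added example)
NODE_ENV=production
DB_SYNCHRONIZE=false
DB_LOGGING=false
RUN_MIGRATIONS=true
SWAGGER_ENABLED=false
COOKIE_SECURE=true
```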

Next Steps

  • Database Setup: configure the database and run migrations
  • WebSockets: set up real-time communication
