cmdb-insight/docs/AUTHENTICATION-ENV-VARS.md

# Authentication System Environment Variables

This document describes the new environment variables required for the authentication and authorization system.

## Application Branding

```env
# Application name displayed throughout the UI
APP_NAME=CMDB Insight

# Application tagline/subtitle displayed in header and login pages
APP_TAGLINE=Management console for Jira Assets

# Copyright text displayed in the footer (use {year} as placeholder for current year)
APP_COPYRIGHT=© {year} Zuyderland Medisch Centrum
```

**Note:** The `{year}` placeholder in `APP_COPYRIGHT` will be automatically replaced with the current year. If not set, defaults to `© {current_year} Zuyderland Medisch Centrum`.

## Email Configuration (Nodemailer)

```env
# SMTP Configuration
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@example.com
SMTP_PASSWORD=your-password
SMTP_FROM=noreply@example.com
```

## Encryption

```env
# Encryption Key (32 bytes, base64 encoded)
# Generate with: openssl rand -base64 32
ENCRYPTION_KEY=your-32-byte-encryption-key-base64
```

## Local Authentication

```env
# Enable local authentication (email/password)
LOCAL_AUTH_ENABLED=true

# Allow public registration (optional, default: false)
REGISTRATION_ENABLED=false
```

## Password Requirements

```env
# Password minimum length
PASSWORD_MIN_LENGTH=8

# Password complexity requirements
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false
```

## Session Configuration

```env
# Session duration in hours
SESSION_DURATION_HOURS=24
```

## Initial Admin User

```env
# Create initial administrator user (optional)
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=SecurePassword123!
ADMIN_USERNAME=admin
ADMIN_DISPLAY_NAME=Administrator
```

## Complete Example

```env
# Email Configuration
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_FROM=noreply@example.com

# Encryption
ENCRYPTION_KEY=$(openssl rand -base64 32)

# Local Auth
LOCAL_AUTH_ENABLED=true
REGISTRATION_ENABLED=false

# Password Requirements
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# Session
SESSION_DURATION_HOURS=24

# Initial Admin
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=ChangeMe123!
ADMIN_USERNAME=admin
ADMIN_DISPLAY_NAME=Administrator
```

## Important Notes

### User-Specific Configuration (REMOVED from ENV)

The following environment variables have been **REMOVED** from the codebase and are **NOT** configurable via environment variables:

- `JIRA_PAT`: **Configure in User Settings > Jira PAT**
- `ANTHROPIC_API_KEY`: **Configure in User Settings > AI Settings**
- `OPENAI_API_KEY`: **Configure in User Settings > AI Settings**
- `TAVILY_API_KEY`: **Configure in User Settings > AI Settings**

**These are now user-specific settings only.** Each user must configure their own API keys in their profile settings. This provides:
- Better security (keys not in shared config files)
- Per-user API key management
- Individual rate limiting per user
- Better audit trails
- Encrypted storage in the database

### Required Configuration

- `SESSION_SECRET`: Should be a secure random string in production (generate with `openssl rand -base64 32`)
- `ENCRYPTION_KEY`: Must be exactly 32 bytes when base64 decoded (generate with `openssl rand -base64 32`)

### Application Branding

- The `{year}` placeholder in `APP_COPYRIGHT` will be automatically replaced with the current year