Ramadhan Sjamsani
3fff4b1c6e
Backend - payment_sessions → payment_requests rename across DB schema + 29 files - payment.service.js becomes product-agnostic owner: EventEmitter + Xendit wrapper + requestPayment / confirmPayment public API; legacy aliases retained for existing chat callers - Webhook handler at POST /api/shared/payment/webhooks/xendit, with constant-time token verification (8 vitest cases) - Server-driven pairing: payment.service emits payment_request.confirmed → pairing subscriber starts the blast. Legacy POST /chat/request still works during the cutover. - Reconciliation sweeper extended (re-emits events for confirmed rows with no chat session) - SIGTERM drain + startup reconciliation pass in server.js Customer app - waiting_payment_screen opens xendit_invoice_url via LaunchMode.inAppBrowserView - searching / no-bestie / targeted-waiting / pairing-notifier updated to consume the new payment_request_id contract - pending_payments_provider + bestie-unavailable dialog migrated Dev / testing - XENDIT_ENABLED=false is the safe default; .env.example documents the four new vars - backend/.dev/xendit-fake-webhook.sh exercises the handler without ngrok - 90/92 backend tests pass (two pre-existing session-timer flakes, unrelated); client_app analyzer clean - requirement/phase5-xendit-plan.md is the canonical reference Stage 8 (live E2E) blocked on Xendit test-mode keys. The dashboard's single-webhook-URL constraint will be worked around via a self-poll script next session. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
55 lines
1.6 KiB
Plaintext
55 lines
1.6 KiB
Plaintext
# Server
|
|
PUBLIC_PORT=3000
|
|
INTERNAL_PORT=3001
|
|
INTERNAL_HOST=127.0.0.1
|
|
|
|
# Database
|
|
DATABASE_URL=postgresql://user:password@localhost:5432/halobestie
|
|
|
|
# Valkey / Redis
|
|
VALKEY_URL=redis://localhost:6379
|
|
|
|
# Control center origin (for CORS + refresh-cookie). Comma-separated list allowed.
|
|
CC_ORIGIN=http://localhost:5173
|
|
|
|
# --- Auth (Phase 3.4) ---
|
|
|
|
# JWT access token signing key (HS256). Must be >= 32 chars.
|
|
AUTH_JWT_SECRET=replace-with-strong-random-32+char-secret
|
|
ACCESS_TOKEN_TTL_SECONDS=3600
|
|
REFRESH_TOKEN_TTL_DAYS=30
|
|
|
|
# Fazpass (OTP provider — TBD real values once docs are available)
|
|
FAZPASS_API_KEY=
|
|
FAZPASS_BASE_URL=
|
|
FAZPASS_WEBHOOK_SECRET=
|
|
|
|
# Google OAuth — comma-separated list of valid audience client IDs (Android, iOS).
|
|
GOOGLE_OAUTH_CLIENT_IDS=
|
|
|
|
# Apple Sign In
|
|
APPLE_SERVICES_ID=
|
|
APPLE_TEAM_ID=
|
|
APPLE_KEY_ID=
|
|
APPLE_PRIVATE_KEY=
|
|
|
|
# First super-admin (used by seed script)
|
|
ADMIN_EMAIL=admin@halobestie.com
|
|
ADMIN_PASSWORD=ChangeMe123!
|
|
|
|
# --- FCM (kept — only Messaging is used; Auth is self-managed) ---
|
|
# Path to Firebase service-account JSON (falls back to backend/firebase-service-account.json)
|
|
FIREBASE_SERVICE_ACCOUNT_PATH=
|
|
|
|
# --- Phase 5: Xendit (dev-safe defaults: integration disabled) ---
|
|
#
|
|
# Flip XENDIT_ENABLED=true in staging/prod once secret + webhook token are populated.
|
|
# When false, payment.service.js skips invoice creation and the dev/Maestro stub
|
|
# /internal/_test/force-confirm-payment plays the role of the webhook.
|
|
# See requirement/phase5-xendit-plan.md.
|
|
XENDIT_ENABLED=false
|
|
XENDIT_SECRET_KEY=
|
|
XENDIT_WEBHOOK_TOKEN=
|
|
XENDIT_SUCCESS_REDIRECT_URL=
|
|
XENDIT_FAILURE_REDIRECT_URL=
|