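# ── Bill Tracker — Environment Variables ──────────────────────────────────────
# Copy this file to .env and fill in your values before deploying.
# Docker Compose reads .env automatically.
# For direct Node.js: NODE_ENV=production node server.js (or use PM2).
#
# This is a dotenv file: every setting is written as KEY=value, one per line.
# Lines starting with "#" are comments; uncomment an example line to enable it.

# ── Server ────────────────────────────────────────────────────────────────────
PORT=3000
NODE_ENV=production

# ── CSRF Cookie httpOnly Setting ──────────────────────────────────────────────
# CSRF cookie httpOnly setting (default: true).
# true  - secure, default: the cookie is not readable by JavaScript.
# false - SPA mode: allows JavaScript to read the cookie for SPA CSRF patterns.
# CSRF_HTTP_ONLY=true

# ── CSRF Cookie sameSite Setting ──────────────────────────────────────────────
# CSRF cookie sameSite setting (default: strict).
# Options: lax, strict, none
# strict - most secure, default.
# lax    - for SPA cross-site scenarios.
# none   - only valid together with CSRF_SECURE=true; browsers reject a
#          SameSite=None cookie that lacks the Secure attribute.
# CSRF_SAME_SITE=strict

# ── CSRF Cookie secure Setting ────────────────────────────────────────────────
# CSRF cookie secure flag (default: true - HTTPS only).
# Set CSRF_SECURE=false for HTTP development (NOT recommended for production).
# true  - HTTPS only, default.
# false - HTTP allowed, development only.
# CSRF_SECURE=true

# ── CSRF Cookie Name ──────────────────────────────────────────────────────────
# CSRF cookie name (default: bt_csrf_token).
# Use CSRF_COOKIE_NAME to customize for multi-app deployments so that
# instances sharing a host do not overwrite each other's cookie.
# CSRF_COOKIE_NAME=bt_csrf_token

# ── Data paths (used by both Docker and direct deployments) ───────────────────
# Docker: these are set in the Dockerfile; override here only if needed.
# Direct: set these to absolute paths on the server.
#
# DB_PATH=/opt/bill-tracker/data/db/bills.db
# BACKUP_PATH=/opt/bill-tracker/data/backups

# ── First-run admin account ───────────────────────────────────────────────────
# Set BOTH on first start to create the admin account automatically.
# Remove or comment out after the server has started once — they are not
# needed again. Open the web UI afterward to create your first user account.
# The password below is a placeholder only: replace it with a strong, unique
# value and change it after the first login. Do not commit a filled-in .env.
#
# INIT_ADMIN_USER=admin
# INIT_ADMIN_PASS=changeme123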