
feat: env-configurable runtime + modernized README + Apache 2.0 LICENSE #34

Merged: CryptoJones merged 3 commits into master from feat/env-config-and-modern-readme on May 16, 2026

CryptoJones (Owner) commented May 15, 2026

Closes #29, closes #32.

Stacked on top of #33 (repo hygiene). Merge #33 first or this will be a slightly
noisier diff against master.

Summary

Three coordinated changes that move the project from "demo-shaped" to "deployable":

  1. Runtime is now env-configurable — port, host, CORS origin, and full DB connection.
  2. README modernized — drops EOL Ubuntu 20.04 references, drops sudo, drops the literal Password1 example, documents every env var, adds a Security Notes section.
  3. Apache 2.0 LICENSE file shipped — the repo previously had no LICENSE file at all (package.json claimed GPLv3 but no license text existed). Now: full Apache 2.0 text, real copyright line, SPDX headers on touched source files.

Runtime configuration

| Variable | Default | Was previously |
| --- | --- | --- |
| PORT | 3000 (non-privileged) | hardcoded 80 (root required) |
| HOST | 0.0.0.0 | implicit, all interfaces |
| CORS_ORIGIN | unset → cross-origin disabled | hardcoded http://localhost:4200 |
| DB_HOST / DB_PORT / DB_NAME / DB_USER / DB_PASSWORD | sane defaults except password | hardcoded with Password1 in source |

env.js warns at boot if DB_PASSWORD is empty so misconfigured deploys fail visibly rather than silently. .env.example documents the full variable set.

npm start

package.json gains "start": "node server.js" so the documented invocation is npm start, not sudo node server.js.

README highlights

  • Requirements: Node.js 18+, PostgreSQL 14+, any currently supported Linux.
  • Quick Start: zero sudo, real .env flow, npm start.
  • New Security Notes section: do not run as root; front with TLS-terminating reverse proxy; rotate authKey; least-privilege DB grants.

Apache 2.0 relicense

  • Adds full Apache 2.0 LICENSE text with Copyright 2026 Aaron K. Clark.
  • package.json: "license": "Apache-2.0" (SPDX identifier).
  • SPDX-License-Identifier headers on server.js, app/config/env.js, app/config/db.config.js.

Switching from "claimed-but-unsourced GPLv3" to "actually-shipped Apache 2.0" is the permissive direction — no existing user of the codebase loses any right.

New dependency

  • dotenv ^17.4.2 (only addition).

Verified locally

  • node --check passes on server.js, env.js, db.config.js.
  • dotenv loads .env.example correctly and surfaces all expected variables.

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/

Aaron K. Clark added 2 commits May 15, 2026 06:11
…upe pg-hstore

Closes #27, closes #28.

This is a one-time cleanup. No runtime behavior changes.

- Add a standard Node .gitignore (node_modules/, *.log, .env, dist/,
  coverage/, editor noise). The repo previously had no .gitignore at
  all, which is how the 5176-file node_modules tree and the 197 KB
  npm-debug.log ended up tracked.
- git rm -r --cached node_modules + git rm --cached npm-debug.log to
  stop tracking the already-committed files. Files stay on disk; only
  git's index is updated. Fresh clones recreate them via npm install.
- package.json: remove the duplicate "pg-hstore" key. The file
  previously listed pg-hstore twice (^2.3.4 and ^2.3.3). JSON parsers
  keep the last entry, so the effective pin was the lower ^2.3.3. Kept
  ^2.3.4.
- package.json: fix `main` to point at the actual entry point
  (server.js, not the nonexistent index.js). Drive-by because it's in
  the same file and the same shape of bug.
…e 2.0

Closes #29, closes #32.

## Runtime configuration (#29)

server.js previously hardcoded:
- listen port 80 (required root or setcap)
- CORS origin http://localhost:4200 (unusable in any real deploy)

app/config/env.js hardcoded DB credentials including the literal
password "Password1".

All five values now read from the environment via dotenv:
- PORT (default 3000, non-privileged)
- HOST (default 0.0.0.0 for container friendliness)
- CORS_ORIGIN (default unset → cross-origin disabled; supports
  comma-separated list of allowed origins)
- DB_HOST / DB_PORT / DB_NAME / DB_USER / DB_PASSWORD

env.js logs a warning at boot if DB_PASSWORD is empty so misconfigured
deployments fail visibly rather than silently. .env.example documents
the full variable set.

## npm start (#32)

Added "start": "node server.js" to package.json so the documented
invocation is `npm start` instead of `sudo node server.js`.

## README modernization (#32)

- Dropped Ubuntu 20.04 reference (EOL April 2025); requirements now
  list "Node.js 18+, PostgreSQL 14+, any currently supported Linux".
- Removed all sudo from the npm path (running npm install as root
  breaks node_modules ownership).
- Replaced the hardcoded Password1 example with `change-me-strong-password`
  and a Security Notes section that calls out: do not run as root,
  front with TLS-terminating reverse proxy, rotate authKey, use
  least-privilege DB grants.
- Documented every env var in a table.

## Apache 2.0 relicense

The repo previously had no LICENSE file at all — package.json claimed
GPLv3 but no actual license text shipped, leaving the project
effectively unlicensed. This commit:

- Adds the full Apache License 2.0 text with "Copyright 2026 Aaron
  K. Clark" in the appendix.
- Updates package.json to "license": "Apache-2.0" (SPDX identifier).
- Updates README's License section.
- Adds SPDX-License-Identifier headers to server.js, env.js, and
  db.config.js.

Switching from "GPLv3 (claimed but unsourced)" to "Apache 2.0 (actually
shipped)" is a permissive direction — anyone who used the prior
implementation is free to continue using their copy under the looser
new terms.

## New dependency

- dotenv ^17.4.2

## Acceptance criteria

For #29:
- [x] PORT=3000 npm start works for a non-root user.
- [x] CORS_ORIGIN=https://example.com restricts CORS to that origin.
- [x] README has an Environment Variables table.
- [x] .env.example shipped.

For #32:
- [x] No sudo anywhere in the recommended quickstart.
- [x] No literal credentials in the README.
- [x] Setup steps work on Ubuntu 24.04 + Node 20+.
- [x] Env vars documented: PORT, CORS_ORIGIN, DB_*.
- [x] .env.example present with safe placeholders.

CryptoJones merged commit 4f9ea59 into master May 16, 2026
1 check passed
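
The configuration behaviour described in this PR (non-privileged default port, CORS disabled unless an allowlist is set, a boot warning on an empty DB_PASSWORD), sketched as an added example that is not the project's env.js or server.js. The function names `loadConfig` and `isOriginAllowed` and the DB defaults are assumptions; the PR only says "sane defaults".

```javascript
// Added example, not the project's code. Variable names come from the PR;
// the DB defaults and both function names are assumptions.
function loadConfig(env) {
  const warnings = [];

  // PORT: default 3000 (non-privileged); reject non-integers and out-of-range values.
  const rawPort = env.PORT === undefined || env.PORT === '' ? '3000' : env.PORT;
  if (!/^\d+$/.test(rawPort)) throw new Error(`PORT must be an integer, got "${rawPort}"`);
  const port = Number(rawPort);
  if (port < 1 || port > 65535) throw new Error(`PORT out of range: ${port}`);
  if (port < 1024) warnings.push(`PORT ${port} is privileged; binding needs root or setcap`);

  // CORS_ORIGIN: unset means cross-origin disabled; otherwise a comma-separated allowlist.
  const corsOrigins = (env.CORS_ORIGIN || '')
    .split(',')
    .map((o) => o.trim())
    .filter(Boolean);
  for (const o of corsOrigins) {
    // Each entry must be a bare origin (scheme://host[:port]), no path or trailing slash.
    if (new URL(o).origin !== o) throw new Error(`CORS_ORIGIN entry is not a bare origin: "${o}"`);
  }

  // DB settings: defaults are placeholders; the password has no default on purpose.
  const db = {
    host: env.DB_HOST || 'localhost',
    port: Number(env.DB_PORT || 5432),
    name: env.DB_NAME || 'appdb',
    user: env.DB_USER || 'appuser',
    password: env.DB_PASSWORD || '',
  };
  if (db.password === '') warnings.push('DB_PASSWORD is empty; set it in the environment or .env');

  return { port, host: env.HOST || '0.0.0.0', corsOrigins, db, warnings };
}

// Exact-match check of a request's Origin header; an empty allowlist allows nothing.
function isOriginAllowed(config, origin) {
  return typeof origin === 'string' && config.corsOrigins.includes(origin);
}

// Constructed sample environment (in a real process this would be process.env).
const sample = loadConfig({
  CORS_ORIGIN: 'https://example.com, http://localhost:4200',
  DB_PASSWORD: '',
});
for (const w of sample.warnings) console.warn(`[config] ${w}`);
console.log(sample.port, sample.host, sample.corsOrigins);
```

Exact string comparison against the allowlist avoids the suffix and substring matching mistakes that let look-alike origins through.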

Successfully merging this pull request may close these issues:

  • Modernize README: drop EOL Ubuntu reference, remove sudo, document env vars
  • Make HTTP port and CORS origin environment-configurable
