From 927349e1d2a8e637ababf0dd7306196ce89a0b28 Mon Sep 17 00:00:00 2001 From: Knee Cola Date: Mon, 8 Dec 2025 01:20:55 +0100 Subject: [PATCH] feat: add share link security environment variables to Docker configs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Add SHARE_LINK_SECRET (production secret, 64-char hex) - Add SHARE_TTL_INITIAL_DAYS=10 (days before first tenant visit) - Add SHARE_TTL_AFTER_VISIT_HOURS=1 (hours after tenant visits) - Add UPLOAD_RATE_LIMIT_PER_IP=5 (max uploads per IP) - Add UPLOAD_RATE_LIMIT_WINDOW_MS=3600000 (1 hour rate limit window) Updated both: - docker-compose-standalone.yaml - docker-compose-swarm.yml Production SHARE_LINK_SECRET generated with: openssl rand -hex 32 đŸ€– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5
---
 docker-compose-standalone.yaml | 7 +++++++ docker-compose-swarm.yml | 7 +++++++ 2 files changed, 14 insertions(+)
diff --git a/docker-compose-standalone.yaml b/docker-compose-standalone.yaml
index 3af0c4b..55bfd31 100644
--- a/docker-compose-standalone.yaml
+++ b/docker-compose-standalone.yaml
@@ -29,6 +29,13 @@ services:
 HOSTNAME: rezije.app # IP address at which the server will be listening (0.0.0.0 = listen on all addresses)
 NEXTAUTH_URL: https://rezije.app # URL next-auth will use while redirecting user during authentication (if not set - will use HOSTNAME)
 PORT: ${PORT:-80}
+ # Share link security
+ SHARE_LINK_SECRET: ef68362357315d5decb27d24ff9abdb4a02a3351cd2899f79bf238dce0fe08c5
+ SHARE_TTL_INITIAL_DAYS: 10
+ SHARE_TTL_AFTER_VISIT_HOURS: 1
+ # Upload rate limiting
+ UPLOAD_RATE_LIMIT_PER_IP: 5
+ UPLOAD_RATE_LIMIT_WINDOW_MS: 3600000
 container_name: evidencija-rezija__web-app
 restart: unless-stopped # u slučaju ruĆĄenja containera pokuĆĄavaj ga pokrenuti dok ne uspije = BESKONAČNO
 depends_on:
diff --git a/docker-compose-swarm.yml b/docker-compose-swarm.yml
index 87decb0..bd6d34f 100644
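Review bot: The `SHARE_LINK_SECRET` line commits a literal secret to the repository, one the commit message describes as the production value, and the identical value is added in the docker-compose-swarm.yml hunk as well. Anyone with read access to the repository or its history can read it, and since it presumably signs or derives share links it should be treated as exposed and rotated rather than only removed in a later commit. The compose files already interpolate `${PORT:-80}`, so the same mechanism would keep the value out of version control: `SHARE_LINK_SECRET: ${SHARE_LINK_SECRET:?SHARE_LINK_SECRET must be set}`. For the swarm file a Docker secret is the more native option, provided the app can read the value from a file. The `environment` mapping these lines belong to starts outside the hunk.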
--- a/docker-compose-swarm.yml
+++ b/docker-compose-swarm.yml
@@ -29,6 +29,13 @@ services:
 HOSTNAME: rezije.app # IP address at which the server will be listening (0.0.0.0 = listen on all addresses)
 NEXTAUTH_URL: https://rezije.app # URL next-auth will use while redirecting user during authentication (if not set - will use HOSTNAME)
 PORT: ${PORT:-80}
+ # Share link security
+ SHARE_LINK_SECRET: ef68362357315d5decb27d24ff9abdb4a02a3351cd2899f79bf238dce0fe08c5
+ SHARE_TTL_INITIAL_DAYS: 10
+ SHARE_TTL_AFTER_VISIT_HOURS: 1
+ # Upload rate limiting
+ UPLOAD_RATE_LIMIT_PER_IP: 5
+ UPLOAD_RATE_LIMIT_WINDOW_MS: 3600000
 deploy:
 # u slucaju ruĆĄenja kontejnera čekamo 5s i diĆŸemo novi kontejner => ako se i on sruĆĄi opet ceka 5s i pokusava ponovno (tako 5 puta)
 restart_policy:
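Review bot: `UPLOAD_RATE_LIMIT_PER_IP: 5` only limits per client if the app sees the real client address, and nothing in this stack file shows how that address is obtained. With Swarm's default ingress routing mesh a container typically sees an internal ingress address instead of the client's, so all visitors could end up sharing one bucket of 5 uploads per window. If a reverse proxy sits in front, the app must take the forwarded address only from that proxy. I would add a comment above the setting, e.g. `# per-IP limit needs the real client IP: confirm publish mode / trusted proxy header`. How the app derives the IP is outside this diff and needs checking against the application code.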