Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/BladimirGS/judicial-backend/llms.txt

Use this file to discover all available pages before exploring further.

Judicial Backend reads all runtime configuration from environment variables loaded by dotenv at startup (via src/config/envs.ts). Values are parsed, type-coerced, and validated before the HTTP server binds to any port — if a required variable is absent the process exits immediately with a fatal log message. This page documents every variable, its type, default value, and effect on the running system.
The variables DB_HOST, DB_USER, DB_PASSWORD, DB_NAME, EXTERNAL_AUTH_URL, JWT_ISSUER, and JWT_AUDIENCE are required. If any one of them resolves to an empty string at boot, the application calls process.exit(1) and will not start. There is no graceful fallback.

Example .env file

The following is a complete, annotated environment file you can use as a starting point. Copy it from .env.example and fill in the values for your environment: 
# ─── Server ──────────────────────────────────────────────────────────────────
PORT=4000
NODE_ENV=development        # development | production | test
LOG_LEVEL=debug             # debug | info | warn | error | silent

# ─── Database (MSSQL) ────────────────────────────────────────────────────────
DB_PORT=1433
DB_HOST=localhost
DB_USER=sa
DB_PASSWORD=YourStrong!Passw0rd
DB_NAME=judicial_db

# ─── External Authentication (BFF) ───────────────────────────────────────────
EXTERNAL_AUTH_URL=https://auth.yourdomain.internal
JWT_ISSUER=https://auth.yourdomain.internal
JWT_AUDIENCE=judicial-backend
ID_SISTEMA=1

# ─── CORS & Cookies ──────────────────────────────────────────────────────────
CORS_ORIGINS=http://localhost:4200,http://localhost:3000
COOKIE_SAME_SITE=none
COOKIE_SECURE=true

# ─── Rate Limiting ────────────────────────────────────────────────────────────
RATE_LIMIT_WINDOW_MS=900000   # 15 minutes in milliseconds
RATE_LIMIT_MAX=100            # global max requests per window
RATE_LIMIT_AUTH_MAX=20        # max requests to /api/auth per window

Server

PORT
number
default:"4000"
The TCP port the Express HTTP server listens on. Parsed as an integer. In production environments this is typically set by the platform (e.g. an Azure App Service or Docker container) rather than hardcoded.
NODE_ENV
string
default:"development"
Controls environment-specific behaviour across the stack. Accepted values are development, production, and test. Setting production disables morgan request logging verbosity and may affect third-party library internals (e.g. error stack suppression).
LOG_LEVEL
string
default:"debug"
Minimum log severity emitted by the Pino logger. Accepted values in ascending order of severity: debug, info, warn, error, silent. Use silent in test suites to suppress all log output. Defaults to debug when not set, which surfaces detailed diagnostic messages useful during development.

Database (MSSQL)

These five variables configure the TypeORM data source that connects to Microsoft SQL Server via the mssql / tedious driver. All are required except DB_PORT.
DB_HOST
string
required
Hostname or IP address of the SQL Server instance. Examples: localhost, 10.0.0.5, myserver.database.windows.net. Required — the app exits if empty.
DB_PORT
number
default:"1433"
TCP port SQL Server listens on. The default 1433 is the standard SQL Server port. Change this if your instance uses a named instance or a non-standard port.
DB_USER
string
required
SQL Server login username (SQL authentication). For Azure SQL, this is typically in the form username@servername. Required — the app exits if empty.
DB_PASSWORD
string
required
Password for DB_USER. Store this in a secrets manager (Azure Key Vault, HashiCorp Vault, etc.) in production — never commit it to source control. Required — the app exits if empty.
DB_NAME
string
required
Name of the target database within the SQL Server instance. The TypeORM data source connects directly to this database at startup. Required — the app exits if empty.

External Authentication (BFF)

Judicial Backend delegates credential validation to an external identity service. These variables tell the application where to find that service and how to validate the JWTs it issues.
EXTERNAL_AUTH_URL, JWT_ISSUER, and JWT_AUDIENCE are all required. If any is missing the application calls process.exit(1) at boot. Additionally, the protect middleware dynamically fetches the JWKS public-key set from EXTERNAL_AUTH_URL/api/AuthJWT/GetJwks on each new kid — the external auth service must be reachable at all times for JWT validation to succeed.
EXTERNAL_AUTH_URL
string
required
Base URL of the external identity API, without a trailing slash. The application appends the following paths automatically:
  • POST /api/Auth/Login — credential exchange
  • POST /api/Auth/RefreshToken — access token renewal
  • GET /api/AuthJWT/GetJwks — public key discovery (JWKS)
Example: https://auth.yourdomain.internal
JWT_ISSUER
string
required
The expected iss (issuer) claim in every access token. The protect middleware passes this to jsonwebtoken.verify() and rejects any token whose iss does not match exactly. Must equal the value the external auth service embeds in its JWTs. Required — the app exits if empty.
JWT_AUDIENCE
string
required
The expected aud (audience) claim in every access token. Verified alongside JWT_ISSUER on every request to a protected route. Must equal the audience the external auth service encodes in the JWT payload. Required — the app exits if empty.
ID_SISTEMA
number
default:"0"
A numeric system identifier forwarded to the external auth service as part of the login request body. This allows the identity provider to scope permissions to this specific application. Parsed as an integer; defaults to 0 if not set.

CORS & Cookies

CORS_ORIGINS
string
default:"(reflect request origin)"
Comma-separated list of allowed CORS origins. The value is split on , and each entry is trimmed before being passed to the cors middleware’s origin option. Example:
CORS_ORIGINS=http://localhost:4200,https://app.yourdomain.com
If this variable is empty or not set, the middleware falls back to echoing the request’s Origin header — effectively allowing any origin. Always set an explicit allow-list in production.
COOKIE_SAME_SITE
string
default:"none"
The SameSite attribute applied to the refresh-token cookie. Accepted values: none, lax, strict.
  • none — required when the front-end and API are on different origins (cross-site); must be paired with COOKIE_SECURE=true.
  • lax — permits cookies on top-level navigations; suitable for same-site deployments.
  • strict — cookies are never sent cross-site; most restrictive.
The default none matches the typical Angular front-end / Express API split-origin setup.
COOKIE_SECURE
boolean
default:"true"
Controls whether the Secure flag is set on cookies. Parsed as a boolean: the value "false" (string) disables the flag; anything else (including the absence of the variable) keeps it enabled.Set to false only in local development where HTTPS is not available. Always keep true in production — browsers will block SameSite=none cookies without the Secure flag.

Rate Limiting

Judicial Backend applies two independent express-rate-limit limiters. The global limiter covers all routes under /api; the auth limiter applies an additional, tighter cap specifically to /api/auth/* to slow credential-stuffing attacks.
RATE_LIMIT_WINDOW_MS
number
default:"900000"
The duration of the sliding rate-limit window in milliseconds. The default 900000 equals 15 minutes. Both the global and auth limiters share this window duration.
900000 ms = 15 minutes
RATE_LIMIT_MAX
number
default:"100"
Maximum number of requests a single IP address may make within one window across all API routes. Once exceeded, the limiter returns 429 Too Many Requests until the window resets.
RATE_LIMIT_AUTH_MAX
number
default:"20"
Maximum number of requests a single IP address may make to /api/auth/* routes within one window. This tighter limit (default: 20) reduces the blast radius of automated login attempts. It applies in addition to the global limiter — whichever threshold is hit first triggers a 429 response.

Build docs developers (and LLMs) love

Get started for freeTalk to us