The Express backend reads all runtime secrets and configuration values from aDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Danielings/Pasantia-Proyecto/llms.txt
Use this file to discover all available pages before exploring further.
.env file located in the backend/ directory. The file is loaded at startup by config/env.js using dotenv, which resolves the path relative to the config module so the server always picks up the correct file regardless of which working directory it is launched from. Every variable is accessed through the env() helper, which trims accidental surrounding whitespace before returning the value.
Example .env file
The block below shows every variable the backend expects. Copy it to
backend/.env and fill in your real values before starting the server.
backend/.env
Firebase / Firestore
The variables below are taken directly from the service account JSON file you download from the Firebase console. The backend assembles them into aserviceAccount object inside config/firebase.js and initialises firebase-admin with cert().
The
private_key value contains literal newline characters in the JSON file.
When you copy it into .env, keep it as a single line with \n sequences
inside double quotes — the backend calls .replace(/\\n/g, "\n") to
restore the real newlines before passing the key to the Firebase SDK.The unique identifier of your Firebase project (e.g.
my-inventory-app-12345). Found under Project Settings → General → Project
ID in the Firebase console, and as the project_id field in the service
account JSON.The key ID of the service account’s RSA private key. Copied directly from the
private_key_id field in the service account JSON.The full RSA private key for the service account, including the
-----BEGIN RSA PRIVATE KEY----- header and footer. In .env the value must
be wrapped in double quotes with \n representing each newline; the backend
replaces \n with actual newlines at runtime.The service account’s email address (e.g.
firebase-adminsdk-xxxxx@project-id.iam.gserviceaccount.com). Used by
firebase-admin to authenticate API calls to Firestore.The numeric client ID of the service account. Found in the
client_id field
of the service account JSON.The URL of the service account’s X.509 public certificate. Found in the
client_x509_cert_url field of the service account JSON. This is a
googleapis.com URL that includes the URL-encoded service account email.JWT
JSON Web Tokens are signed and verified usingjsonwebtoken. The secret is
read directly from process.env.JWT_SECRET in both apis/usuarios.js (token
creation at login) and middleware/verificarToken.js (token validation on
every protected route).
The secret key used to sign and verify JWT access tokens. Must be a
cryptographically random string of at least 64 bytes. There is no default
value that is safe for production use.
SMTP / Email
The backend uses Nodemailer with the built-ingmail service preset to
send password-reset emails. Only a Gmail address and its corresponding app
password are required — host and port are configured automatically by the
gmail preset.
Gmail requires an App Password (not your normal account password) when
two-factor authentication is enabled, which is strongly recommended. Generate
one under Google Account → Security → App passwords.
The Gmail address that sends password-reset emails (e.g.
inventario@gmail.com). This address also appears in the From header of
every outbound message as "CANTV Inventario" <SMTP_USER>.The Gmail app password for
SMTP_USER. If either SMTP_USER or SMTP_PASS
is missing, the transporter is not created and any attempt to trigger a
password-reset email will throw an error at runtime.MySQL (password recovery)
MySQL stores user accounts and the temporary password-reset tokens that are created when a user requests a password recovery email. The connection pool inconfig/bd.js is created with a limit of 10 concurrent connections.
Hostname or IP address of the MySQL server. Defaults to
localhost when
running everything on one machine.MySQL username the backend uses to connect (e.g.
root or a dedicated
application user with least-privilege access).Password for
DB_USER. Leave empty only if MySQL is configured to allow
passwordless local connections — this is not recommended for production.Name of the MySQL database that contains the
usuarios table used for
authentication and password-recovery token storage (e.g. inventario).Application
Base URL of the React frontend. The backend appends
/nueva-password?token=…
to this value when building the password-reset link that is emailed to the
user. Set this to your production domain (e.g. https://inventario.example.com)
when deploying outside of localhost.