The Express backend reads all runtime secrets and configuration values from a .env file located in the backend/ directory. The file is loaded at startup by config/env.js using dotenv, which resolves the path relative to the config module so the server always picks up the correct file regardless of which working directory it is launched from. Every variable is accessed through the env() helper, which trims accidental surrounding whitespace before returning the value.
Never commit your .env file to version control. Add backend/.env to your .gitignore immediately after creating it. Leaking Firebase private keys, JWT secrets, or SMTP credentials can fully compromise your application and your users’ accounts.

Example .env file

The block below shows every variable the backend expects. Copy it to backend/.env and fill in your real values before starting the server.
backend/.env
# ── Firebase / Firestore ──────────────────────────────────────────────────────
project_id=your-firebase-project-id
private_key_id=abc123def456
private_key="-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
client_email=firebase-adminsdk-xxxxx@your-project.iam.gserviceaccount.com
client_id=123456789012345678901
client_x509_cert_url=https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-xxxxx%40your-project.iam.gserviceaccount.com

# ── JWT ───────────────────────────────────────────────────────────────────────
JWT_SECRET=replace_with_a_long_random_hex_string

# ── SMTP (Gmail) ──────────────────────────────────────────────────────────────
SMTP_USER=your-address@gmail.com
SMTP_PASS=your-gmail-app-password

# ── MySQL (password recovery) ─────────────────────────────────────────────────
DB_HOST=localhost
DB_USER=root
DB_PASSWORD=your_mysql_password
DB_NAME=inventario

# ── Application ───────────────────────────────────────────────────────────────
FRONTEND_URL=http://localhost:5173

Firebase / Firestore

The variables below are taken directly from the service account JSON file you download from the Firebase console. The backend assembles them into a serviceAccount object inside config/firebase.js and initialises firebase-admin with cert().
The private_key value contains literal newline characters in the JSON file. When you copy it into .env, keep it as a single line with \n sequences inside double quotes — the backend calls .replace(/\\n/g, "\n") to restore the real newlines before passing the key to the Firebase SDK.
project_id (string, required)
The unique identifier of your Firebase project (e.g. my-inventory-app-12345). Found under Project Settings → General → Project ID in the Firebase console, and as the project_id field in the service account JSON.
private_key_id (string, required)
The key ID of the service account’s RSA private key. Copied directly from the private_key_id field in the service account JSON.
private_key (string, required)
The full RSA private key for the service account, including the -----BEGIN RSA PRIVATE KEY----- header and footer. In .env the value must be wrapped in double quotes with \n representing each newline; the backend replaces \n with actual newlines at runtime.
client_email (string, required)
The service account’s email address (e.g. firebase-adminsdk-xxxxx@project-id.iam.gserviceaccount.com). Used by firebase-admin to authenticate API calls to Firestore.
client_id (string, required)
The numeric client ID of the service account. Found in the client_id field of the service account JSON.
client_x509_cert_url (string, required)
The URL of the service account’s X.509 public certificate. Found in the client_x509_cert_url field of the service account JSON. This is a googleapis.com URL that includes the URL-encoded service account email.

JWT

JSON Web Tokens are signed and verified using jsonwebtoken. The secret is read directly from process.env.JWT_SECRET in both apis/usuarios.js (token creation at login) and middleware/verificarToken.js (token validation on every protected route).
The backend falls back to the hard-coded string "lol" when JWT_SECRET is not set. This default must never be used in production — any attacker who knows the fallback can forge authentication tokens and gain full access to the API.
JWT_SECRET (string, required)
The secret key used to sign and verify JWT access tokens. Must be a cryptographically random string of at least 64 bytes. There is no default value that is safe for production use.
Generate a secure value with Node.js — no extra dependencies needed:
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
Paste the output as the value of JWT_SECRET in your .env file.

SMTP / Email

The backend uses Nodemailer with the built-in gmail service preset to send password-reset emails. Only a Gmail address and its corresponding app password are required — host and port are configured automatically by the gmail preset.
Gmail requires an App Password (not your normal account password) when two-factor authentication is enabled, which is strongly recommended. Generate one under Google Account → Security → App passwords.
SMTP_USER (string, required)
The Gmail address that sends password-reset emails (e.g. inventario@gmail.com). This address also appears in the From header of every outbound message as "CANTV Inventario" <SMTP_USER>.
SMTP_PASS (string, required)
The Gmail app password for SMTP_USER. If either SMTP_USER or SMTP_PASS is missing, the transporter is not created and any attempt to trigger a password-reset email will throw an error at runtime.

MySQL (password recovery)

MySQL stores user accounts and the temporary password-reset tokens that are created when a user requests a password recovery email. The connection pool in config/bd.js is created with a limit of 10 concurrent connections.
DB_HOST (string, default: "localhost")
Hostname or IP address of the MySQL server. Defaults to localhost when running everything on one machine.
DB_USER (string, required)
MySQL username the backend uses to connect (e.g. root or a dedicated application user with least-privilege access).
DB_PASSWORD (string, required)
Password for DB_USER. Leave empty only if MySQL is configured to allow passwordless local connections — this is not recommended for production.
DB_NAME (string, required)
Name of the MySQL database that contains the usuarios table used for authentication and password-recovery token storage (e.g. inventario).

Application

FRONTEND_URL (string, default: "http://localhost:5173")
Base URL of the React frontend. The backend appends /nueva-password?token=… to this value when building the password-reset link that is emailed to the user. Set this to your production domain (e.g. https://inventario.example.com) when deploying outside of localhost.
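
A fail-closed startup check for the variables documented on this page, given as an added example rather than the project's own code: validateEnv, its rule set and the sample values are assumptions for illustration. It rejects the "lol" fallback and the template placeholder for JWT_SECRET, confirms private_key is still a PEM block after the \n restoration, and applies the SMTP, MySQL and FRONTEND_URL notes from the sections above.

```javascript
// Added example: fail-closed startup validation for backend/.env values.
// validateEnv() and its rules are hypothetical, not the project's config/env.js.
const KNOWN_BAD_SECRETS = new Set(["lol", "replace_with_a_long_random_hex_string"]);

// Same behaviour the page describes for env(): trim surrounding whitespace.
const env = (source, name) => (source[name] ?? "").trim();

function validateEnv(source, { production = false } = {}) {
  const problems = [];

  // JWT_SECRET: reject a missing value, the documented "lol" fallback and the template
  // placeholder. Assumes the page's generator: 64 random bytes = 128 hex characters.
  const secret = env(source, "JWT_SECRET");
  if (!secret) problems.push("JWT_SECRET is not set");
  else if (KNOWN_BAD_SECRETS.has(secret)) problems.push("JWT_SECRET is a known default");
  else if (secret.length < 128) problems.push("JWT_SECRET is shorter than 64 bytes of hex");

  // private_key: restore real newlines as the backend does, then check PEM framing.
  const pem = env(source, "private_key").replace(/\\n/g, "\n").trim();
  if (!/^-----BEGIN [A-Z ]*PRIVATE KEY-----\n[\s\S]+\n-----END [A-Z ]*PRIVATE KEY-----$/.test(pem))
    problems.push("private_key is not a PEM block after newline restoration");

  // SMTP: the transporter is only created when both values are present.
  if (!env(source, "SMTP_USER") || !env(source, "SMTP_PASS"))
    problems.push("SMTP_USER and SMTP_PASS must both be set");

  // FRONTEND_URL prefixes the emailed reset link, so require https in production.
  const frontend = env(source, "FRONTEND_URL") || "http://localhost:5173";
  let url = null;
  try { url = new URL(frontend); } catch { problems.push("FRONTEND_URL is not a valid URL"); }
  if (url && production && url.protocol !== "https:")
    problems.push("FRONTEND_URL must use https in production");

  // DB_PASSWORD: an empty password is only tolerable for local development.
  if (production && !env(source, "DB_PASSWORD")) problems.push("DB_PASSWORD is empty");

  return problems;
}

// Constructed sample values (not real credentials).
const sample = {
  JWT_SECRET: " lol ",
  private_key: "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...\\n-----END RSA PRIVATE KEY-----\\n",
  SMTP_USER: "your-address@gmail.com",
  SMTP_PASS: "",
  FRONTEND_URL: "http://localhost:5173",
  DB_PASSWORD: "",
};
console.log(validateEnv(sample, { production: true }));
```

Run a check like this before the server starts listening and exit with a non-zero status when the returned list is not empty, so a misconfigured deployment never serves requests signed with a guessable secret.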
