Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Imjuanisss/proyecto-melika/llms.txt

Use this file to discover all available pages before exploring further.

MELIKA’s runtime behaviour is driven entirely by environment variables — no secrets are ever committed to the repository. Before starting either service you must define every required variable in the appropriate .env file (for local development) or in the Railway service dashboard (for production). This page catalogues every variable, shows example values, and walks through the Gmail OAuth2 credential flow that powers transactional email delivery.

Server environment variables

The Express backend reads these variables at startup. Missing required variables will cause the server to crash or silently degrade security-sensitive features.
VariableDescriptionExample valueRequired
PORTTCP port the Express server listens on. Railway injects this automatically; default is 3000 locally.3000No
DB_HOSTHostname of the PostgreSQL server.localhostYes
DB_PORTPort the PostgreSQL server listens on.5432Yes
DB_NAMEName of the PostgreSQL database.melika_dbYes
DB_USERPostgreSQL user with access to DB_NAME.postgresYes
DB_PASSWORDPassword for DB_USER.s3cr3tYes
JWT_SECRETSecret used to sign and verify JSON Web Tokens. Must be long and unpredictable. Rotating this value invalidates every active session.a8f3... (64+ random chars)Yes
FRONTEND_URLAllowed CORS origin for the production frontend. Must match the deployed client URL exactly — no trailing slash.https://melika-client.up.railway.appYes
EMAIL_USERGmail address that sends verification and notification emails via the Gmail API.noreply@yourapp.comYes
EMAIL_FROMDisplay name and address shown in the From header. Defaults to MELIKA Salud <EMAIL_USER> when omitted.MELIKA Salud <noreply@yourapp.com>No
GMAIL_CLIENT_IDOAuth2 client ID obtained from Google Cloud Console.1234567890-abc.apps.googleusercontent.comYes
GMAIL_CLIENT_SECRETOAuth2 client secret paired with GMAIL_CLIENT_ID.GOCSPX-...Yes
GMAIL_REFRESH_TOKENLong-lived OAuth2 refresh token used to mint access tokens for the Gmail API.1//04...Yes

Client environment variables

Vite injects variables prefixed with VITE_ into the browser bundle at build time. Any variable without this prefix is stripped from the bundle and will be undefined in the browser.
VariableDescriptionExample valueRequired
VITE_API_URLBase URL of the MELIKA backend. The React app appends API paths to this value. Must not have a trailing slash.https://melika-server.up.railway.appYes
Only variables prefixed with VITE_ are embedded in the browser bundle. Never place secrets (database passwords, JWT secrets, OAuth credentials) in client-side environment variables — they would be publicly visible in the compiled JavaScript.

Gmail OAuth2 setup

MELIKA uses Gmail’s OAuth2 flow instead of a plain SMTP password so that Google cannot block transactional email as “less secure app access”. Railway (and most cloud providers) also block outbound SMTP ports (25, 465, 587) at the network level — the Gmail API travels over HTTPS (port 443) and is never blocked. Follow these steps once to obtain the four Gmail-related variables.
1

Create a Google Cloud project

Go to console.cloud.google.com, click New Project, give it a name (e.g. melika-mail), and note the project ID.
2

Enable the Gmail API

In the project, navigate to APIs & Services → Library, search for Gmail API, and click Enable.
3

Create OAuth2 credentials

Go to APIs & Services → Credentials → Create Credentials → OAuth client ID. Choose Web application as the application type. Add https://developers.google.com/oauthplayground as an authorised redirect URI, then click Create. Copy the Client IDGMAIL_CLIENT_ID and Client SecretGMAIL_CLIENT_SECRET.
4

Obtain a refresh token

Open OAuth 2.0 Playground. Click the gear icon (OAuth2 configuration), enable Use your own OAuth credentials, and paste your Client ID and Client Secret. In Step 1, select https://mail.google.com/ from the Gmail API scopes and click Authorise APIs. Sign in with the EMAIL_USER address. In Step 2, click Exchange authorization code for tokens. Copy the Refresh tokenGMAIL_REFRESH_TOKEN.
Refresh tokens for Google Workspace accounts do not expire unless revoked. For personal Gmail accounts, tokens expire if unused for six months. Regenerate the token and update GMAIL_REFRESH_TOKEN if email delivery stops working.

CORS configuration

The server’s allowed-origins list is defined in server.js as:
server/src/server.js
const allowedOrigins = [
  'http://localhost:5173',
  'http://127.0.0.1:5173',
  process.env.FRONTEND_URL,
];
credentials: true is also set, which means the browser will include cookies and Authorization headers in cross-origin requests. Both constraints apply:
FRONTEND_URL must match the production frontend URL exactly — same scheme, same hostname, no trailing slash. For example, https://melika-client.up.railway.app and https://melika-client.up.railway.app/ are treated as different origins and the latter will be blocked.

JWT secret guidance

Use a cryptographically random string of at least 64 characters for JWT_SECRET. You can generate one with:
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
Rotating JWT_SECRET immediately invalidates every active user session — all logged-in users will be signed out. Schedule rotations during a maintenance window and communicate downtime in advance.

Example .env files

# Server — never commit this file
PORT=3000
DB_HOST=localhost
DB_PORT=5432
DB_NAME=melika_db
DB_USER=postgres
DB_PASSWORD=replace_with_db_password
JWT_SECRET=replace_with_64_plus_random_hex_chars
FRONTEND_URL=http://localhost:5173

EMAIL_USER=noreply@yourapp.com
EMAIL_FROM=MELIKA Salud <noreply@yourapp.com>
GMAIL_CLIENT_ID=1234567890-abc.apps.googleusercontent.com
GMAIL_CLIENT_SECRET=GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx
GMAIL_REFRESH_TOKEN=1//04xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Add both .env files to .gitignore before your first commit. Railway injects production values through its service dashboard, so .env files are only needed for local development.

Data protection — Colombia Ley 1581/2012

MELIKA stores datos sensibles de salud (clinical histories, diagnoses, prescriptions) which are classified as sensitive personal data under Colombia’s Ley 1581 de 2012 and its regulatory decree 1377 de 2013. Operators must:
  • Obtain explicit, informed consent from patients before collecting health data.
  • Store all database credentials and JWT_SECRET only in secure secret stores — never in source code or public repositories.
  • Restrict database access to the minimum set of users and services that require it.
  • Maintain an audit log of access to clinical histories (MELIKA’s logs_citas table partially satisfies this requirement).
  • Appoint a Responsable del Tratamiento and publish a Política de Tratamiento de Datos Personales accessible to all users.
  • Report data breaches to the Superintendencia de Industria y Comercio (SIC) within the timeframes established by the authority.

Build docs developers (and LLMs) love