Configuration
1. Environment Variables
Source: EnvironmentKeys in @nx/core/src/common/environments.ts. The service reads values via applicationEnvironment.get<T>(key).
Core runtime
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_PORT | number | 3000 | — | HTTP listen port |
| APP_ENV_HOST | string | 0.0.0.0 | — | Bind address |
| APP_ENV_BASE_PATH | string | /v1/api/identity | — | Route prefix |
| APP_ENV_NODE_ID | number | — | ✓ | Snowflake worker ID; must be 1 for the identity service so its generated IDs do not collide with those of other services |
| APP_ENV_LOG_LEVEL | info \| debug \| warn \| error | info | — | Log verbosity |
| APP_ENV_NODE_ENV | string | development | — | Environment name selected by the dotenv-flow loader |
| RUN_MODE | migrate \| server | — | — | migrate switches the process to the migration entry point instead of the HTTP server |
Database
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_DB_URL | string | — | ✓ | PostgreSQL connection URL; it carries the database credentials, so treat it as a secret |
| APP_ENV_DB_POOL_MAX | number | 10 | — | Maximum number of pooled connections |
Redis (OTP + auth cache)
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_REDIS_HOST | string | — | ✓ | Redis host; OTP storage requires Redis, the auth cache is optional |
| APP_ENV_REDIS_PORT | number | 6379 | — | Redis port |
| APP_ENV_REDIS_PASSWORD | string | — | — | Redis AUTH password, if the server requires one |
| APP_ENV_REDIS_DB | number | 0 | — | Redis logical database index |
JWKS / Token signing
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_APPLICATION_SECRET | string | — | ✓ | Used by CryptoUtility for AES-256-GCM (encrypts the stored mail/SMS configurations). Must be a high-entropy secret; changing it makes already-encrypted rows undecryptable until they are re-encrypted |
| APP_ENV_JWKS_PRIVATE_KEY (or k8s secret) | PEM | — | ✓ | ES256 private key for signing JWTs; never published |
| APP_ENV_JWKS_PUBLIC_KEY (or k8s secret) | PEM | — | ✓ | Public counterpart, published as the JWKS at /jw-certs |
The exact env-var names for the signing keys depend on the @nx/core IssuerApplication configuration. Consult the @nx/core JWT helper for the canonical names.
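As an added example (not @nx/core's JWT helper or any code from this repository), the following TypeScript shows the ES256 key lifecycle the table above implies: generating the PEM pair that APP_ENV_JWKS_PRIVATE_KEY / APP_ENV_JWKS_PUBLIC_KEY would hold, deriving the public JWKS that a /jw-certs endpoint serves, signing a token with the private key, and verifying it against the JWKS with the algorithm pinned. The function names, the RFC 7638 thumbprint used as kid and the JWKS shape are assumptions made here.

```typescript
import * as crypto from "node:crypto";

// Added example for this page: ES256 (ECDSA P-256 / SHA-256) key handling as a
// JWKS-publishing issuer would do it. Not @nx/core's JWT helper; the function
// names, the RFC 7638 thumbprint used as kid and the JWKS shape are assumptions.

interface PublicJwk { kty: "EC"; crv: "P-256"; x: string; y: string; kid: string; use: "sig"; alg: "ES256" }
interface Jwks { keys: PublicJwk[] }

function b64url(data: Buffer): string {
  return data.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(text: string): Buffer {
  return Buffer.from(text.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Generates the PEM pair an operator would put in the two JWKS variables (or a k8s secret).
function generateEs256KeyPair(): { privatePem: string; publicPem: string } {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    privatePem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
    publicPem: publicKey.export({ type: "spki", format: "pem" }).toString(),
  };
}

// kid = RFC 7638 JWK thumbprint, so the same key always gets the same identifier.
function toPublicJwk(publicPem: string): PublicJwk {
  const jwk = crypto.createPublicKey(publicPem).export({ format: "jwk" });
  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) throw new Error("not a P-256 public key");
  const thumbprint = crypto.createHash("sha256")
    .update(JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }))
    .digest();
  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y, kid: b64url(thumbprint), use: "sig", alg: "ES256" };
}

// What a /jw-certs endpoint would serve: public material only.
function buildJwks(...publicPems: string[]): Jwks {
  return { keys: publicPems.map(toPublicJwk) };
}

function signEs256(privatePem: string, publicPem: string, claims: Record<string, unknown>): string {
  const header = { alg: "ES256", typ: "JWT", kid: toPublicJwk(publicPem).kid };
  const signingInput = `${b64url(Buffer.from(JSON.stringify(header)))}.${b64url(Buffer.from(JSON.stringify(claims)))}`;
  // ieee-p1363 yields the raw 64-byte r||s that JWS requires, not a DER sequence.
  const signature = crypto.sign("sha256", Buffer.from(signingInput), { key: privatePem, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${b64url(signature)}`;
}

function decodeJsonPart(part: string): Record<string, unknown> | null {
  try {
    const value = JSON.parse(fromB64url(part).toString("utf8"));
    return value && typeof value === "object" ? value : null;
  } catch {
    return null;
  }
}

// Verifier side: pins the algorithm to ES256 (no "alg" negotiation), selects the key by kid, checks exp.
function verifyEs256(jwks: Jwks, token: string, nowSeconds = Math.floor(Date.now() / 1000)): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const header = decodeJsonPart(parts[0]);
  const claims = decodeJsonPart(parts[1]);
  if (!header || !claims) return null;
  if (header.alg !== "ES256") return null;
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.use === "sig");
  if (!jwk) return null;
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: "jwk" });
  const ok = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`), { key, dsaEncoding: "ieee-p1363" }, fromB64url(parts[2]));
  if (!ok) return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims;
}
```

The verifier rejects any token whose header names an algorithm other than ES256, so a token re-signed with alg=none, or with an HMAC keyed on the published public key, is refused before any signature check; the kid lookup means rotating keys is a matter of publishing the new JWK alongside the old one until old tokens expire.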
Mail (SMTP)
| Name | Type | Default | Description |
|---|---|---|---|
| APP_ENV_SMTP_HOST | string | smtp.gmail.com | SMTP server |
| APP_ENV_SMTP_PORT | number | 587 | SMTP submission port |
| APP_ENV_SMTP_USERNAME | string | — | SMTP login username |
| APP_ENV_SMTP_PASSWORD | string | — | SMTP login password (secret) |
WebSocket
| Name | Type | Default | Description |
|---|---|---|---|
| APP_ENV_WEBSOCKET_REDIS_MODE | SINGLE \| CLUSTER | SINGLE | Single-instance vs Redis Cluster mode for the WS emitter |
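The tables in this section give defaults and mark which variables are required. As an added example, not the @nx/core EnvironmentKeys or applicationEnvironment API, the TypeScript below validates those variables once at startup and fails fast on a missing or malformed value instead of surfacing the problem on the first query or token. The function names, the 0..1023 worker-ID range, the "server" default for RUN_MODE and the redaction helper are assumptions made here.

```typescript
// Added example for this page: a fail-fast loader for the identity service's
// environment. Not @nx/core's EnvironmentKeys/applicationEnvironment API; the
// function names, the 0..1023 worker-ID range and the "server" default for
// RUN_MODE are assumptions made here.

type Env = Readonly<Record<string, string | undefined>>;

const LOG_LEVELS = ["info", "debug", "warn", "error"] as const;
const RUN_MODES = ["migrate", "server"] as const;

interface IdentityConfig {
  port: number;
  host: string;
  basePath: string;
  nodeId: number;
  logLevel: (typeof LOG_LEVELS)[number];
  nodeEnv: string;
  runMode: (typeof RUN_MODES)[number];
  dbUrl: string;
  dbPoolMax: number;
  redisHost: string;
  redisPort: number;
  applicationSecret: string;
}

function required(env: Env, key: string): string {
  const value = env[key];
  if (value === undefined || value.trim() === "") throw new Error(`${key} is required but not set`);
  return value;
}

function withDefault(env: Env, key: string, fallback: string): string {
  const value = env[key];
  return value === undefined || value.trim() === "" ? fallback : value;
}

function asInt(key: string, raw: string, min: number, max: number): number {
  if (!/^\d+$/.test(raw)) throw new Error(`${key} must be an integer, got "${raw}"`);
  const n = Number(raw);
  if (n < min || n > max) throw new Error(`${key} must be between ${min} and ${max}`);
  return n;
}

function oneOf<T extends readonly string[]>(key: string, raw: string, allowed: T): T[number] {
  if (!(allowed as readonly string[]).includes(raw)) {
    throw new Error(`${key} must be one of ${allowed.join("|")}, got "${raw}"`);
  }
  return raw as T[number];
}

function loadIdentityConfig(env: Env): IdentityConfig {
  // Snowflake worker ID: the page fixes it to 1 for identity, so anything else is a misconfiguration.
  const nodeId = asInt("APP_ENV_NODE_ID", required(env, "APP_ENV_NODE_ID"), 0, 1023);
  if (nodeId !== 1) throw new Error("APP_ENV_NODE_ID must be 1 for the identity service");

  // The URL carries the DB credentials; parse it so a malformed value fails here.
  const dbUrl = required(env, "APP_ENV_DB_URL");
  let parsed: URL | null = null;
  try { parsed = new URL(dbUrl); } catch { /* handled below */ }
  if (parsed === null || !/^postgres(ql)?:$/.test(parsed.protocol)) {
    throw new Error("APP_ENV_DB_URL must be a postgres:// or postgresql:// URL");
  }

  return {
    port: asInt("APP_ENV_PORT", withDefault(env, "APP_ENV_PORT", "3000"), 1, 65535),
    host: withDefault(env, "APP_ENV_HOST", "0.0.0.0"),
    basePath: withDefault(env, "APP_ENV_BASE_PATH", "/v1/api/identity"),
    nodeId,
    logLevel: oneOf("APP_ENV_LOG_LEVEL", withDefault(env, "APP_ENV_LOG_LEVEL", "info"), LOG_LEVELS),
    nodeEnv: withDefault(env, "APP_ENV_NODE_ENV", "development"),
    runMode: oneOf("RUN_MODE", withDefault(env, "RUN_MODE", "server"), RUN_MODES),
    dbUrl,
    dbPoolMax: asInt("APP_ENV_DB_POOL_MAX", withDefault(env, "APP_ENV_DB_POOL_MAX", "10"), 1, 1000),
    redisHost: required(env, "APP_ENV_REDIS_HOST"),
    redisPort: asInt("APP_ENV_REDIS_PORT", withDefault(env, "APP_ENV_REDIS_PORT", "6379"), 1, 65535),
    applicationSecret: required(env, "APP_ENV_APPLICATION_SECRET"),
  };
}

// Redact secret-bearing fields before the resolved config is ever logged.
function redacted(config: IdentityConfig): Record<string, unknown> {
  const url = new URL(config.dbUrl);
  if (url.password) url.password = "***";
  return { ...config, dbUrl: url.toString(), applicationSecret: "***" };
}

// Constructed sample environment (no real credentials).
const SAMPLE_ENV: Env = {
  APP_ENV_NODE_ID: "1",
  APP_ENV_DB_URL: "postgresql://identity:example-password@db.internal:5432/identity",
  APP_ENV_REDIS_HOST: "redis.internal",
  APP_ENV_APPLICATION_SECRET: "constructed-sample-secret-do-not-use",
  RUN_MODE: "migrate",
};
```

Run loadIdentityConfig(process.env) before anything opens a socket; log only redacted(config), since the DB URL and the application secret are the two values in this list an attacker most wants to find in a log aggregator.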
2. Feature Flags
| Flag | Storage | Default | Description |
|---|---|---|---|
| OTP enabled per channel | Configuration row | enabled | Toggle email vs phone OTP |
| Mail templates per merchant | Configuration per merchantId | global | Override system templates |
3. Seeded Data
Seven migration processes live in src/migrations/processes/ and run on bootstrap.
| File | Scope | Notes |
|---|---|---|
| identity-0001-seed-roles.ts | 6 system roles | SUPER_ADMIN, ADMIN, OPERATOR, OWNER, EMPLOYEE, CUSTOMER (immutable) |
| identity-0002-seed-users.ts | Default admin/test users | Dev convenience only; not for production deployments |
| identity-0003-seed-table-configurations.ts | OTP/mail/password defaults in Configuration | OTP TTLs, attempt limits, lockout |
| identity-0004-seed-mail-configurations.ts | Mail templates (verify-email, forgot-password, welcome, password-changed × en/vi) | 8 rows |
| identity-0005-seed-permissions.ts | All IdentityPermissions | Per-controller CRUD permissions; alwaysRun=true, so re-applied on every bootstrap |
| identity-0006-seed-sms-configurations.ts | VN Pay SMS provider config | Stored encrypted (AES-256-GCM) |
| identity-0007-seed-sms-templates.ts | SMS templates (phone-auth, add-phone × en/vi) | 4 rows |
4. Configuration Table Usage
Identity reads/writes:
| Configuration kind | Group | Encryption | Read by |
|---|---|---|---|
| Mail validation defaults (CODE_LENGTH, CODE_EXPIRY, etc.) | MAIL_VALIDATION | — | MailValidationFields constants |
| Mail templates | MAIL | — | MailTemplateService |
| OTP policy | OTP | — | BaseOTPBasedMFAService |
| SMS templates | SMS | — | SmsTemplateService |
| SMS provider credentials | SMS_PARAMETER_CONFIGURE | AES-256-GCM | MQSMSComponent |
Templates can be overridden per merchant via the (group, code, principalId, principalType) partial unique index.
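The SMS provider credentials row above, like the mail/SMS configurations APP_ENV_APPLICATION_SECRET protects in section 1, is stored AES-256-GCM encrypted. As an added example, not CryptoUtility's actual format or any code from this repository, the following TypeScript shows one sound way to do that: derive a fixed 256-bit key from the application secret with HKDF, use a fresh random 96-bit IV per value, and bind the ciphertext to its (group, code) row through the additional authenticated data so a value cannot be transplanted to another row. The HKDF step, the version||iv||ciphertext||tag layout and the AAD choice are assumptions made here.

```typescript
import * as crypto from "node:crypto";

// Added example for this page: protecting a secret-bearing Configuration row
// (e.g. the SMS_PARAMETER_CONFIGURE group) with AES-256-GCM under
// APP_ENV_APPLICATION_SECRET. Not CryptoUtility's real format; the HKDF key
// derivation, the version||iv||ciphertext||tag layout and the use of the row
// identity as additional authenticated data are assumptions made here.

const FORMAT_VERSION = 1;
const IV_BYTES = 12;  // 96-bit nonce, the GCM-recommended size
const TAG_BYTES = 16; // full 128-bit authentication tag

// Derive a fixed-length 256-bit key from the operator-provided secret rather than
// using its string bytes directly; the info label separates this use from any other.
function deriveConfigKey(applicationSecret: string): Buffer {
  if (applicationSecret.length < 32) {
    throw new Error("APP_ENV_APPLICATION_SECRET is too short; use at least 32 random characters");
  }
  const info = Buffer.from("identity/configuration-encryption/v1");
  return Buffer.from(crypto.hkdfSync("sha256", applicationSecret, Buffer.alloc(0), info, 32));
}

// The AAD binds the ciphertext to its row: a value copied from one (group, code)
// to another fails authentication even though the key is the same.
function rowAad(group: string, code: string): Buffer {
  return Buffer.from(`${group}\u0000${code}`, "utf8");
}

function encryptConfigValue(key: Buffer, group: string, code: string, plaintext: string): string {
  const iv = crypto.randomBytes(IV_BYTES); // fresh per encryption; never reuse an IV under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(rowAad(group, code));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([Buffer.from([FORMAT_VERSION]), iv, ciphertext, tag]).toString("base64");
}

function decryptConfigValue(key: Buffer, group: string, code: string, stored: string): string {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < 1 + IV_BYTES + TAG_BYTES || raw[0] !== FORMAT_VERSION) {
    throw new Error("stored value is malformed or uses an unknown format version");
  }
  const iv = raw.subarray(1, 1 + IV_BYTES);
  const tag = raw.subarray(raw.length - TAG_BYTES);
  const ciphertext = raw.subarray(1 + IV_BYTES, raw.length - TAG_BYTES);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(rowAad(group, code));
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify: a flipped bit anywhere in iv,
  // ciphertext, tag or AAD is rejected, and no plaintext is released.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Constructed sample: a fake provider credential payload, not a real one.
const SAMPLE_SECRET = "constructed-sample-secret-with-enough-length-0123456789";
const SAMPLE_PROVIDER_CONFIG = JSON.stringify({ apiKey: "not-a-real-key", sender: "IDENTITY" });
```

Because the GCM tag covers the IV, the ciphertext and the AAD, decryptConfigValue throws on any modification; a reader such as MQSMSComponent should treat that as a hard error rather than fall back to a default provider configuration. Rotating APP_ENV_APPLICATION_SECRET means decrypting each row under the old key and re-encrypting under the new one, which the version byte leaves room to do incrementally.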