PORT=3000

DATABASE_URL="mysql://root:password@localhost/FurryPlace"

# Only required for development
SHADOW_DATABASE_URL="mysql://root:password@localhost/FurryPlace_shadow"

JWT_SECRET="your-secret-key"

# Google OAuth
GOOGLE_CLIENT_ID="your-google-client-id"
GOOGLE_CLIENT_SECRET="your-google-client-secret"
GOOGLE_CALLBACK_URL="http://localhost:3000/auth/google/callback"

# Cookie configuration
COOKIE_SECURE=true
COOKIE_SAME_SITE=Strict
# Optional: set to your public domain if needed (e.g., example.com)
COOKIE_DOMAIN=

# Bot protection (Legacy - use new captcha config below)
TURNSTILE_SECRET_KEY="your-turnstile-secret"
# Development bypass token (set to empty in production)
TURNSTILE_BYPASS_TOKEN="turnstile-disabled"

# Captcha Configuration
# Supported providers: turnstile, hcaptcha, recaptcha-v2, recaptcha-v3, none
# Each verification point can use a different provider and be independently enabled/disabled

# Login Captcha (appears when logging in with existing account)
CAPTCHA_LOGIN_ENABLED=false
CAPTCHA_LOGIN_PROVIDER=turnstile
CAPTCHA_LOGIN_SECRET=your-secret-key
CAPTCHA_LOGIN_BYPASS_TOKEN=

# Registration Captcha (appears when creating new account)
CAPTCHA_REGISTER_ENABLED=false
CAPTCHA_REGISTER_PROVIDER=hcaptcha
CAPTCHA_REGISTER_SECRET=your-secret-key
CAPTCHA_REGISTER_BYPASS_TOKEN=

# Google OAuth Captcha (appears before OAuth flow)
CAPTCHA_GOOGLE_OAUTH_ENABLED=false
CAPTCHA_GOOGLE_OAUTH_PROVIDER=turnstile
CAPTCHA_GOOGLE_OAUTH_SECRET=your-secret-key
CAPTCHA_GOOGLE_OAUTH_BYPASS_TOKEN=

# Paint Captcha (appears when painting pixels)
CAPTCHA_PAINT_ENABLED=false
CAPTCHA_PAINT_PROVIDER=recaptcha-v3
CAPTCHA_PAINT_SECRET=your-secret-key
CAPTCHA_PAINT_BYPASS_TOKEN=
# Paint Captcha Interval: Require captcha every N paint actions (0 = always require, empty = always require)
# Example: 5 means captcha is required every 5 paint actions
CAPTCHA_PAINT_INTERVAL=5