security: remove hardcoded admin credentials

- Remove hardcoded admin@local/admin123 from lib/auth.ts
- Enforce environment variable usage for admin authentication
- Add password strength validation (minimum 16 characters)
- Remove debug logging of MONGODB_URI from connection.ts

This addresses a critical security vulnerability where admin
credentials were exposed in source code.

Author: rishabh3562

.env.example

@@ -1,19 +1,79 @@
-# Example env vars; copy to .env.local or set in deployment
+# ToolBox Environment Variables
+# Copy this file to .env and fill in your values
+# NEVER commit .env to git!
 
-# Core
+# ==============================================================================
+# REQUIRED - App will not start without these
+# ==============================================================================
+
+# MongoDB connection string
+# Development: Use local MongoDB or Atlas free tier
+# Production: Use MongoDB Atlas or managed instance
 MONGODB_URI=mongodb://127.0.0.1:27017/toolbox
+
+# NextAuth configuration
+# Development: http://localhost:3000
+# Production: Your actual domain (e.g., https://toolbox.example.com)
 NEXTAUTH_URL=http://localhost:3000
-NEXTAUTH_SECRET=change-me
 
-# Dev admin (Credentials provider)
-ADMIN_EMAIL=admin@local
-ADMIN_PASSWORD=admin123
+# NextAuth secret for JWT signing
+# ⚠️  CRITICAL: Generate a strong random secret!
+# Run: openssl rand -base64 32
+# This must be at least 32 characters long
+NEXTAUTH_SECRET=
+
+# ==============================================================================
+# ADMIN CREDENTIALS - REQUIRED
+# ==============================================================================
+
+# Admin user email (used to log into /admin dashboard)
+ADMIN_EMAIL=
+
+# Admin password
+# ⚠️  SECURITY WARNING:
+# - MUST be at least 16 characters long
+# - Use a strong, randomly generated password
+# - Generate with: openssl rand -base64 24
+# - NEVER use default passwords like "admin123"
+ADMIN_PASSWORD=
 
-# Feature flags
-ENABLE_SPAM_CHECK=false
+# ==============================================================================
+# PRODUCTION REQUIRED - Optional in development
+# ==============================================================================
 
-# Optional providers
+# Upstash Redis (required for rate limiting in production)
+# Without this, rate limiting will not work in multi-instance deployments
+# Sign up at: https://upstash.com (free tier available)
 # UPSTASH_REDIS_REST_URL=
 # UPSTASH_REDIS_REST_TOKEN=
+
+# ==============================================================================
+# OPTIONAL FEATURES
+# ==============================================================================
+
+# Gemini AI API key (for AI-powered features)
+# Get your key at: https://makersuite.google.com/app/apikey
+# NEXT_PUBLIC_GEMINI_API_KEY=
+
+# Spam check feature (currently not implemented)
+# ENABLE_SPAM_CHECK=false
+
+# Akismet spam detection (if implementing spam check)
 # AKISMET_API_KEY=
 # AKISMET_SITE_URL=
+
+# ==============================================================================
+# SETUP CHECKLIST
+# ==============================================================================
+#
+# Before starting the app:
+# [ ] Copy this file to .env
+# [ ] Set MONGODB_URI (local or Atlas)
+# [ ] Generate NEXTAUTH_SECRET: openssl rand -base64 32
+# [ ] Set ADMIN_EMAIL to your email
+# [ ] Generate ADMIN_PASSWORD: openssl rand -base64 24
+# [ ] Set NEXTAUTH_URL to your domain (production) or localhost (dev)
+# [ ] (Production) Set up Upstash Redis and add credentials
+# [ ] Verify .env is in .gitignore
+#
+# ==============================================================================

README.md

@@ -82,37 +82,91 @@ Streamline your GitHub workflow with helpful utilities for repositories, issues,
 
 ### Installation
 
-1. Clone the repository:
+1. **Clone the repository:**
 
 ```bash
 git clone https://github.com/rishabh3562/ToolBox.git
 cd ToolBox
 ```
 
-2. Install dependencies:
+2. **Install dependencies:**
 
 ```bash
 npm install
 ```
 
-3. Set up environment variables:
+3. **Set up environment variables:**
 
 ```bash
 # Copy the example environment file
 cp .env.example .env
+```
+
+4. **Configure required environment variables in `.env`:**
+
+⚠️ **CRITICAL:** The following environment variables are **REQUIRED** for the app to start:
+
+```bash
+# MongoDB connection (required)
+MONGODB_URI=mongodb://127.0.0.1:27017/toolbox
+
+# NextAuth configuration (required)
+NEXTAUTH_URL=http://localhost:3000
+NEXTAUTH_SECRET=  # Generate with: openssl rand -base64 32
+
+# Admin credentials (required)
+ADMIN_EMAIL=your-email@example.com
+ADMIN_PASSWORD=  # Generate with: openssl rand -base64 24 (min 16 chars)
+```
+
+**Generate secure credentials:**
+
+```bash
+# Generate NextAuth secret (copy output to NEXTAUTH_SECRET)
+openssl rand -base64 32
 
-# Edit .env and add your actual values:
-# - MONGODB_URI: Your MongoDB connection string (optional)
-# - NEXT_PUBLIC_GEMINI_API_KEY: Your Gemini API key from https://makersuite.google.com/app/apikey (optional)
+# Generate admin password (copy output to ADMIN_PASSWORD)
+openssl rand -base64 24
 ```
 
-4. Run the development server:
+**Optional but recommended for production:**
+
+```bash
+# Upstash Redis (required for rate limiting in production)
+# Sign up at: https://upstash.com (free tier available)
+UPSTASH_REDIS_REST_URL=https://your-redis.upstash.io
+UPSTASH_REDIS_REST_TOKEN=your-token
+
+# Gemini AI (for AI-powered features)
+NEXT_PUBLIC_GEMINI_API_KEY=your-key  # Get from https://makersuite.google.com/app/apikey
+```
+
+5. **Verify your configuration:**
+
+The app will automatically validate your environment variables on startup. If anything is missing or misconfigured, you'll see helpful error messages.
+
+6. **Run the development server:**
 
 ```bash
 npm run dev
 ```
 
-5. Open [http://localhost:3000](http://localhost:3000) in your browser
+7. **Open [http://localhost:3000](http://localhost:3000) in your browser**
+
+8. **Access admin dashboard at [http://localhost:3000/login](http://localhost:3000/login)**
+   - Use the `ADMIN_EMAIL` and `ADMIN_PASSWORD` you set in `.env`
+
+### 🔒 Security Checklist
+
+Before deploying to production, ensure:
+
+- [ ] `NEXTAUTH_SECRET` is at least 32 characters and randomly generated
+- [ ] `ADMIN_PASSWORD` is at least 16 characters and randomly generated
+- [ ] `.env` file is in `.gitignore` (it is by default)
+- [ ] No credentials are hardcoded in source code
+- [ ] Redis (Upstash) is configured for production deployments
+- [ ] `NEXTAUTH_URL` is set to your actual domain in production
+- [ ] MongoDB uses Atlas or managed instance (not localhost) in production
 
 ## 📦 Build & Deploy
 

instrumentation.ts

@@ -0,0 +1,13 @@
+/**
+ * Next.js Instrumentation Hook
+ * Runs once when the server starts (before any requests)
+ * See: https://nextjs.org/docs/app/building-your-application/optimizing/instrumentation
+ */
+
+export async function register() {
+  // Only run on server
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    const { initializeServer } = await import('./lib/config/init');
+    initializeServer();
+  }
+}

lib/auth.ts

@@ -14,17 +14,24 @@ export const authOptions: NextAuthOptions = {
         const email = credentials?.email?.toLowerCase();
         const password = credentials?.password || '';
 
-        // TEMP: hardcoded accounts (no DB)
-        const hardcoded = [
-          { email: 'admin@local', password: 'admin123', id: 'admin', name: 'Admin', isAdmin: true },
-        ];
-        const match = hardcoded.find(u => u.email === email && u.password === password);
-        if (match) return match as any;
-
-        // Optional env-based admin fallback
+        // Environment-based admin authentication
         const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
-        const adminPassword = process.env.ADMIN_PASSWORD || '';
-        if (email && password && adminEmail && adminPassword && email === adminEmail && password === adminPassword) {
+        const adminPassword = process.env.ADMIN_PASSWORD;
+
+        // Validate that admin credentials are properly configured
+        if (!adminEmail || !adminPassword) {
+          console.error('❌ ADMIN_EMAIL and ADMIN_PASSWORD must be set in environment variables');
+          return null;
+        }
+
+        // Enforce minimum password length for security
+        if (adminPassword.length < 16) {
+          console.error('❌ ADMIN_PASSWORD must be at least 16 characters long');
+          return null;
+        }
+
+        // Verify credentials
+        if (email && password && email === adminEmail && password === adminPassword) {
           return { id: 'admin', name: 'Admin', email: adminEmail, isAdmin: true } as any;
         }
 

lib/config/init.ts

@@ -0,0 +1,39 @@
+/**
+ * Server initialization
+ * Runs validation checks when the server starts
+ */
+
+import { validateEnvOrThrow, printEnvStatus } from './validateEnv';
+
+let initialized = false;
+
+/**
+ * Initialize server - runs once on startup
+ */
+export function initializeServer() {
+  // Only run once
+  if (initialized) return;
+
+  console.log('\n🚀 Initializing ToolBox Server...\n');
+
+  try {
+    // Validate environment variables
+    validateEnvOrThrow();
+
+    // Print environment status in development
+    if (process.env.NODE_ENV === 'development') {
+      printEnvStatus();
+    }
+
+    initialized = true;
+    console.log('✅ Server initialization complete\n');
+  } catch (error) {
+    console.error('\n❌ Server initialization failed:', error);
+    throw error;
+  }
+}
+
+// Auto-run on server (not in browser)
+if (typeof window === 'undefined') {
+  initializeServer();
+}