155 lines
4.3 KiB
YAML
155 lines
4.3 KiB
YAML
imports:
|
|
- time
|
|
|
|
docs:
|
|
title: Authentication
|
|
|
|
props:
|
|
- name: logEnabled
|
|
type: bool
|
|
description: |-
|
|
Enable extra logging for authentication flows
|
|
|
|
- name: secret
|
|
env: AUTH_JWT_SECRET
|
|
default: getSecretFromEnv("jwt secret")
|
|
description: |-
|
|
Secret used for signing JWT tokens.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables.
|
|
Generated secret will change if you change any of these variables.
|
|
====
|
|
|
|
- name: expiry
|
|
type: time.Duration
|
|
env: AUTH_JWT_EXPIRY
|
|
default: time.Hour * 24 * 30
|
|
description: Experation time for the auth JWT tokens.
|
|
|
|
- name: externalRedirectURL
|
|
default: fullURL("/auth/external/{provider}/callback")
|
|
description: |-
|
|
Redirect URL to be sent with OAuth2 authentication request to provider
|
|
|
|
`{provider}` placeholder is replaced with the actual value when used.
|
|
|
|
- name: externalCookieSecret
|
|
default: getSecretFromEnv("external cookie secret")
|
|
description: |-
|
|
Secret used for securing cookies
|
|
|
|
[IMPORTANT]
|
|
====
|
|
If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables.
|
|
Generated secret will change if you change any of these variables.
|
|
====
|
|
|
|
- name: baseURL
|
|
default: fullURL("/auth")
|
|
description: |-
|
|
Frontend base URL. Must be an absolute URL, with the domain.
|
|
This is used for some redirects and links in auth emails.
|
|
|
|
- name: sessionCookieName
|
|
default: "session"
|
|
description: |-
|
|
Session cookie name
|
|
|
|
- name: sessionCookiePath
|
|
default: pathPrefix("/auth")
|
|
description: |-
|
|
Session cookie path
|
|
|
|
- name: sessionCookieDomain
|
|
default: guessHostname()
|
|
description: |-
|
|
Session cookie domain
|
|
|
|
- name: sessionCookieSecure
|
|
type: bool
|
|
default: isSecure()
|
|
description: |-
|
|
Defaults to true when HTTPS is used. Corteza will try to guess the this setting by
|
|
|
|
- name: sessionLifetime
|
|
type: time.Duration
|
|
default: 24 * time.Hour
|
|
description: |-
|
|
How long do we keep the temporary session
|
|
|
|
- name: sessionPermLifetime
|
|
type: time.Duration
|
|
default: 360 * 24 * time.Hour
|
|
description: |-
|
|
How long do we keep the permanent session
|
|
|
|
- name: garbageCollectorInterval
|
|
type: time.Duration
|
|
default: 15 * time.Minute
|
|
description: |-
|
|
How often are expired sessions and tokens purged from the database
|
|
|
|
- name: requestRateLimit
|
|
type: int
|
|
default: 30
|
|
description: |-
|
|
How many requests from a cerain IP address are allowed in a time window.
|
|
Set to zero to disable
|
|
|
|
- name: requestRateWindowLength
|
|
type: time.Duration
|
|
default: time.Minute
|
|
description: |-
|
|
How many requests from a cerain IP address are allowed in a time window
|
|
|
|
- name: csrfSecret
|
|
default: getSecretFromEnv("csrf secret")
|
|
description: |-
|
|
Secret used for securing CSRF protection
|
|
|
|
[IMPORTANT]
|
|
====
|
|
If secret is not set, system auto-generates one from DB_DSN and HOSTNAME environment variables.
|
|
Generated secret will change if you change any of these variables.
|
|
====
|
|
|
|
- name: csrfFieldName
|
|
default: "same-site-authenticity-token"
|
|
description: |-
|
|
Form field name used for CSRF protection
|
|
|
|
|
|
- name: csrfCookieName
|
|
default: "same-site-authenticity-token"
|
|
description: |-
|
|
Cookie name used for CSRF protection
|
|
|
|
- name: defaultClient
|
|
default: "corteza-webapp"
|
|
description: |
|
|
Handle for OAuth2 client used for automatic redirect from /auth/oauth2/go endpoint.
|
|
|
|
This simplifies configuration for OAuth2 flow for Corteza Web applications as it removes
|
|
the need to suply redirection URL and client ID (oauth2/go endpoint does that internally)
|
|
|
|
- name: assetsPath
|
|
default: ""
|
|
description: |-
|
|
Path to js, css, images and template source files
|
|
|
|
When corteza starts, if path exists it tries to load template files from it.
|
|
If not it uses statically embedded files.
|
|
|
|
When empty path is set (default value), embedded files are used.
|
|
|
|
|
|
- name: developmentMode
|
|
type: bool
|
|
description: |-
|
|
When enabled, corteza reloads template before every execution.
|
|
Enable this for debugging or when developing auth templates.
|
|
|
|
Should be disabled in production where templates do not change between server restarts.
|