# Authentication feature configuration - complete example.
# Every option is shown with a sample value. The secrets and identifiers
# below are placeholders for illustration only and must be replaced before
# this file is used anywhere other than a local sandbox.

[features]
# Master switch for the authentication subsystem. The [auth.*] and [oauth]
# tables presumably have no effect while this is false - confirm with the loader.
auth = true
# OAuth configuration - three providers enabled at once.
# NOTE(review): each client_secret below is a literal string in a checked-in
# file. TOML has no environment-variable substitution, so the loader has to
# overwrite these from an env var or secret store; never commit a real secret.
# Each redirect_uri must match the URI registered with the provider exactly
# (scheme, host, path) - that provider-side registration is the allowlist that
# keeps the authorization code from being sent to an attacker's URL, so keep
# it https and exact.
[oauth]
enabled = true

[oauth.google]
redirect_uri = "https://yourapp.com/auth/google/callback"
client_id = "your-google-client-id.apps.googleusercontent.com"
client_secret = "your-google-client-secret"   # placeholder - inject at deploy time

[oauth.github]
redirect_uri = "https://yourapp.com/auth/github/callback"
client_id = "your-github-client-id"
client_secret = "your-github-client-secret"   # placeholder - inject at deploy time

[oauth.microsoft]
redirect_uri = "https://yourapp.com/auth/microsoft/callback"
client_id = "your-microsoft-client-id"
client_secret = "your-microsoft-client-secret"   # placeholder - inject at deploy time
# JWT configuration - all options shown.
[auth.jwt]
# The HS* algorithms sign with this shared secret, so it must be random and at
# least 32 bytes (256 bits) for HS256. The string below is a placeholder, not a
# key: generate one (e.g. `openssl rand -base64 48`) and load it from the
# environment or a secret store instead of committing it here.
secret = "your-super-secure-jwt-secret-key-at-least-32-characters-long"
# Accepted values: HS256, HS384, HS512, RS256, RS384, RS512. The RS* variants
# need a key pair, and this section has no setting for one - confirm with the
# loader before choosing them. Whatever is chosen, the verifier must accept only
# this algorithm (rejecting "none", or an HS-signed token when RS is configured)
# to rule out algorithm-confusion attacks; check that the implementation pins it.
algorithm = "HS256"
issuer = "rustelo-app"
audience = "rustelo-users"
# Token lifetimes, in seconds.
expiration = 3_600                  # access token: 1 hour
refresh_token_expiration = 86_400   # refresh token: 24 hours
# Clock-skew tolerance for the nbf/exp claims, in seconds. Zero means none;
# if issuer and verifier clocks drift, raise only by tens of seconds.
not_before_leeway = 0
expiration_leeway = 0
# Password policy - a balanced example.
[auth.password]
min_length = 10
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special_chars = true
complexity_score = 3   # 1-5 scale
# Rejecting dictionary words and known-common passwords does more against
# credential stuffing than the composition rules above.
dictionary_check = true
common_password_check = true
# Rotation and reuse. NIST SP 800-63B advises against forced periodic changes
# unless compromise is suspected; keep max_age_days only where a compliance
# regime requires it.
max_age_days = 180     # 6 months
history_count = 8
# Account security - comprehensive example.
[auth.security]
# Lock the account after this many failures, for lockout_duration seconds.
# A fixed lockout lets anyone who knows a username lock its owner out; the
# captcha step-up below and the progressive delay in [auth.rate_limiting]
# are the less abusable controls, so keep them on alongside it.
max_login_attempts = 5
lockout_duration = 900            # 15 minutes
# Challenge with a captcha before the lockout threshold is reached.
enable_captcha = true
captcha_after_attempts = 3
session_timeout = 3_600           # 1 hour
password_reset_timeout = 3_600    # reset links expire after 1 hour
require_email_verification = true
# Per-client signals. These are only as reliable as the client address the
# app sees - behind a reverse proxy, X-Forwarded-For must be trusted from the
# proxy alone; verify that in the deployment.
ip_tracking = true
device_fingerprinting = true
# Two-factor authentication - every factor shown.
[auth.two_factor]
enabled = true
# TOTP parameters (RFC 6238 defaults: 6 digits, 30-second step).
totp_issuer = "Rustelo App"
totp_digits = 6
totp_period = 30
totp_skew = 1   # accept one period either side of now
backup_codes_count = 10
# Factor availability. SMS and email deliver the code over channels that are
# phishable and exposed to SIM-swap or mailbox compromise, so they are weaker
# than an authenticator app or a hardware key; consider turning SMS off where
# users can use the app. Leaving hardware_key_enabled = false keeps the
# strongest, phishing-resistant factor unavailable.
app_enabled = true
sms_enabled = true
email_enabled = true
hardware_key_enabled = false
# User registration - moderated sign-up.
[auth.registration]
enabled = true
auto_approve = false   # new accounts wait for approval
require_email_verification = true
require_invitation = false
invitation_expiry = 604_800   # 7 days
default_role = "user"
# Email-domain gates. With a non-empty allowed_domains the blocklist would
# already be redundant (tempmail.org is not on the allowlist); which of the two
# takes precedence is decided by the loader - confirm before relying on either.
allowed_domains = ["company.com", "partner.org"]
blocked_domains = ["tempmail.org", "10minutemail.com"]
# Username constraints. The pattern is anchored and limited to ASCII
# alphanumerics, '_' and '-'. Keep it that tight: a username may later be
# substituted into the {username} placeholder of the LDAP filter in
# [auth.integrations], assuming the same input path - confirm.
username_min_length = 3
username_max_length = 30
username_regex = '^[a-zA-Z0-9_-]+$'
# Session management - comprehensive example.
[auth.sessions]
# "memory" is lost on restart and cannot be shared between instances; use
# "database" or "redis" for anything beyond a single development process.
session_storage = "database"       # "memory", "database", "redis"
max_concurrent_sessions = 5
cleanup_interval = 1_800           # 30 minutes
remember_me_duration = 2_592_000   # 30 days - far longer than session_timeout in [auth.security]
# Cookie flags. Keep secure and httponly on. "strict" is the safest CSRF
# setting, but the browser withholds the cookie on the top-level redirect back
# from an OAuth/SAML provider; if the callback handler needs the session (e.g.
# to check the OAuth state value) "lax" is the usual compromise - test the
# login flow end to end before deploying with "strict".
secure_cookie = true
httponly_cookie = true
same_site = "strict"               # "strict", "lax", "none"
# Presumably issues a fresh session id after login (fixation defence) - confirm.
session_regeneration = true
# Rate limiting - tiered limits.
[auth.rate_limiting]
# 10 per minute is above the max_login_attempts = 5 lockout in [auth.security],
# so for a single account the lockout normally fires first; this limit
# presumably applies per source and bounds spraying across many accounts.
login_attempts_per_minute = 10
oauth_attempts_per_minute = 15
registration_attempts_per_hour = 5
password_reset_attempts_per_hour = 5
api_calls_per_minute = 100
burst_limit = 20
enable_progressive_delay = true   # grow the delay on repeated failures
# Role-based access control.
[auth.rbac]
enabled = true
# Permission sets per role. "*" and "read_*" look like glob wildcards - confirm
# the matcher's semantics, because "read_*" will also cover any permission
# added later whose name starts with read_.
default_permissions = ["read_profile", "update_profile"]
user_permissions = ["read_profile", "update_profile", "create_content"]
moderator_permissions = ["read_*", "update_content", "delete_content"]
admin_permissions = ["*"]
# Audit logging.
[auth.audit]
enabled = true
# Event classes to record. Failed logins are the signal for credential
# stuffing; role and permission changes are what an incident review needs.
log_successful_logins = true
log_failed_logins = true
log_password_changes = true
log_role_changes = true
log_permission_changes = true
retention_days = 365
export_format = "json"
# Advanced security features.
[auth.security.advanced]
enable_bruteforce_protection = true
account_lockout_escalation = true
suspicious_activity_threshold = 10
password_breach_check = true       # breached-password corpus; its source is not configured here
device_trust_duration = 2_592_000  # 30 days
# Network-origin controls. Both depend on the client IP the app sees; behind a
# reverse proxy that is only trustworthy when X-Forwarded-For is taken from the
# proxy alone. The allowlist is off here; the listed ranges are RFC 1918
# private space, so enabling it would admit internal clients only. The
# country gate is on, so users outside US/CA/GB - VPN users included - are
# presumably rejected.
enable_ip_whitelist = false
whitelist_ips = ["192.168.1.0/24", "10.0.0.0/8"]
enable_geolocation_check = true
allowed_countries = ["US", "CA", "GB"]
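# Integration settings - LDAP and SAML, both disabled in this example.
[auth.integrations]
ldap_enabled = false
# Use LDAPS (or confirm the client negotiates StartTLS before binding): a
# simple bind over plain ldap:// sends the bind password, and every user
# password checked through the directory, in cleartext.
ldap_server = "ldaps://ldap.company.com"
# Bind with a least-privilege, read-only service account rather than the
# directory admin shown in this placeholder DN.
ldap_bind_dn = "cn=admin,dc=company,dc=com"
# Placeholder. The real bind password belongs in an env var or secret store;
# TOML has no substitution, so the loader must override this value.
ldap_bind_password = "ldap-password"
ldap_search_base = "ou=users,dc=company,dc=com"
# {username} is substituted into this filter. The value must be escaped per
# RFC 4515 (* ( ) \ and NUL -> \2a \28 \29 \5c \00) before substitution, or a
# crafted username rewrites the filter - verify the implementation escapes it.
ldap_user_filter = '(&(objectClass=person)(uid={username}))'
saml_enabled = false
saml_entity_id = "rustelo-app"
saml_sso_url = "https://sso.company.com/saml/sso"
# IdP signing certificate used to verify assertions; presumably resolved
# relative to the working directory - confirm. Pin it to the IdP's current cert.
saml_certificate_path = "certs/saml.crt"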
# Development and testing switches. Every one of these weakens or bypasses a
# control configured above, so all must remain false outside a local dev
# environment. log_auth_tokens in particular writes live credentials into the
# log stream.
[auth.development]
bypass_email_verification = false
allow_weak_passwords = false
enable_test_users = false
mock_oauth_providers = false
log_auth_tokens = false