Rustelo/config/features/auth/prod.toml

# Authentication Feature Configuration - Production Environment
# Settings optimized for production security and performance

[features]
auth = true

# OAuth Configuration - Production
[oauth]
enabled = true

[oauth.google]
client_id = "${GOOGLE_CLIENT_ID}"
client_secret = "${GOOGLE_CLIENT_SECRET}"
redirect_uri = "${BASE_URL}/auth/google/callback"

[oauth.github]
client_id = "${GITHUB_CLIENT_ID}"
client_secret = "${GITHUB_CLIENT_SECRET}"
redirect_uri = "${BASE_URL}/auth/github/callback"

# JWT Configuration - Production
[auth.jwt]
secret = "${JWT_SECRET}"
expiration = 3600  # 1 hour in seconds
refresh_token_expiration = 86400  # 24 hours in seconds
algorithm = "HS256"
issuer = "rustelo-app"
audience = "rustelo-users"

# Password Policy - Strict for production
[auth.password]
min_length = 12
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special_chars = true
max_age_days = 90
history_count = 12

# Account Security - Strict for production
[auth.security]
max_login_attempts = 3
lockout_duration = 1800  # 30 minutes in seconds
session_timeout = 1800  # 30 minutes in seconds
require_email_verification = true
password_reset_timeout = 1800  # 30 minutes in seconds

# Two-Factor Authentication - Enabled for production
[auth.two_factor]
enabled = true
backup_codes_count = 10
totp_issuer = "Rustelo App"
totp_digits = 6
totp_period = 30

# User Registration - Controlled for production
[auth.registration]
enabled = true
require_email_verification = true
auto_approve = false
default_role = "user"
allowed_domains = []  # Configure specific domains if needed

# Session Management - Secure for production
[auth.sessions]
cleanup_interval = 1800  # 30 minutes in seconds
max_concurrent_sessions = 3
remember_me_duration = 604800  # 7 days in seconds

# Rate Limiting - Strict for production
[auth.rate_limiting]
login_attempts_per_minute = 5
registration_attempts_per_hour = 3
password_reset_attempts_per_hour = 3

# Additional Production Security
[auth.security.advanced]
enable_bruteforce_protection = true
enable_ip_whitelist = false
whitelist_ips = []
enable_geolocation_check = false
suspicious_activity_threshold = 5
account_lockout_escalation = true
chore: add config path 2025-07-07 23:13:01 +01:00			`# Authentication Feature Configuration - Production Environment`
			`# Settings optimized for production security and performance`

			`[features]`
			`auth = true`

			`# OAuth Configuration - Production`
			`[oauth]`
			`enabled = true`

			`[oauth.google]`
			`client_id = "${GOOGLE_CLIENT_ID}"`
			`client_secret = "${GOOGLE_CLIENT_SECRET}"`
			`redirect_uri = "${BASE_URL}/auth/google/callback"`

			`[oauth.github]`
			`client_id = "${GITHUB_CLIENT_ID}"`
			`client_secret = "${GITHUB_CLIENT_SECRET}"`
			`redirect_uri = "${BASE_URL}/auth/github/callback"`

			`# JWT Configuration - Production`
			`[auth.jwt]`
			`secret = "${JWT_SECRET}"`
			`expiration = 3600 # 1 hour in seconds`
			`refresh_token_expiration = 86400 # 24 hours in seconds`
			`algorithm = "HS256"`
			`issuer = "rustelo-app"`
			`audience = "rustelo-users"`

			`# Password Policy - Strict for production`
			`[auth.password]`
			`min_length = 12`
			`require_uppercase = true`
			`require_lowercase = true`
			`require_numbers = true`
			`require_special_chars = true`
			`max_age_days = 90`
			`history_count = 12`

			`# Account Security - Strict for production`
			`[auth.security]`
			`max_login_attempts = 3`
			`lockout_duration = 1800 # 30 minutes in seconds`
			`session_timeout = 1800 # 30 minutes in seconds`
			`require_email_verification = true`
			`password_reset_timeout = 1800 # 30 minutes in seconds`

			`# Two-Factor Authentication - Enabled for production`
			`[auth.two_factor]`
			`enabled = true`
			`backup_codes_count = 10`
			`totp_issuer = "Rustelo App"`
			`totp_digits = 6`
			`totp_period = 30`

			`# User Registration - Controlled for production`
			`[auth.registration]`
			`enabled = true`
			`require_email_verification = true`
			`auto_approve = false`
			`default_role = "user"`
			`allowed_domains = [] # Configure specific domains if needed`

			`# Session Management - Secure for production`
			`[auth.sessions]`
			`cleanup_interval = 1800 # 30 minutes in seconds`
			`max_concurrent_sessions = 3`
			`remember_me_duration = 604800 # 7 days in seconds`

			`# Rate Limiting - Strict for production`
			`[auth.rate_limiting]`
			`login_attempts_per_minute = 5`
			`registration_attempts_per_hour = 3`
			`password_reset_attempts_per_hour = 3`

			`# Additional Production Security`
			`[auth.security.advanced]`
			`enable_bruteforce_protection = true`
			`enable_ip_whitelist = false`
			`whitelist_ips = []`
			`enable_geolocation_check = false`
			`suspicious_activity_threshold = 5`
			`account_lockout_escalation = true`