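# Authentication Feature Configuration - Example
# Complete example showing all available authentication options.
#
# Every secret below (OAuth client secrets, the JWT signing secret, the LDAP
# bind password) is a placeholder. Do not commit real values: TOML has no
# environment-variable interpolation, so secrets must be supplied by whatever
# override mechanism the application loader provides (env vars, a secret
# manager) -- confirm that mechanism exists before relying on this file in
# production.

[features]
auth = true

# OAuth Configuration - Example with multiple providers
# redirect_uri must match the URI registered with each provider exactly and
# must stay https; a mismatch is rejected by the provider, a loose match
# invites open-redirect style abuse.
[oauth]
enabled = true

[oauth.google]
client_id = "your-google-client-id.apps.googleusercontent.com"
client_secret = "your-google-client-secret"
redirect_uri = "https://yourapp.com/auth/google/callback"

[oauth.github]
client_id = "your-github-client-id"
client_secret = "your-github-client-secret"
redirect_uri = "https://yourapp.com/auth/github/callback"

[oauth.microsoft]
client_id = "your-microsoft-client-id"
client_secret = "your-microsoft-client-secret"
redirect_uri = "https://yourapp.com/auth/microsoft/callback"

# JWT Configuration - Example with all options
[auth.jwt]
# HS* algorithms use this shared secret; it should be at least 32 random bytes
# (256 bits) and never a human-chosen phrase. The RS* options need a key pair,
# which this file does not show how to configure -- check the application docs.
secret = "your-super-secure-jwt-secret-key-at-least-32-characters-long"
expiration = 3600                # 1 hour in seconds
refresh_token_expiration = 86400 # 24 hours in seconds
# Pin the algorithm here; the verifier should never take it from the token header.
algorithm = "HS256" # HS256, HS384, HS512, RS256, RS384, RS512
issuer = "rustelo-app"
audience = "rustelo-users"
not_before_leeway = 0  # seconds
expiration_leeway = 0  # seconds

# Password Policy - Example with balanced security
[auth.password]
min_length = 10
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special_chars = true
max_age_days = 180 # 6 months
history_count = 8
complexity_score = 3 # 1-5 scale
dictionary_check = true
common_password_check = true

# Account Security - Example with comprehensive settings
[auth.security]
# captcha_after_attempts (3) is below max_login_attempts (5), so a CAPTCHA is
# demanded before the account locks.
max_login_attempts = 5
lockout_duration = 900 # 15 minutes in seconds
session_timeout = 3600 # 1 hour in seconds
require_email_verification = true
password_reset_timeout = 3600 # 1 hour in seconds
enable_captcha = true
captcha_after_attempts = 3
ip_tracking = true
device_fingerprinting = true

# Advanced Security Features - Example
# Kept directly under its parent [auth.security] so the table hierarchy reads
# top-down (TOML discourages out-of-order table definitions).
[auth.security.advanced]
enable_bruteforce_protection = true
# whitelist_ips is inert while enable_ip_whitelist is false; the example
# entries are private ranges, replace them before enabling.
enable_ip_whitelist = false
whitelist_ips = ["192.168.1.0/24", "10.0.0.0/8"]
# Country allow-listing depends on the accuracy of the GeoIP source and will
# reject legitimate users on VPNs or travelling -- review before enabling.
enable_geolocation_check = true
allowed_countries = ["US", "CA", "GB"]
suspicious_activity_threshold = 10
account_lockout_escalation = true
password_breach_check = true
device_trust_duration = 2_592_000 # 30 days

# Two-Factor Authentication - Example with all options
[auth.two_factor]
enabled = true
backup_codes_count = 10
totp_issuer = "Rustelo App"
totp_digits = 6
totp_period = 30
totp_skew = 1 # Allow 1 period before/after
# SMS is the weakest second factor offered here (SIM swap, SS7 interception);
# keep it as a fallback rather than the primary method where possible.
sms_enabled = true
email_enabled = true
app_enabled = true
hardware_key_enabled = false

# User Registration - Example with moderation
[auth.registration]
enabled = true
require_email_verification = true
auto_approve = false
default_role = "user"
# Domain restrictions are only meaningful together with email verification,
# which is enabled above.
allowed_domains = ["company.com", "partner.org"]
blocked_domains = ["tempmail.org", "10minutemail.com"]
require_invitation = false
invitation_expiry = 604_800 # 7 days
username_min_length = 3
username_max_length = 30
# Literal string: no escaping applies inside the regex.
username_regex = '^[a-zA-Z0-9_-]+$'

# Session Management - Example with comprehensive settings
[auth.sessions]
cleanup_interval = 1800 # 30 minutes in seconds
max_concurrent_sessions = 5
remember_me_duration = 2_592_000 # 30 days in seconds
session_storage = "database" # "memory", "database", "redis"
secure_cookie = true
httponly_cookie = true
# "strict" means the session cookie is not sent on the top-level redirect back
# from an OAuth provider; if the OAuth callbacks above rely on the session
# cookie, "lax" may be required -- verify with the callback handler.
same_site = "strict" # "strict", "lax", "none"
# Regenerating the session id on login mitigates session fixation.
session_regeneration = true

# Rate Limiting - Example with tiered limits
[auth.rate_limiting]
login_attempts_per_minute = 10
registration_attempts_per_hour = 5
password_reset_attempts_per_hour = 5
oauth_attempts_per_minute = 15
api_calls_per_minute = 100
burst_limit = 20
enable_progressive_delay = true

# Role-Based Access Control - Example
[auth.rbac]
enabled = true
default_permissions = ["read_profile", "update_profile"]
admin_permissions = ["*"]
moderator_permissions = ["read_*", "update_content", "delete_content"]
user_permissions = ["read_profile", "update_profile", "create_content"]

# Audit Logging - Example
[auth.audit]
enabled = true
log_successful_logins = true
log_failed_logins = true
log_password_changes = true
log_role_changes = true
log_permission_changes = true
retention_days = 365
export_format = "json"

# Integration Settings - Example
[auth.integrations]
ldap_enabled = false
# Plain ldap:// sends the bind password in clear text; prefer ldaps:// (or
# StartTLS) if the LDAP client supports it.
ldap_server = "ldap://ldap.company.com"
ldap_bind_dn = "cn=admin,dc=company,dc=com"
ldap_bind_password = "ldap-password"
ldap_search_base = "ou=users,dc=company,dc=com"
# {username} is substituted into an LDAP filter; the application must escape
# it per RFC 4515 or the filter is injectable -- confirm in the LDAP code.
ldap_user_filter = '(&(objectClass=person)(uid={username}))'
saml_enabled = false
saml_entity_id = "rustelo-app"
saml_sso_url = "https://sso.company.com/saml/sso"
saml_certificate_path = "certs/saml.crt"

# Development and Testing - Example
# Every flag here weakens authentication; all must remain false in production.
[auth.development]
bypass_email_verification = false
allow_weak_passwords = false
log_auth_tokens = false
enable_test_users = false
mock_oauth_providers = false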