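# Authentication Feature Configuration - Production Environment
# Settings optimized for production security and performance
#
# Values written as "${NAME}" are plain strings to TOML (the format has no
# interpolation); the consuming application must substitute them from the
# environment before use. If substitution is skipped, the literal placeholder
# text becomes the credential, so the loader should reject any value that
# still starts with "${".

[features]
auth = true

# OAuth Configuration - Production
[oauth]
enabled = true

[oauth.google]
client_id = "${GOOGLE_CLIENT_ID}"
client_secret = "${GOOGLE_CLIENT_SECRET}"
# Must exactly match a redirect URI registered with the provider.
redirect_uri = "${BASE_URL}/auth/google/callback"

[oauth.github]
client_id = "${GITHUB_CLIENT_ID}"
client_secret = "${GITHUB_CLIENT_SECRET}"
# Must exactly match a redirect URI registered with the provider.
redirect_uri = "${BASE_URL}/auth/github/callback"

# JWT Configuration - Production
[auth.jwt]
# HS256 is symmetric: anyone holding this secret can mint valid tokens.
# Use a random value of at least 256 bits (32 bytes); rotating it invalidates
# every token signed with the old value.
secret = "${JWT_SECRET}"
# 3600 s is longer than auth.security.session_timeout (1800 s); confirm which
# limit is meant to end a session first.
expiration = 3600  # 1 hour in seconds
refresh_token_expiration = 86400  # 24 hours in seconds
algorithm = "HS256"
issuer = "rustelo-app"
audience = "rustelo-users"

# Password Policy - Strict for production
[auth.password]
min_length = 12
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special_chars = true
max_age_days = 90
# Number of previous passwords a user may not reuse.
history_count = 12

# Account Security - Strict for production
[auth.security]
max_login_attempts = 3
lockout_duration = 1800  # 30 minutes in seconds
session_timeout = 1800  # 30 minutes in seconds
# Also set in [auth.registration]; keep the two values in agreement.
require_email_verification = true
password_reset_timeout = 1800  # 30 minutes in seconds

# Additional Production Security
# Kept directly after its parent [auth.security]: TOML discourages defining
# sub-tables out of order.
[auth.security.advanced]
enable_bruteforce_protection = true
enable_ip_whitelist = false
# Presumably only consulted when enable_ip_whitelist = true - verify in the loader.
whitelist_ips = []
enable_geolocation_check = false
suspicious_activity_threshold = 5
account_lockout_escalation = true

# Two-Factor Authentication - Enabled for production
[auth.two_factor]
enabled = true
backup_codes_count = 10
totp_issuer = "Rustelo App"
totp_digits = 6
totp_period = 30  # seconds

# User Registration - Controlled for production
[auth.registration]
enabled = true
# Also set in [auth.security]; keep the two values in agreement.
require_email_verification = true
auto_approve = false
default_role = "user"
allowed_domains = []  # Configure specific domains if needed

# Session Management - Secure for production
[auth.sessions]
cleanup_interval = 1800  # 30 minutes in seconds
max_concurrent_sessions = 3
remember_me_duration = 604800  # 7 days in seconds

# Rate Limiting - Strict for production
[auth.rate_limiting]
login_attempts_per_minute = 5
registration_attempts_per_hour = 3
password_reset_attempts_per_hour = 3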