
# Authentication Feature Configuration - Example
#
# Complete example showing all available authentication options.
# Every secret in this file (the OAuth client secrets, the JWT secret, the
# LDAP bind password) is a placeholder. TOML has no variable or env-var
# interpolation, so real values must be supplied by the application at load
# time from a secret store or the environment; this file must never carry
# production secrets.
# Master switch for the authentication feature. The [oauth] and [auth.*]
# tables below are presumably only consulted while this is on.
features.auth = true

# OAuth Configuration - Example with multiple providers
#
# Every client_secret below is a placeholder. TOML performs no env-var or
# file interpolation, so the application must load the real secrets from a
# secret store or the environment at startup; never commit them here.
# Each redirect_uri must match the URI registered with the provider exactly
# (scheme, host, path), and the registration should be that narrow: a
# loosely registered redirect lets an attacker receive the authorization
# code. Nothing in this file configures `state` validation or PKCE for the
# callback, so confirm the application does both.
[oauth]
enabled = true

# Google
google.client_id = "your-google-client-id.apps.googleusercontent.com"
google.client_secret = "your-google-client-secret"
google.redirect_uri = "https://yourapp.com/auth/google/callback"

# GitHub
github.client_id = "your-github-client-id"
github.client_secret = "your-github-client-secret"
github.redirect_uri = "https://yourapp.com/auth/github/callback"

# Microsoft
microsoft.client_id = "your-microsoft-client-id"
microsoft.client_secret = "your-microsoft-client-secret"
microsoft.redirect_uri = "https://yourapp.com/auth/microsoft/callback"

# JWT Configuration - Example with all options
[auth.jwt]
# HS* algorithms are HMAC over a shared symmetric secret; RS* sign with an
# RSA private key. Nothing in this file points at a key pair, so check how
# the application would source one before switching to RS256+. Whichever
# is chosen, the verifier must accept only this algorithm: never `none`,
# never a token whose header names a different family.
algorithm = "HS256" # HS256, HS384, HS512, RS256, RS384, RS512
# Placeholder. For HS256 the key must be at least 256 bits (RFC 7518
# §3.2) of random data - generate it, do not type it - and it must reach
# the process from a secret store or the environment, not from this file.
secret = "your-super-secure-jwt-secret-key-at-least-32-characters-long"
# Pinning both iss and aud stops a token minted for another deployment
# that happens to share the secret from being accepted here.
issuer = "rustelo-app"
audience = "rustelo-users"
# Lifetimes in seconds. A short access token bounds the window after
# theft; the refresh token is the long-lived credential and should be
# stored and revocable accordingly.
expiration = 3_600 # 1 hour
refresh_token_expiration = 86_400 # 24 hours
# Clock-skew tolerance in seconds. Zero means a token issued by a host
# whose clock runs slightly ahead is rejected as not yet valid; raise to a
# few seconds only if such rejections are actually observed.
not_before_leeway = 0
expiration_leeway = 0

# Password Policy - Example with balanced security
[auth.password]
min_length = 10
# Composition rules and forced rotation are both discouraged by NIST SP
# 800-63B §5.1.1.2 in favour of length plus breach/dictionary screening;
# keep them only where a compliance regime demands them.
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special_chars = true
max_age_days = 180 # 6 months; forced rotation - see note above
# Previous password hashes a new password is checked against - presumably;
# confirm the comparison is done on hashes, not stored plaintext.
history_count = 8
# 1-5 scale; how the score is computed is defined by the application.
complexity_score = 3
# Screening against word lists and known-leaked passwords is the control
# that actually blunts credential stuffing; keep both on.
dictionary_check = true
common_password_check = true

# Account Security - Example with comprehensive settings
[auth.security]
# Per-account lockout is also a denial-of-service lever: anyone who knows
# a login name can lock its owner out with a handful of bad guesses. Lean
# on the captcha step-up below and the per-client limits in
# [auth.rate_limiting] before raising these.
max_login_attempts = 5
lockout_duration = 900 # 15 minutes, in seconds
# Whether this is an idle or an absolute limit is not visible here -
# confirm against [auth.sessions], which holds the rest of the session policy.
session_timeout = 3_600 # 1 hour, in seconds
# Also set under [auth.registration]; keep the two values equal until it is
# known which one the application reads.
require_email_verification = true
# A reset link is a bearer credential: keep this short and make sure the
# application invalidates the link once it has been used.
password_reset_timeout = 3_600 # 1 hour, in seconds
enable_captcha = true
captcha_after_attempts = 3 # step-up before the lockout above triggers
# Both collect identifiers that count as personal data under GDPR-style
# rules; document purpose and retention.
ip_tracking = true
device_fingerprinting = true

# Two-Factor Authentication - Example with all options
[auth.two_factor]
enabled = true
# One-time recovery codes; they should be stored hashed like passwords -
# presumably the application does so; confirm.
backup_codes_count = 10
totp_issuer = "Rustelo App" # label shown in the authenticator app
totp_digits = 6
totp_period = 30 # seconds per code
# Also accept the previous and the next period (a 90-second window at
# period = 30). Do not raise it: every extra period widens the guessing space.
totp_skew = 1
# SMS and e-mail OTP are the weakest options here (SIM swap, mailbox
# compromise; NIST SP 800-63B treats PSTN OTP as restricted). Keep them as
# fall-backs and steer users towards an authenticator app or a hardware key.
sms_enabled = true
email_enabled = true
app_enabled = true
# The only phishing-resistant factor in the list; enable it where the
# application supports it.
hardware_key_enabled = false

# User Registration - Example with moderation
[auth.registration]
enabled = true
# Duplicated under [auth.security]; keep the two in step.
require_email_verification = true
auto_approve = false # new accounts wait for a moderator
default_role = "user" # presumably maps onto user_permissions in [auth.rbac]
# With a non-empty allowed_domains the blocked list is presumably moot;
# which list wins when they overlap is decided by the application - confirm.
allowed_domains = ["company.com", "partner.org"]
blocked_domains = ["tempmail.org", "10minutemail.com"]
require_invitation = false
invitation_expiry = 604_800 # 7 days, in seconds
username_min_length = 3
username_max_length = 30
# Literal string so the pattern is read verbatim. Anchored and ASCII-only,
# which keeps look-alike Unicode names out of the namespace.
username_regex = '^[a-zA-Z0-9_-]+$'

# Session Management - Example with comprehensive settings
[auth.sessions]
cleanup_interval = 1_800 # 30 minutes, in seconds
max_concurrent_sessions = 5 # per user
# A 30-day "remember me" credential outlives everything else in this file;
# it should be revocable (which a database store allows) and rotated on use.
remember_me_duration = 2_592_000 # 30 days, in seconds
# "memory" loses every session on restart and cannot be shared between
# replicas; use "database" or "redis" for anything beyond one dev process.
session_storage = "database" # "memory", "database", "redis"
secure_cookie = true # never sent over plain HTTP
httponly_cookie = true # not readable from page script
# "strict" is the safest CSRF setting, but browsers omit Strict cookies on
# the cross-site top-level navigation an OAuth provider makes back to the
# redirect_uri. If the OAuth `state` or the session itself rides in this
# cookie, the callback will not see it; "lax" (which still withholds the
# cookie on cross-site POST) is the usual compromise when [oauth] is
# enabled. Confirm how the callback stores its state before changing this.
same_site = "strict" # "strict", "lax", "none"
# Presumably issues a fresh session ID on login (session-fixation
# defence); keep on.
session_regeneration = true

# Rate Limiting - Example with tiered limits
#
# Per-client limits only work if the application sees the real client
# address. Behind a reverse proxy or load balancer it must honour
# X-Forwarded-For (or the equivalent) solely from that proxy; otherwise the
# header is attacker-controlled and every limit here is trivially evaded.
[auth.rate_limiting]
login_attempts_per_minute = 10
# Low ceilings on registration and reset also throttle account enumeration
# and mailbox spam driven through those flows, not just abuse of the forms.
registration_attempts_per_hour = 5
password_reset_attempts_per_hour = 5
oauth_attempts_per_minute = 15
api_calls_per_minute = 100
# Short-term allowance above the per-minute rates - presumably; confirm the
# semantics in the limiter.
burst_limit = 20
# Growing delay on repeated failures; slows guessing without the lockout
# side effects of [auth.security].max_login_attempts.
enable_progressive_delay = true

# Role-Based Access Control - Example
[auth.rbac]
enabled = true
# Granted to every authenticated account regardless of role.
default_permissions = ["read_profile", "update_profile"]
# "*" grants everything, including permissions introduced later; keep the
# admin role small and audited (see [auth.audit].log_role_changes).
admin_permissions = ["*"]
# Whether "read_*" is a glob or a literal prefix is decided by the
# application's matcher - confirm before relying on it.
moderator_permissions = ["read_*", "update_content", "delete_content"]
# Overlaps default_permissions; a user presumably ends up with the union.
user_permissions = ["read_profile", "update_profile", "create_content"]

# Audit Logging - Example
[auth.audit]
enabled = true
# Record outcomes and identities, never the submitted password or the
# token itself: a failed-login record that carries the typed password
# (often a near-miss of the real one) turns the log into a credential
# dump. Keep [auth.development].log_auth_tokens off alongside this.
log_successful_logins = true
log_failed_logins = true
log_password_changes = true
# Privilege changes are the events an investigation needs most; keep on.
log_role_changes = true
log_permission_changes = true
# Days. One year covers most compliance baselines; shorten it if the logs
# hold personal data whose retention cannot be justified.
retention_days = 365
export_format = "json"

# Advanced Security Features - Example
#
# This is a sub-table of [auth.security]. TOML allows defining it this far
# from its parent, but the spec discourages it; keep the two adjacent when
# the file is next reorganised.
[auth.security.advanced]
enable_bruteforce_protection = true
# Off here; the list is only an example. These private ranges mean nothing
# unless the application sees the true client address - behind a proxy,
# X-Forwarded-For must be trusted from that proxy alone or the allow-list
# is spoofable.
enable_ip_whitelist = false
whitelist_ips = ["192.168.1.0/24", "10.0.0.0/8"]
# A hard country allow-list locks out travelling staff and VPN users, and
# GeoIP data is coarse; treat a mismatch as a step-up or alert signal
# rather than a block unless the user base really is that narrow.
enable_geolocation_check = true
allowed_countries = ["US", "CA", "GB"]
suspicious_activity_threshold = 10 # unit defined by the application
# Presumably lengthens lockouts for repeat offenders; confirm.
account_lockout_escalation = true
# Should use a k-anonymity range lookup (hash prefix only) so the candidate
# password never leaves the host; confirm the implementation.
password_breach_check = true
# How long a recognised device skips the second factor - this is the
# attacker's window after a device theft.
device_trust_duration = 2_592_000 # 30 days, in seconds

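# Integration Settings - Example
[auth.integrations]
# LDAP is disabled here; the remaining ldap_* keys show the expected shape.
ldap_enabled = false
# Use ldaps:// (or StartTLS, if the application supports it). A plain
# ldap:// URL sends the bind DN and password - and, if users authenticate
# by binding, their passwords too - in cleartext.
ldap_server = "ldaps://ldap.company.com"
# Prefer a read-only service account over the directory admin shown here.
ldap_bind_dn = "cn=admin,dc=company,dc=com"
# Placeholder. Inject the real bind password at load time from a secret
# store; TOML cannot read environment variables itself.
ldap_bind_password = "ldap-password"
ldap_search_base = "ou=users,dc=company,dc=com"
# {username} is substituted into an LDAP filter. The application must
# escape it per RFC 4515 (\28 \29 \2a \5c \00) before substitution, or a
# login name such as "*)(uid=*" becomes an LDAP injection. Confirm this in
# the loader before enabling LDAP.
ldap_user_filter = "(&(objectClass=person)(uid={username}))"

saml_enabled = false
saml_entity_id = "rustelo-app"
saml_sso_url = "https://sso.company.com/saml/sso"
# IdP signing certificate used to verify assertion signatures. A relative
# path presumably resolves against the process working directory; use an
# absolute path in deployments.
saml_certificate_path = "certs/saml.crt"
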
# Development and Testing - Example
#
# Every switch here weakens authentication. All are off in this example and
# must stay off outside local development; a CI check that fails when any
# of them is true in a deployed config is worth having.
[auth.development]
bypass_email_verification = false
allow_weak_passwords = false
# Presumably writes issued tokens to the application log; never enable
# where logs are shipped off-host.
log_auth_tokens = false
enable_test_users = false
mock_oauth_providers = false
