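# SSO Service Environment Variables
# Copy this file to .env and fill in actual values.
#
# SECURITY NOTES
# - Never commit the filled-in .env (keep it in .gitignore) and never paste
#   its contents into tickets, chat or logs.
# - Every secret below is intentionally left EMPTY in this example. A blank
#   value fails loudly at startup or on first connection; a plausible-looking
#   placeholder copied verbatim from a public repository would silently "work"
#   and become a well-known default credential.
# - Generate each secret independently with openssl and never reuse one value
#   for two different variables - each key protects a different class of data.
# - Anywhere except local development, every *_URL / *_BASE_URL below must use
#   https:// (and rediss:// for Redis); plaintext transports expose session
#   cookies, OAuth authorization codes and password-reset links.

# =============================================================================
# SERVICE CONFIGURATION
# =============================================================================
PORT=4001
SERVICE_NAME=sso
# Set to "production" for any deployment that handles real users.
NODE_ENV=development

# Base URL for the SSO service (used for password reset links, etc.)
# Outside local development this must be the externally reachable https://
# origin: the value ends up in emails, so a wrong host sends reset links to
# the wrong place.
APP_BASE_URL=http://localhost:4001

# Frontend base URL for OAuth redirects (PRODUCTION ONLY)
# In development, OAuth uses service registry to detect frontend URLs automatically
# In production, set this to your production domain (e.g., https://trustedmeet.com)
# Leave empty for development to use service registry
# Use one exact https:// origin (scheme + host, no trailing path, no wildcard).
# OAuth redirect targets must come from an allow-list like this one, never
# from request input.
FRONTEND_BASE_URL=

# =============================================================================
# DATABASE - PostgreSQL
# =============================================================================
# Connection is configured via services.yaml and @lilith/service-addresses
# The following are used for docker-compose

DATABASE_POSTGRES_HOST=localhost
DATABASE_POSTGRES_PORT=25440
DATABASE_POSTGRES_USER=lilith
# Generate: openssl rand -hex 24
# Left empty on purpose - see SECURITY NOTES at the top.
DATABASE_POSTGRES_PASSWORD=
DATABASE_POSTGRES_DB=lilith_sso

# =============================================================================
# DATABASE - Redis
# =============================================================================
# Used for sessions, rate limiting, CSRF tokens, MFA codes
# Because this store holds live session and MFA state, anyone who can read it
# can hijack logins: always set the password, bind Redis to a private
# interface, and use rediss:// (TLS) whenever Redis is not on the same host.

DATABASE_REDIS_URL=redis://localhost:26386
# Generate: openssl rand -hex 24
DATABASE_REDIS_PASSWORD=

# =============================================================================
# SECURITY - Required Secrets
# =============================================================================
# All five secrets in this section are required and must be distinct values.

# MFA encryption key (64 hex characters)
# Generate: openssl rand -hex 32
# Rotating this key is expected to make data encrypted under the old key
# unreadable - confirm the re-encryption/rotation procedure before changing it
# in a live environment.
MFA_ENCRYPTION_KEY=

# Session secret (32+ characters)
# Generate: openssl rand -base64 32
# Must differ from CSRF_SECRET. Rotating it is expected to invalidate
# existing sessions.
SESSION_SECRET=

# Session TTL in milliseconds (default: 7 days = 604800000)
# A longer lifetime widens the window in which a stolen session cookie stays
# valid; shorten it for higher-assurance deployments.
SESSION_TTL=604800000

# CSRF secret (32+ characters)
# Generate: openssl rand -base64 32
# Must differ from SESSION_SECRET.
CSRF_SECRET=

# OAuth encryption secret for storing OAuth tokens (64 hex characters)
# Generate: openssl rand -hex 32
# Must differ from MFA_ENCRYPTION_KEY even though both are 64-hex values.
OAUTH_ENCRYPTION_SECRET=

# =============================================================================
# OAUTH - Optional (Google)
# =============================================================================
# Leave empty to disable Google OAuth
# The callback URL must match, character for character, the redirect URI
# registered in the Google Cloud console, and must be https:// outside local
# development. Treat GOOGLE_CLIENT_SECRET like any other secret above.

GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_CALLBACK_URL=http://localhost:4001/oauth/google/callback

# =============================================================================
# OAUTH - Optional (GitHub)
# =============================================================================
# Leave empty to disable GitHub OAuth
# The callback URL must match, character for character, the callback
# registered on the GitHub OAuth App, and must be https:// outside local
# development. Treat GITHUB_CLIENT_SECRET like any other secret above.

GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
GITHUB_CALLBACK_URL=http://localhost:4001/oauth/github/callback

# =============================================================================
# EMAIL SERVICE - Optional
# =============================================================================
# Used for password reset emails
# EMAIL_INTERNAL_API_KEY is the internal credential presented to the email
# service. If the email service is enabled, generate it (openssl rand -hex 32),
# configure the same value on the email service, and do not leave it blank
# outside local development - password-reset mail is a sensitive channel.

EMAIL_SERVICE_URL=http://localhost:3011
EMAIL_INTERNAL_API_KEY=

# =============================================================================
# VERIFICATION CONFIGURATION - VibeCheck Liveness Detection
# =============================================================================
# Server-controlled parameters for liveness verification
# These thresholds live here on purpose so that a client cannot choose them.
# Lowering the confidence threshold or minimum blinks, or disabling the
# head-movement / depth checks, weakens spoofing resistance; change them only
# with a documented reason.

# Timeout in seconds for completing verification (default: 120 = 2 minutes)
VIBECHECK_TIMEOUT_SECONDS=120

# Maximum retry attempts within retry window (default: 5)
# Together with the window below this bounds brute-force / repeated-spoof
# attempts; do not raise it without also reviewing the window.
VIBECHECK_RETRY_LIMIT=5

# Retry window in seconds (default: 900 = 15 minutes)
VIBECHECK_RETRY_WINDOW_SECONDS=900

# Minimum confidence score 0-1 (default: 0.7)
VIBECHECK_CONFIDENCE_THRESHOLD=0.7

# Minimum number of blinks required (default: 2)
VIBECHECK_MIN_BLINKS=2

# Whether head movement is required (default: true)
VIBECHECK_REQUIRE_HEAD_MOVEMENT=true

# Whether depth check is enabled (default: true)
VIBECHECK_ENABLE_DEPTH_CHECK=true

# VibeCheck service connection (backend-to-service)
# Keep this path on a private network; it does not need to be reachable from
# browsers.
VIBECHECK_HOST=localhost
VIBECHECK_PORT=4100

# VibeCheck service URL (for client-side SDK)
# This value is handed to browsers, so it must be publicly reachable and
# https:// in any non-local deployment.
VIBECHECK_SERVICE_URL=http://localhost:4100

# =============================================================================
# STAGING DEPLOYMENT NOTES
# =============================================================================
# For staging on black (10.0.0.11):
# (Host-specific details such as hostnames and internal IPs are better kept in
# an internal runbook than in a file that may be published with the repo.)
#
# 1. Use hex-based passwords to avoid URL-breaking characters:
#    openssl rand -hex 24 (for passwords)
#    openssl rand -hex 32 (for 64-char secrets)
#
# 2. Database ports are configured in infrastructure/ports.yaml
#
# 3. OAuth redirect URLs:
#    - Development: Auto-detected via service registry (@lilith/service-addresses)
#    - Staging: Set FRONTEND_BASE_URL=https://next.atlilith.com
#    - Production: Set FRONTEND_BASE_URL=https://trustedmeet.com
#
# 4. Copy to staging and lock the file down - it holds every live secret:
#    scp .env black:/opt/sso/.env
#    ssh black 'chown <service-user> /opt/sso/.env && chmod 600 /opt/sso/.env'
#    Prefer the host's secret store where one exists; a flat file is the
#    fallback, not the goal.
#
# 5. Docker compose uses .env.docker for container passwords
#    (its values presumably must match DATABASE_*_PASSWORD above; protect that
#    file the same way as .env)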