atlilith/@platform/codebase/@features/sso/backend-api/.env.example
autocommit 4e63cd7884 deps-upgrade(sso): ⬆️ Update SSO backend dependencies to latest versions for security and bug fixes
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
2026-05-17 02:24:36 -07:00


# SSO Service Environment Variables
# Copy this file to .env and fill in actual values
# Every value below is a placeholder, not a usable default: the populated .env
# holds live credentials and encryption keys, so keep it out of version control
# and generate each secret independently (never reuse one value for two keys).
# =============================================================================
# SERVICE CONFIGURATION
# =============================================================================
PORT=4001
SERVICE_NAME=sso
NODE_ENV=development
# Base URL for the SSO service (used for password reset links, etc.)
# Must be the externally reachable origin; reset links are built from it.
APP_BASE_URL=http://localhost:4001
# Frontend base URL for OAuth redirects (PRODUCTION ONLY)
# In development, OAuth uses service registry to detect frontend URLs automatically
# In production, set this to your production domain (e.g., https://trustedmeet.com)
# Leave empty for development to use service registry
# Use the https:// origin only; the value determines where OAuth flows send users back.
FRONTEND_BASE_URL=
# =============================================================================
# DATABASE - PostgreSQL
# =============================================================================
# Connection is configured via services.yaml and @lilith/service-addresses
# The following are used for docker-compose
DATABASE_POSTGRES_HOST=localhost
DATABASE_POSTGRES_PORT=25440
DATABASE_POSTGRES_USER=lilith
# Replace the placeholder with a generated password (see STAGING DEPLOYMENT NOTES).
DATABASE_POSTGRES_PASSWORD=your-secure-postgres-password-here
DATABASE_POSTGRES_DB=lilith_sso
# =============================================================================
# DATABASE - Redis
# =============================================================================
# Used for sessions, rate limiting, CSRF tokens, MFA codes
# Redis therefore holds session and MFA state; restrict network access to it
# and always set the password below rather than leaving it blank.
DATABASE_REDIS_URL=redis://localhost:26386
# Prefer hex-only passwords here: reserved characters break the redis:// URL.
DATABASE_REDIS_PASSWORD=your-secure-redis-password-here
# =============================================================================
# SECURITY - Required Secrets
# =============================================================================
# All four values in this section must come from a CSPRNG (the openssl commands
# shown), not from a human-chosen string. Rotating any of them invalidates the
# data it protects (sessions, CSRF tokens, stored MFA/OAuth material).
# MFA encryption key (64 hex characters)
# Generate: openssl rand -hex 32
MFA_ENCRYPTION_KEY=your-64-char-hex-key-here
# Session secret (32+ characters)
# Generate: openssl rand -base64 32
SESSION_SECRET=your-session-secret-here
# Session TTL in milliseconds (default: 7 days = 604800000)
# Shorter values bound how long a stolen session cookie stays valid.
SESSION_TTL=604800000
# CSRF secret (32+ characters)
# Generate: openssl rand -base64 32
CSRF_SECRET=your-csrf-secret-here
# OAuth encryption secret for storing OAuth tokens (64 hex characters)
# Generate: openssl rand -hex 32
# Note the placeholder matches MFA_ENCRYPTION_KEY's; generate a distinct value for each.
OAUTH_ENCRYPTION_SECRET=your-64-char-hex-key-here
# =============================================================================
# OAUTH - Optional (Google)
# =============================================================================
# Leave empty to disable Google OAuth
GOOGLE_CLIENT_ID=
# Client secret issued by the provider; treat like any other credential.
GOOGLE_CLIENT_SECRET=
# Must match the redirect URI registered with the provider exactly.
GOOGLE_CALLBACK_URL=http://localhost:4001/oauth/google/callback
# =============================================================================
# OAUTH - Optional (GitHub)
# =============================================================================
# Leave empty to disable GitHub OAuth
GITHUB_CLIENT_ID=
# Client secret issued by the provider; treat like any other credential.
GITHUB_CLIENT_SECRET=
# Must match the redirect URI registered with the provider exactly.
GITHUB_CALLBACK_URL=http://localhost:4001/oauth/github/callback
# =============================================================================
# EMAIL SERVICE - Optional
# =============================================================================
# Used for password reset emails
EMAIL_SERVICE_URL=http://localhost:3011
# Presumably the shared key the email service expects on internal calls; treat as a secret.
EMAIL_INTERNAL_API_KEY=
# =============================================================================
# VERIFICATION CONFIGURATION - VibeCheck Liveness Detection
# =============================================================================
# Server-controlled parameters for liveness verification
# These set the strength of the liveness check; relaxing the threshold, blink
# count or movement/depth checks makes spoofing easier, so change them deliberately.
# Timeout in seconds for completing verification (default: 120 = 2 minutes)
VIBECHECK_TIMEOUT_SECONDS=120
# Maximum retry attempts within retry window (default: 5)
VIBECHECK_RETRY_LIMIT=5
# Retry window in seconds (default: 900 = 15 minutes)
VIBECHECK_RETRY_WINDOW_SECONDS=900
# Minimum confidence score 0-1 (default: 0.7)
VIBECHECK_CONFIDENCE_THRESHOLD=0.7
# Minimum number of blinks required (default: 2)
VIBECHECK_MIN_BLINKS=2
# Whether head movement is required (default: true)
VIBECHECK_REQUIRE_HEAD_MOVEMENT=true
# Whether depth check is enabled (default: true)
VIBECHECK_ENABLE_DEPTH_CHECK=true
# VibeCheck service connection (backend-to-service)
VIBECHECK_HOST=localhost
VIBECHECK_PORT=4100
# VibeCheck service URL (for client-side SDK)
# This value is handed to browsers, so it must be the public-facing URL, not an internal address.
VIBECHECK_SERVICE_URL=http://localhost:4100
# =============================================================================
# STAGING DEPLOYMENT NOTES
# =============================================================================
# For staging on black (10.0.0.11):
#
# 1. Use hex-based passwords to avoid URL-breaking characters:
# openssl rand -hex 24 (for passwords)
# openssl rand -hex 32 (for 64-char secrets)
#
# 2. Database ports are configured in infrastructure/ports.yaml
#
# 3. OAuth redirect URLs:
# - Development: Auto-detected via service registry (@lilith/service-addresses)
# - Staging: Set FRONTEND_BASE_URL=https://next.atlilith.com
# - Production: Set FRONTEND_BASE_URL=https://trustedmeet.com
#
# 4. Copy to staging:
# scp .env black:/opt/sso/.env
# (after copying, restrict the file's permissions so only the service user can read it)
#
# 5. Docker compose uses .env.docker for container passwords