-
Notifications
You must be signed in to change notification settings - Fork 1
/
simpleauth.default.yml
147 lines (137 loc) · 8.28 KB
/
simpleauth.default.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
production: true # Production-level optimization
verbose: false # Enable debug-level logging
staticfromdisk: false # Before looking at internal storage for static content, check disk (primarily for debugging)
include: [] # Other files that should be loaded as config
# Metadata is fed into the `tmpl` and emails to be rendered
metadata:
company: "Simple Auth" # Used in emails, site title, etc
tagline: null # Displays under the title
footer: "" # Foot text
bucket: {} # Not used by default. Can be used to customize
web:
host: "0.0.0.0:9002" # The host and port the server (API & Web) listens on
baseurl: null # Specifies the full URL the server will be at. If null, inferred from host
prometheus: false # If true, will enable /metrics endpoint (Must be compiled with prometheus support)
swagger: false # If true, enables the swagger UI and docs endpoint at /swagger (Must be compiled with swagger support)
tls:
enabled: false
certfile: null # Certificate file, if enabled (and not auto)
keyfile: null # Key file, if enabled (and not auto)
# AutoTLS (and cache) are used to leverage LetsEncrypt to acquire certificate
# Needs to be internet-facing to work
auto: true # If false, will use certfile and keyfile instead of letsencrypt
autohosts: [] # Optional list of hosts that we're allowed to issue a cert for
cache: ./tlscache # Path to cache certificates in. Will be created if doesn't exist
# Login section for setting different ways a user is allowed to login
login:
settings:
routeonlogin: null # Where to route to post-login (either login or create)
allowedcontinueurls: [] # Url regex's, in addition to local pages, allowed post-login via ?continue query param
throttleduration: 1s # How often a user can make requests to a throttled API (disrupts brute-force attacks)
cookie:
jwt:
# Key for jwt-signing
signingmethod: "hs256" # HS256, HS512, RS256, RS512
signingkey: "" # IMPORTANT: The key that will sign use credentials. this MUST be kept secret, otherwise anyone can login to your site or hack your users. If RSA key, should be PEM
issuer: "simple-auth" # Who shows up as the issuer of the token
expiresminutes: 30 # Max time (and default time) until token expiration
name: "auth" # The name of the cookie that the session will be stored in
path: / # The path the session will be stored at (mainly useful if simple-auth is at a sub-path of root)
domain: null # Override the domain of the cookie
secureonly: false # If the cookie will only be passed on https
httponly: true # If the cookie can't be accessed from javascript
onetime:
enabled: true # Allow single-use token for login (important for forgot-password email)
allowforgotpassword: false # If allowed to issue forgot-password email. Required email config
tokenduration: 1h
# Gateway allows simple-auth to act as a reverse-proxy. If the user is logged-in, they will be allowed to pass-through the proxy
# to the remote application. Intentionally left simple, only can pass to one server. If you have more than one backend server
# to pass to, I recommend looking at nginx and the vouch endpoint
gateway:
enabled: false
basicauth: false # If true, will allow basic auth for local auth to pass-through the gateway
logoutpath: "/logout" # Special path that will act as "logout" (clear session). Shouldn't conflict with any downstream URLs
targets: [] # One or more downstream servers that SA will proxy to
host: null # Override the host header
rewrite: null # Rewrite URLs upon proxying eg "/old"->"/new" or "/api/*"->"/$1"
headers: null # Write additional headers (excluding host header)
nocache: true # If true, will attempt to disable caching to gateway target
# Enable or disable recaptchav2
recaptchav2:
enabled: false
sitekey: null # site key from google
secret: null # Secret key from google
theme: 'light' # light or dark
# Email config; sends welcome, forgot password, etc
email:
engine: noop # Email engines: smtp,noop,stdout
from: null # Who the email is "from"
smtp: # If engine is "smtp", the config
host: ''
identity: null
username: null
password: null
providers:
settings:
createaccountenabled: true # If allowed to create account (under any method)
local:
emailvalidationrequired: false # If email validation is required before login
requirements:
usernameregex: '^[a-z][a-z0-9.]+$' # Valid characters for username. Make sure not to include '@', or might compete with email addresses
passwordminlength: 3
passwordmaxlength: 30
usernameminlength: 5
usernamemaxlength: 20
twofactor: # Two-factor auth 2FA / TOTP (Only impacts local-auth users, not oidc)
enabled: false # TOTP two-factor (google authenticator, and others)
keylength: 12
drift: 2 # How many tokens around the "current" token to check (Accounts for user-entry-delay)
issuer: "simple-auth" # Who the token shows up as issued-by in the 2fa app
oidc: []
# - id: google
# name: Google
# icon: google
# clientid: id-from-google
# clientsecret: super-secret-from-google
# authurl: auth-endpoint
# tokenurl: token-endpoint
# Different ways a remote service can check a user is authenticated
authenticators:
simple: # An endpoint that allows checking a username/password/totp. See docs for more details
enabled: false
sharedsecret: null
vouch: # An endpoint intended to use for nginx auth_request
enabled: false
userheader: "" # If non-empty, will set the user's ID in the header with the given name
oauth2:
webgrant: true # Whether to allow web-grant (UI) or not
settings:
codeexpiresseconds: 60 # How soon a code will expire
tokenexpiresseconds: 21600 # 6 hours
codelength: 6 # Length of "code" in the authorization_code grant
allowautogrant: true # if true, will auto grant a new request if it matches a previous and authenticated request
reusetoken: true # if true, will reuse an existing token instead of creating a new one when possible
allowcredentials: false # If the `password` grant_type is supported
issuer: "simple-auth" # Name of the OAuth2 token issuer (Using in token and JWT)
issuerefreshtoken: false # Whether or not to issue a refresh token
revokeoldtokens: true # When issuing a new token, revoke all previously issued tokens of a lessor type
clients: {}
#client-id:
# secret: client-secret
# name: Client Name
# author: Author name
# authorurl: http://example.com # Link to client website
# redirecturi: http://example.com/auth-callback
# scopes: [] # List of valid (grantable) scopes
# NOTE: Allow `settings` are allowed here as overrides to common settings
# All of the API endpoints that the UI uses are also available for API calls
# if this is enabled
api:
external: false # If true, will allow access to the API via external (non-ui) requests
sharedsecret: "" # A shared-key secret that allows making API calls via the Authorization header (see docs for more detail)
throttleduration: 1s # Throttle on public-facing APIs (even if non-external)
# Storage engine
db:
driver: "sqlite3" # Storage driver: "sqlite3", "postgres", "mysql"
url: "simpleauth.db" # Storage connection URL. See http://gorm.io/docs/connecting_to_the_database.html
debug: false # Will output query performance to log