# ZeroAuth Environment Configuration
# Copy to .env and update values
# For production deployment, run scripts/deploy.sh — it auto-generates fresh
# secrets if .env does not exist.
#
# Every value below that ends in "change-in-production" or is wrapped in <...>
# is a placeholder for local development only. The real values live in the
# generated .env, which must stay out of version control (presumably
# .gitignored — confirm).
# ───────────────────────── Server ─────────────────────────
# NODE_ENV drives several defaults mentioned further down (derived CORS
# origins, TRUST_PROXY, ENABLE_DEMO_AUTH). The exact rules live in the config
# loader, not in this file.
NODE_ENV=development
PORT=3000
# Public-facing URLs for the four product surfaces. After the subdomain
# refactor each one resolves to a different vhost in production:
#
# API_BASE_URL → https://api.zeroauth.dev (REST surface)
# CONSOLE_BASE_URL → https://console.zeroauth.dev (React dashboard)
# DOCS_BASE_URL → https://docs.zeroauth.dev (Docusaurus site)
# LANDING_BASE_URL → https://zeroauth.dev (marketing + signup)
#
# In dev they collapse onto a single Express host on :3000 so tests +
# round-trip flows work without DNS plumbing.
API_BASE_URL=http://localhost:3000
CONSOLE_BASE_URL=http://localhost:3000/dashboard
DOCS_BASE_URL=http://localhost:3000/docs
LANDING_BASE_URL=http://localhost:3000
# Comma-separated list of allowed CORS origins. Defaults derive from the
# four URLs above in production, or localhost variants in dev.
# Production example:
# https://api.zeroauth.dev,https://console.zeroauth.dev,https://docs.zeroauth.dev,https://zeroauth.dev
# Leave empty to use the derived defaults. Keep this an explicit allow-list of
# scheme+host origins (no wildcards): the console is a browser client and the
# API mints session JWTs, so the origin check is part of the auth boundary.
CORS_ORIGINS=
# Whether to trust X-Forwarded-* headers. Set to true when behind Caddy/Nginx/
# Cloudflare. Auto-enabled in production.
# Only correct when the proxy is the sole path to PORT. With TRUST_PROXY=true
# the app takes the client IP from X-Forwarded-For as supplied, so if the app
# port is also reachable directly, per-IP controls (RATE_LIMIT_* below — assumed
# to key on client IP, confirm in the middleware) can be bypassed by anyone
# who sets that header themselves. Firewall PORT to the proxy when enabling.
TRUST_PROXY=false
# Legacy /api/auth/saml/* and /api/auth/oidc/* routes simulate the assertion
# exchange and mint session JWTs without validating signatures. They are off
# by default in production; opt in for local development. The real
# tenant-scoped equivalents live under /v1/auth/saml/* and /v1/auth/oidc/*.
# Ships enabled here for local development. While on, a caller of the legacy
# routes gets a session JWT without a signed IdP assertion, so any non-
# production instance reachable beyond localhost should set this to false.
# NOTE(review): confirm the loader forces this off when NODE_ENV=production
# rather than relying on the value in .env.
ENABLE_DEMO_AUTH=true
# ────────────────────────── JWT ───────────────────────────
# Generate with: openssl rand -base64 48
# Signs the session JWTs minted by the auth routes. The placeholder below is
# public (it is in this file), so a deployment that keeps it has forgeable
# sessions. deploy.sh replaces it; check whether the config loader also refuses
# to start on the placeholder value (not visible from this file).
JWT_SECRET=your-super-secret-key-change-in-production
# Access-token and refresh-token lifetimes. Keep the access token short; the
# refresh window is the longer exposure if a token leaks.
JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=7d
# ───────────────────── SAML 2.0 / OIDC ────────────────────
# IdP SSO endpoint, this service's SP entity ID, and the ACS callback the IdP
# posts assertions to. Both callbacks below point at the legacy demo routes
# described above; the /v1 tenant-scoped flow presumably needs the IdP
# registered with the matching /v1 callback path (not shown here — confirm).
SAML_ENTRY_POINT=https://idp.example.com/sso/saml
SAML_ISSUER=zeroauth-sp
SAML_CALLBACK_URL=http://localhost:3000/api/auth/saml/callback
# IdP signing certificate used to validate assertion signatures. Empty here
# because the demo routes skip validation; the real routes presumably reject
# assertions without it. Expected encoding (PEM, single-line?) — confirm.
SAML_CERT=
# OIDC provider discovery issuer plus the client credentials registered there.
# OIDC_CLIENT_SECRET is a credential: real value in .env only.
OIDC_ISSUER=https://accounts.google.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
# ──────────────────────── Session ─────────────────────────
# Generate with: openssl rand -base64 48
# Secret for the server-side session (cookie signing — assumed, confirm the
# session middleware). Use a value distinct from JWT_SECRET so the two
# mechanisms can be rotated independently.
SESSION_SECRET=your-session-secret-change-in-production
# ─────────────────────── Rate Limiting ────────────────────
# 900000 ms = 15-minute window, 300 requests per window per client. The client
# identity this keys on is presumably the IP, which is why TRUST_PROXY above
# matters for it.
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=300
# ──────────────────────── Admin Key ───────────────────────
# Generate with: openssl rand -hex 24
# Credential for the admin endpoints (assumed from the name). The placeholder
# is public; rotate on every deploy and treat the real key like JWT_SECRET.
ADMIN_API_KEY=admin-api-key-change-in-production
# ─────────────────────── Logging ──────────────────────────
# NOTE(review): check what debug-level output includes (headers, tokens,
# assertions) before raising this above info in a shared environment.
LOG_LEVEL=info
# ────────────────── Blockchain (Base Sepolia L2) ──────────
# Public Base Sepolia RPC endpoint and its chain id.
BLOCKCHAIN_RPC_URL=https://sepolia.base.org
BLOCKCHAIN_CHAIN_ID=84532
# Deployer wallet — must own DIDRegistry. Generate with:
# node -e "console.log(require('ethers').Wallet.createRandom().privateKey)"
# Holding this key means holding the DIDRegistry owner role, so it is the
# highest-value secret in this file and is intentionally empty here. For
# production prefer a dedicated signer/KMS over a raw key in .env, if the
# app supports one (can't tell from this file).
BLOCKCHAIN_PRIVATE_KEY=
# Deployed contract addresses on Base Sepolia — public, fine to commit.
DID_REGISTRY_ADDRESS=0xC68ceB726DDB898E899080021A0B9e7994f63A73
VERIFIER_CONTRACT_ADDRESS=0x58258bf549D8E8694b22B12410F24583D16e1aA4
# false keeps proof verification local; true presumably routes it through
# VERIFIER_CONTRACT_ADDRESS (inferred from the names — confirm).
VERIFY_ON_CHAIN=false
# ─────────────────── ZKP Circuit Paths ────────────────────
# Build artefacts from circuits/. The .zkey is the proving key and the
# verification_key.json is the public verification key exported from it; the
# two must come from the same build or every proof is rejected.
ZKP_WASM_PATH=circuits/build/identity_proof_js/identity_proof.wasm
ZKP_ZKEY_PATH=circuits/build/circuit_final.zkey
ZKP_VKEY_PATH=circuits/build/verification_key.json
# ─────────────────── Redis (sessions) ─────────────────────
# Dev default has no auth. USE_REDIS_SESSIONS=false presumably keeps sessions
# in-process (confirm); it needs to be true for any multi-instance deployment
# so sessions survive across instances.
REDIS_URL=redis://localhost:6379
USE_REDIS_SESSIONS=false
# ──────────────────────── PostgreSQL ──────────────────────
# Required for tenants, API keys, usage metering, and lead capture.
# zeroauth-dev is a development password. NOTE(review): the deploy.sh comment
# at the top only says it regenerates "secrets" — confirm POSTGRES_PASSWORD
# is among them.
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_DB=zeroauth
POSTGRES_USER=zeroauth
POSTGRES_PASSWORD=zeroauth-dev
# ── Email (Brevo SMTP) ──────────────────────────────
# Per ADR-0005. Required for signup welcome emails, password reset,
# and the DPDP §8(7) breach-notification procedure.
# Brevo dashboard → Settings → SMTP & API → Authorized IPs must list
# the sending IP (104.207.143.14 for the prod VPS) or every login
# returns 5.7.1 Unauthorized IP.
# NOTE(review): the production sending IP above is an operational detail;
# consider keeping it in the ops runbook rather than this committed template.
SMTP_HOST=smtp-relay.brevo.com
SMTP_PORT=587
# Replace the whole <...> token, brackets included. SMTP_PASSWORD is the Brevo
# SMTP key, not the dashboard login password.
SMTP_USER=<your-brevo-smtp-login>@smtp-brevo.com
SMTP_PASSWORD=<your-brevo-smtp-key>
# Sender identity; the domain presumably has to be verified in Brevo for
# delivery (confirm in the Brevo account).
EMAIL_FROM=noreply@zeroauth.dev
EMAIL_FROM_NAME=ZeroAuth