Add auth foundation: sessions/tokens schema, Argon2 hashing, config
Two tables (sessions, user_tokens) + migration; only token *hashes* are stored, so a DB leak yields no usable credential. Argon2id password hashing and token primitives in app/core/security. Config and .env.example gain session/cookie/token TTLs, app base URL, and SMTP settings (twelve-factor). Migration verified reversible (drops the token_purpose enum) and matches the models. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Justin Paul <justin@jpaul.me>
This commit is contained in:
@@ -24,6 +24,16 @@ S3_REGION=us-east-1
|
||||
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
||||
PROVENANCE_SITE_ADDRESS=:80
|
||||
|
||||
# --- Auth / sessions ---
|
||||
SESSION_TTL_DAYS=30
|
||||
TOKEN_TTL_HOURS=24
|
||||
# Set false for local http; true (default) behind TLS.
|
||||
COOKIE_SECURE=false
|
||||
# Base URL used to build links in outbound email.
|
||||
APP_BASE_URL=http://localhost
|
||||
# Mailer: 'console' logs links to stdout (dev); 'smtp' uses the SMTP settings below.
|
||||
MAILER=console
|
||||
|
||||
# --- Email (SMTP) — wired in a later phase ---
|
||||
SMTP_HOST=
|
||||
SMTP_PORT=587
|
||||
|
||||
Reference in New Issue
Block a user