660fe7b37f
Backlog §2.10: registration issued a live session and email_verified_at was
written but never read, so an unverified user had full access and there was no
switch to require verification.
Add REQUIRE_EMAIL_VERIFICATION (default false). When true:
- resolve_session_user returns None for a user whose email_verified_at is null —
the single read-side gate covering every authenticated request, incl. the
session minted at registration.
- login raises 403 ("email not verified") instead of issuing a useless token.
Default false on purpose: self-hosts without SMTP, and accounts created before
this gate existed (email_verified_at null), must not be locked out. Operators
enable it once mail works and accounts are verified. Documented in .env.example.
Tests: default-off keeps unverified accounts working; on → register's session
won't resolve (401), login is 403, and after verify-email both work. 75 passed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
64 lines
2.2 KiB
Bash
64 lines
2.2 KiB
Bash
# Provenance configuration — copy to `.env` and fill in. Never commit `.env`.
|
|
# Everything is twelve-factor; no endpoints or secrets live in code.
|
|
|
|
# --- Core ---
|
|
APP_ENV=development
|
|
|
|
# --- Images (pulled from git.jpaul.io; CI pushes to the LAN registry) ---
|
|
# test-main = current main build; or pin a semver / test-sha-<sha> for rollback.
|
|
IMAGE_TAG=test-main
|
|
|
|
# --- Database (Postgres) ---
|
|
POSTGRES_USER=provenance
|
|
POSTGRES_PASSWORD=change-me
|
|
POSTGRES_DB=provenance
|
|
# Backend connection string (async driver). Host 'postgres' = compose service.
|
|
DATABASE_URL=postgresql+asyncpg://provenance:change-me@postgres:5432/provenance
|
|
|
|
# --- Object storage (S3-compatible / MinIO) ---
|
|
MINIO_ROOT_USER=provenance
|
|
MINIO_ROOT_PASSWORD=change-me-too
|
|
S3_ENDPOINT_URL=http://minio:9000
|
|
S3_BUCKET=provenance
|
|
S3_ACCESS_KEY=provenance
|
|
S3_SECRET_KEY=change-me-too
|
|
S3_REGION=us-east-1
|
|
|
|
# --- Edge (Caddy) ---
|
|
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
|
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
|
|
# tunnel forwards plain HTTP to caddy:80.
|
|
PROVENANCE_SITE_ADDRESS=:80
|
|
|
|
# --- Deploy-host services (optional, selected via COMPOSE_PROFILES) ---
|
|
# 'tunnel' -> cloudflared connector (needs CLOUDFLARE_TUNNEL_TOKEN; public hostname -> http://caddy:80)
|
|
# Auto-deploy is handled by the host's global Watchtower (watches the
|
|
# watchtower-enabled backend/frontend labels) — no profile needed here.
|
|
CLOUDFLARE_TUNNEL_TOKEN=
|
|
COMPOSE_PROFILES=
|
|
|
|
# --- Auth / sessions ---
|
|
SESSION_TTL_DAYS=30
|
|
TOKEN_TTL_HOURS=24
|
|
# Set false for local http; true (default) behind TLS.
|
|
COOKIE_SECURE=false
|
|
# Base URL used to build links in outbound email.
|
|
APP_BASE_URL=http://localhost
|
|
# Mailer: 'console' logs links to stdout (dev); 'smtp' uses the SMTP settings below.
|
|
MAILER=console
|
|
# Require a verified email before an account has an active session. Leave false
|
|
# until SMTP works and existing accounts are verified, or you will lock users out.
|
|
REQUIRE_EMAIL_VERIFICATION=false
|
|
|
|
# --- Email (SMTP) — wired in a later phase ---
|
|
SMTP_HOST=
|
|
SMTP_PORT=587
|
|
SMTP_USERNAME=
|
|
SMTP_PASSWORD=
|
|
SMTP_FROM=
|
|
|
|
# --- Model providers — wired in Phase 4 (AI assistant). BYO key. ---
|
|
# ANTHROPIC_API_KEY=
|
|
# OPENAI_API_KEY=
|
|
# XAI_API_KEY=
|