-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconfig.example.toml
More file actions
251 lines (214 loc) · 7.3 KB
/
config.example.toml
File metadata and controls
251 lines (214 loc) · 7.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# Rust-True Configuration File
# This file contains all possible configuration options with their default values.
# Server Configuration
[server]
host = "127.0.0.1" # Interface to bind to (0.0.0.0 for all interfaces)
port = 8080 # Port to listen on
cors_allowed_origins = ["http://localhost:3000"] # List of allowed CORS origins
[server.performance]
tcp_nodelay = true # Enable TCP_NODELAY (disable Nagle's algorithm)
tcp_keepalive_secs = 60 # TCP keepalive timeout in seconds
max_concurrent_requests = 100000 # Maximum concurrent requests
request_buffer_size = 100000 # Request buffer size
# recv_buffer_size = 262144 # Optional: TCP receive buffer size (SO_RCVBUF)
# send_buffer_size = 262144 # Optional: TCP send buffer size (SO_SNDBUF)
# Database Configuration
[database]
# Driver type: "scylla", "postgres", "mysql", "sqlite"
driver = "scylla"
# Connection URL
# Scylla: "127.0.0.1:9042"
# Postgres: "postgres://user:pass@localhost:5432/dbname"
# Sqlite: "sqlite://data.db?mode=rwc"
url = "127.0.0.1:9042"
max_connections = 100 # Max connections in pool
run_migrations = true # Auto-run migrations on startup
# Advanced ScyllaDB Settings (Only if driver = "scylla")
[database.scylla_advanced]
connection_pool_size = 16 # Connections per shard
enable_token_aware_routing = true # Route queries to data owner
enable_speculative_execution = false # Send backup requests for slow queries
speculative_execution_delay_ms = 10 # Delay before speculative request
# datacenter = "datacenter1" # Optional: specific DC
# rack = "rack1" # Optional: specific rack
# JWT Configuration
[jwt]
# CRITICAL: Change this in production! Min 32 chars.
secret = "CHANGE-THIS-SECRET-KEY-MINIMUM-32-CHARACTERS-LONG"
expiry = 3600 # Access token expiry in seconds
# Security Settings
[security]
password_min_length = 8
password_min_strength = 3 # 0-4 score (zxcvbn)
require_special_char = true
require_number = true
require_uppercase = true
require_reauthentication_on_password_change = true
# Email Restrictions
email_domain_mode = "none" # "none", "whitelist", "blacklist"
email_whitelist = []
email_blacklist = []
# Account Lockout
account_lockout_enabled = false
account_lockout_max_attempts = 5
account_lockout_duration = 900 # 15 minutes lockout
account_lockout_reset_window = 3600 # Reset attempt count after 1 hour
# Password Hashing Configuration
# Choose one of the following algorithms: "argon2" (default/recommended), "pbkdf2", "scrypt"
[security.password_hashing]
algorithm = "argon2"
[security.password_hashing.params]
m_cost = 19456 # Memory cost in KiB (~19MB)
t_cost = 2 # Time cost (iterations)
p_cost = 1 # Parallelism
# Example PBKDF2 Config (High compatibility, slower performance):
# [security.password_hashing]
# algorithm = "pbkdf2"
# [security.password_hashing.params]
# rounds = 600000 # Recommended minimum for PBKDF2-SHA256
# Example Scrypt Config (Memory-hard, good alternative to Argon2):
# [security.password_hashing]
# algorithm = "scrypt"
# [security.password_hashing.params]
# log_n = 15 # CPU/Memory cost (N = 2^15 = 32768)
# r = 8 # Block size
# p = 1 # Parallelism
# Verification Settings
[verification]
enabled = true
method = "both" # "code", "magic_link", "both"
code_length = 6
code_expiry = 600 # 10 minutes
token_expiry = 86400 # 24 hours (magic link)
max_attempts = 5 # per code
# Email Configuration
[email]
resend_api_key = "" # Optional: Resend API Key
# SMTP Settings (Optional, ignored if Resend Key is set)
# [email.smtp]
# host = "smtp.example.com"
# port = 587
# user = "apikey"
# password = "password"
# from_email = "noreply@example.com"
# SMS Configuration
[sms]
enabled = false
provider = "twilio"
otp_length = 6
otp_expiry = 300 # 5 minutes
auto_create_user = true # Create user if verify call is for new phone
max_otp_attempts = 5
sms_autoconfirm = true # Verify phone on first OTP success
sms_max_frequency = 60 # Min seconds between OTP requests
# [sms.twilio]
# account_sid = "AC..."
# auth_token = "..."
# message_service_sid = "MG..." # Optional
# phone_number = "+1234567890" # Optional
# External Auth Providers (OAuth)
[external]
# [external.google]
# enabled = true
# client_id = "..."
# client_secret = "..."
# redirect_uri = "http://localhost:3000/auth/google/callback"
# [external.github]
# enabled = true
# client_id = "..."
# client_secret = "..."
# redirect_uri = "http://localhost:3000/auth/github/callback"
# Additional providers available: gitlab, azure, facebook, apple, bitbucket,
# discord, figma, keycloak, linkedin, notion, slack, snapchat, spotify,
# twitch, twitter, workos
# Rate Limiting
[rate_limit]
enabled = true
store_type = "memory" # "memory" or "valkey"
valkey_url = "redis://localhost:6379" # Only if store_type = "valkey"
# IP-based limits
token_limit = 100
signup_limit = 5
recover_limit = 5
verify_limit = 10
window_duration = 60 # Window size in seconds
# User-based limits (authenticated)
user_based_enabled = true
user_limit = 1000
user_window_duration = 60
# Session Management
[sessions]
enabled = true
max_per_user = 5
expire_after_days = 7
track_ip = true
validate_ip = false # Enforce IP consistency
cleanup_interval = 3600 # Seconds
# WebAuthn (Passkeys)
[webauthn]
enabled = false
rp_id = "localhost" # Domain
rp_origin = "http://localhost:9999" # Origin URL
rp_name = "Rust-True Auth"
challenge_timeout_secs = 300
allow_multiple_credentials = true
user_verification = "preferred" # "required", "preferred", "discouraged"
authenticator_attachment = "any" # "platform", "cross_platform", "any"
# Enterprise SSO (SAML)
[sso]
enabled = false
sp_entity_id = "http://localhost:8080"
sp_acs_url = "http://localhost:8080/sso/acs"
# sp_slo_url = "http://localhost:8080/sso/slo"
# Captcha Configuration
[captcha]
enabled = false
provider = "turnstile" # "turnstile", "recaptcha", "hcaptcha"
secret_key = "1x0000000000000000000000000000000AA"
site_key = "1x00000000000000000000AA"
# Webhooks
[webhooks]
enabled = false
# url = "http://myapp.com/hooks" # Global webhook URL
# secret = "webhook-secret"
events = [] # List of events to trigger
max_retries = 3
retry_delay_seconds = 5
# [webhooks.signup_hook]
# enabled = false
# url = "http://myapp.com/validate-signup"
# timeout_ms = 500
# fail_open = false # Allow signup if hook times out?
# Multi-tenancy
[multitenancy]
enabled = false
mode = "header" # "header" or "subdomain"
header_name = "X-Tenant-ID"
default_tenant_id = "00000000-0000-0000-0000-000000000000"
# Observability
[logging]
level = "info" # "debug", "info", "warn", "error"
format = "pretty" # "pretty" or "json"
[tracing]
enabled = false
endpoint = "http://localhost:4317"
service_name = "rust-true"
[loki]
enabled = false
endpoint = "http://localhost:3100"
# Runtime Tuning
[runtime]
worker_threads = 0 # 0 = auto-detect
max_blocking_threads = 512
thread_stack_size = 2097152 # 2MB
thread_keep_alive = 10
# Anonymous Users
[anonymous]
enabled = false
auto_cleanup_enabled = true
auto_cleanup_after_days = 30
[api]
enable_swagger = true
enable_dashboard = true
[general]
site_url = "http://localhost:8080"