mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-23 03:26:42 +02:00
🐛 fix(mana-core-auth): use EdDSA for OIDC id_token signing
Set useJWTPlugin: true so id_tokens are signed with EdDSA keys from JWKS instead of HS256. This fixes Synapse OIDC integration which verifies tokens via JWKS endpoint.
This commit is contained in:
Till-JS
parent
5c61a4ed0f
commit
efb077b9ea
22 changed files with 1605 additions and 142 deletions
|
|
@ -1,37 +1,91 @@
|
|||
# Mana Core Auth - Development Environment
|
||||
# ============================================================================
|
||||
# Mana Core Auth - Environment Configuration
|
||||
# ============================================================================
|
||||
# Copy this file to .env and fill in your values.
|
||||
# Variables marked [REQUIRED] must be set.
|
||||
# Variables marked [REQUIRED IN PRODUCTION] are optional in development.
|
||||
# ============================================================================
|
||||
|
||||
# Environment
|
||||
NODE_ENV=development
|
||||
PORT=3001
|
||||
|
||||
# Database
|
||||
DATABASE_URL=postgresql://manacore:password@localhost:5432/manacore
|
||||
# Logging
|
||||
# Options: debug, info, warn, error
|
||||
LOG_LEVEL=debug
|
||||
|
||||
# Redis
|
||||
# ============================================================================
|
||||
# Database [REQUIRED]
|
||||
# ============================================================================
|
||||
DATABASE_URL=postgresql://manacore:manacore@localhost:5432/manacore_auth
|
||||
|
||||
# ============================================================================
|
||||
# Redis (Optional in development, recommended in production)
|
||||
# ============================================================================
|
||||
REDIS_HOST=localhost
|
||||
REDIS_PORT=6379
|
||||
REDIS_PASSWORD=
|
||||
|
||||
# JWT Configuration
|
||||
JWT_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGRsOXROB4lprw\n9oXaOIt+cwHe3UxBOoiWiUXcpFuXwb+kBWn/LyjeCIOXtefOwE0S10JEodK+6foe\naqGHanq86qAmmkb4a8sjj5LAxXkHL35sJo8HaYcx5NkJQLxQSRHpTfdfxsKsKwxa\n4R4uqrvToqdo6tl/VMsGDPS8L7KzaiKaSdGugvlVtXWgV1soeXSUPyPwpyAXQg7h\nY4CkTSkJAplrs77RLdj8u6jbHKR3F7QkwiU1JocjhM1GP/suKiqXRu8omLFnu45C\ns09SNSRsOpNY5csrKA4PZ2LCks9VHH7HafFvB+BbRw4+Ssr6myOysAztqi3bZMRW\nLTakWpBbAgMBAAECggEAF5zi0IzaghHxhtkyYfrSRgSynX9+WYBRNu2ch8/SZqAj\neghOXMkZgAPEjtiSMDGqRsr4ReMoYtB2Qea8sOX8kwC1gj4Po1Mhtez0cwexclUf\nebLH3X/y9/1YiZJk5YImOMIuaoC/ELDvFOhIEhJcMbKREbIc+oiMcH6HgN0vViVh\nJptgHTnqnGHNARkEpf+xnxqJJxEgrEMz50b4fApKpoZsWXNnZ3Atc/i2ziGew5z4\npnGJxs9TWSukBZaQvl9iluBBvqmPkCOId+L7CmB44bNURpqQOm8gxEgLcdn06y5j\nIKee3Z4H6OTseFvSIYYqBqCyyyZWHICBZXUCDQKUbQKBgQDnFe+O+pQc5looLFiF\nxuYsfDtJqvoMgQ0BaVAo6wVpPe6w+1NA6ZxghcM0+8zyc70jZvdMXINhdsfWD5Gi\nJ/NEDI8EXJJKMfnFQ7F1Ad5NyTnnn/TsLda4GIGQznPRS6uxUP4ljFtxmU9G8Diz\nUQ47XsLjwzzbTedMTSYoQ46kdwKBgQDbp0dIq047o4A72/BBttKdZbgQmjFmqCXF\n8YRUquIDXh/CJ4OQwOIaOvk2398Rg53c3MsV+XCJaMmWYqnJ4BdITLsqeGKsczoS\nI0DMehDr++aOoX/f29r1c+7J/fV5jtAEUcwIEOR1vyAM+WdiWnnTvdpMPVUDsgaT\ntuH0E8WgPQKBgQCCINci87Z+Q7VXVAmRY7zwJhEY3eArNGzHc6+BKz+D0S1dmll6\nf1LhA9I2PuldSpGiovP1m08cjk/gGipPXyHdGxlaQmravyPA0urWUfQGZ59k8K1y\nZim4x4wGqEuN+4e2tT44lL5VzRhYgSPcznMuOaGTsrjNYiQy0mr/V3O25wKBgHvV\nryaVDaIp553XvXgO7ma2djNF+xv5KHKUWxqwzINBiX4YcOAnHlHTdbUuOcDSByoB\ngK1+16dgYGZccYTSxc2JFOw4usimndKj9WBSYT/p4G4BNuqqNKO1HKbceoxxq20E\nAJd7jpGjkxo9cb/Nammp22yoF0niEDsvG+xTSVOxAoGBAMfxHYCMdPc625upCbqG\nkPSJJGYREKGad80OtXilYXLvBPzV65q32k2YZGjaicPKRAzj72KO4nfIu9SY6bfO\nBvXCtIcvllZQuxyd3Cd8MirujJodKwThLTMd4bAYYMXGz1/W6R6pzunZs5KEpgEr\nczy9Gk9WNp0t8vfzyZZ9aago\n-----END PRIVATE KEY-----\n"
|
||||
# ============================================================================
|
||||
# Base URL [REQUIRED IN PRODUCTION]
|
||||
# ============================================================================
|
||||
# The public URL where this auth service is accessible
|
||||
# Used for email verification links, OIDC callbacks, etc.
|
||||
BASE_URL=http://localhost:3001
|
||||
|
||||
JWT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxkbDl0TgeJaa8PaF2jiL\nfnMB3t1MQTqIlolF3KRbl8G/pAVp/y8o3giDl7XnzsBNEtdCRKHSvun6Hmqhh2p6\nvOqgJppG+GvLI4+SwMV5By9+bCaPB2mHMeTZCUC8UEkR6U33X8bCrCsMWuEeLqq7\n06KnaOrZf1TLBgz0vC+ys2oimknRroL5VbV1oFdbKHl0lD8j8KcgF0IO4WOApE0p\nCQKZa7O+0S3Y/Luo2xykdxe0JMIlNSaHI4TNRj/7Lioql0bvKJixZ7uOQrNPUjUk\nbDqTWOXLKygOD2diwpLPVRx+x2nxbwfgW0cOPkrK+psjsrAM7aot22TEVi02pFqQ\nWwIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
# ============================================================================
|
||||
# CORS [REQUIRED IN PRODUCTION]
|
||||
# ============================================================================
|
||||
# Comma-separated list of allowed origins
|
||||
# In development, defaults to localhost ports if not set
|
||||
CORS_ORIGINS=http://localhost:3000,http://localhost:5173,http://localhost:5174,http://localhost:8081
|
||||
|
||||
# ============================================================================
|
||||
# JWT Configuration
|
||||
# ============================================================================
|
||||
# Note: Better Auth uses EdDSA keys stored in the database (JWKS).
|
||||
# These RSA keys are only used as fallback for legacy token generation.
|
||||
# You can leave these empty if using Better Auth's default JWKS.
|
||||
|
||||
# JWT_PRIVATE_KEY=
|
||||
# JWT_PUBLIC_KEY=
|
||||
JWT_ACCESS_TOKEN_EXPIRY=15m
|
||||
JWT_REFRESH_TOKEN_EXPIRY=7d
|
||||
JWT_ISSUER=manacore
|
||||
JWT_AUDIENCE=manacore
|
||||
|
||||
# Stripe (use test keys)
|
||||
# ============================================================================
|
||||
# Stripe (Optional - credit system won't work without it)
|
||||
# ============================================================================
|
||||
# Get your keys from https://dashboard.stripe.com/apikeys
|
||||
STRIPE_SECRET_KEY=sk_test_...
|
||||
STRIPE_PUBLISHABLE_KEY=pk_test_...
|
||||
STRIPE_WEBHOOK_SECRET=whsec_...
|
||||
|
||||
# CORS
|
||||
CORS_ORIGINS=http://localhost:3000,http://localhost:8081
|
||||
# ============================================================================
|
||||
# SMTP (Optional - emails will be logged if not configured)
|
||||
# ============================================================================
|
||||
# Using Brevo (formerly Sendinblue) SMTP relay
|
||||
SMTP_HOST=smtp-relay.brevo.com
|
||||
SMTP_PORT=587
|
||||
SMTP_USER=
|
||||
SMTP_PASSWORD=
|
||||
SMTP_FROM=ManaCore <noreply@mana.how>
|
||||
|
||||
# ============================================================================
|
||||
# Credits
|
||||
# ============================================================================
|
||||
CREDITS_SIGNUP_BONUS=150
|
||||
CREDITS_DAILY_FREE=5
|
||||
|
||||
# ============================================================================
|
||||
# Rate Limiting
|
||||
# ============================================================================
|
||||
# TTL in seconds, limit is requests per TTL
|
||||
RATE_LIMIT_TTL=60
|
||||
RATE_LIMIT_MAX=100
|
||||
|
||||
# ============================================================================
|
||||
# AI Services (Optional)
|
||||
# ============================================================================
|
||||
GOOGLE_GENAI_API_KEY=
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue