Chore: Setup and Env

.env.example

@@ -1,58 +1,117 @@
-# Flask Configuration
-FLASK_APP=wsgi.py
+FLASK_APP=manage.py
 FLASK_ENV=development
-SECRET_KEY=your-secret-key-here-change-in-production
+FLASK_DEBUG=1
 
 # Database
-DATABASE_URL=postgresql://user:password@localhost:5432/authy2_dev
+DATABASE_URL=postgresql://user:password@localhost:5432/gatehouse_dev
 SQLALCHEMY_ECHO=False
 SQLALCHEMY_LOG_LEVEL=WARNING
 
-# Security
+# Security / Encryption
+SECRET_KEY=change-me-in-production
+ENCRYPTION_KEY=change-me-in-production-32-bytes!!
+# Used to encrypt SSH CA private keys stored in the database
+CA_ENCRYPTION_KEY=change-me-in-production
 BCRYPT_LOG_ROUNDS=12
-ENCRYPTION_KEY=your-encryption-key-here-change-in-production
+
+# Session cookies
 SESSION_COOKIE_SECURE=False
-SESSION_COOKIE_HTTPONLY=True
 SESSION_COOKIE_SAMESITE=Lax
+# Only needed when sharing cookies across subdomains (e.g. api.example.com + ui.example.com)
+# SESSION_COOKIE_DOMAIN=example.com
 MAX_SESSION_DURATION=86400
 
-# CORS
-#CORS_ORIGINS=http://localhost:3000,http://localhost:5173,https://oidc-playpen.lovable.app/,http://localhost:8080/
-CORS_ORIGINS=*
-
-
-# JWT (if using JWT instead of sessions)
-JWT_SECRET_KEY=your-jwt-secret-key-here
+# ─────────────────────────────────────────────────────────────────────────────
+# JWT
+# ─────────────────────────────────────────────────────────────────────────────
+JWT_SECRET_KEY=change-me-in-production
 JWT_ACCESS_TOKEN_EXPIRES=3600
 JWT_REFRESH_TOKEN_EXPIRES=2592000
 
-# Redis (for session storage)
+# ─────────────────────────────────────────────────────────────────────────────
+# Redis  (session storage + rate limiting)
+# ─────────────────────────────────────────────────────────────────────────────
 REDIS_URL=redis://localhost:6379/0
+SESSION_REDIS_URL=redis://localhost:6379/0
+RATELIMIT_STORAGE_URL=redis://localhost:6379/1
 
-# OIDC
+# ─────────────────────────────────────────────────────────────────────────────
+# CORS
+# ─────────────────────────────────────────────────────────────────────────────
+CORS_ORIGINS=http://localhost:8080,http://localhost:5173
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Frontend / App URLs
+# All three should point at the browser-facing SPA. They are used for:
+#   FRONTEND_URL  → OAuth callback redirects after provider auth
+#   APP_URL       → Password-reset and email-verify links in emails
+#   OIDC_UI_URL   → OIDC /authorize redirects to the React consent/login UI
+# ─────────────────────────────────────────────────────────────────────────────
+FRONTEND_URL=http://localhost:8080
+APP_URL=http://localhost:8080
+OIDC_UI_URL=http://localhost:8080
+
+# ─────────────────────────────────────────────────────────────────────────────
+# OIDC / OAuth issuer
+# ─────────────────────────────────────────────────────────────────────────────
 OIDC_ISSUER_URL=http://localhost:5000
+OIDC_BASE_URL=http://localhost:5000
 
+# ─────────────────────────────────────────────────────────────────────────────
+# WebAuthn
+# ─────────────────────────────────────────────────────────────────────────────
+WEBAUTHN_RP_ID=localhost
+WEBAUTHN_RP_NAME=Gatehouse
+WEBAUTHN_ORIGIN=http://localhost:8080
+
+# ─────────────────────────────────────────────────────────────────────────────
+# SSH CA  (pick one)
+# ─────────────────────────────────────────────────────────────────────────────
+SSH_CA_KEY_PATH=/path/to/ca-users
+# SSH_CA_PRIVATE_KEY=   # raw key content; takes priority over SSH_CA_KEY_PATH
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Email / SMTP
+# ─────────────────────────────────────────────────────────────────────────────
+EMAIL_ENABLED=False
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USE_TLS=True
+SMTP_USERNAME=
+SMTP_PASSWORD=
+FROM_ADDRESS=noreply@gatehouse.local
+
+# ─────────────────────────────────────────────────────────────────────────────
 # Logging
+# ─────────────────────────────────────────────────────────────────────────────
 LOG_LEVEL=INFO
 LOG_TO_STDOUT=True
 
+# ─────────────────────────────────────────────────────────────────────────────
 # Rate Limiting
+# ─────────────────────────────────────────────────────────────────────────────
 RATELIMIT_ENABLED=True
-RATELIMIT_STORAGE_URL=redis://localhost:6379/1
-
-# SSH CA
-# Path to CA private key file (alternative to SSH_CA_PRIVATE_KEY env var)
-SSH_CA_KEY_PATH=/path/to/ca-users
-# Or set the key content directly (takes priority over SSH_CA_KEY_PATH):
-# SSH_CA_PRIVATE_KEY=
-
-EMAIL_ENABLED=
-SMTP_HOST=
-SMTP_PORT=
-SMTP_USERNAME=
-SMTP_PASSWORD=
-FROM_ADDRESS=
-WEBAUTHN_ORIGIN=
+# Per-endpoint auth limits (optional — defaults shown)
+# RATELIMIT_AUTH_REGISTER=10 per minute; 50 per hour
+# RATELIMIT_AUTH_LOGIN=20 per minute; 100 per hour
+# RATELIMIT_AUTH_TOTP_VERIFY=20 per minute; 100 per hour
+# RATELIMIT_AUTH_FORGOT_PASSWORD=5 per minute; 20 per hour
+# RATELIMIT_AUTH_RESET_PASSWORD=10 per minute; 30 per hour
 
 ZEROTIER_API_TOKEN=
-ZEROTIER_API_URL=
+ZEROTIER_API_URL=
+
+# ─────────────────────────────────────────────────────────────────────────────
+# OIDC token lifetimes & security (optional — defaults shown)
+# ─────────────────────────────────────────────────────────────────────────────
+# OIDC_ACCESS_TOKEN_LIFETIME=3600
+# OIDC_REFRESH_TOKEN_LIFETIME=2592000
+# OIDC_ID_TOKEN_LIFETIME=3600
+# OIDC_AUTHORIZATION_CODE_LIFETIME=600
+# OIDC_REQUIRE_PKCE=True
+# OIDC_ALLOW_IMPLICIT_FLOW=False
+# OIDC_KEY_ROTATION_DAYS=90
+# OIDC_KEY_GRACE_PERIOD_DAYS=30
+# OIDC_RATE_LIMIT_AUTHORIZE=10/minute
+# OIDC_RATE_LIMIT_TOKEN=20/minute
+# OIDC_RATE_LIMIT_USERINFO=60/minute