.env.sample

#
# APPLICATION
#
APP_NAME=app-name
APP_SCHEMA=http
APP_HOST=localhost
APP_PORT=8999
# serverenv = development OR production
APP_ENV=development
RELEASE_VERSION_OR_COMMIT_NUMBER=

#
# Get real IP of the client
#
# when using Cloudflare's CDN:
# TRUSTED_PLATFORM=cf
#
# when running on Google App Engine:
# TRUSTED_PLATFORM=google
#
# when using apache or nginx reverse proxy without
# Cloudflare's CDN or Google App Engine:
# [Default value]
TRUSTED_PLATFORM=X-Real-Ip
#
# config for nginx:
# =================
# proxy_set_header X-Real-IP       $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Sentry.io
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_SENTRY=no
SentryDSN=https://abcd@ijk.ingest.sentry.io/xyz
# Performance tracing
# By default, it is disabled
# Activate by setting it to yes
SENTRY_ENABLE_TRACING=no
# Set sample rate to 1.0 to capture 100%
# of transactions for performance monitoring.
# We recommend adjusting this value in production.
SENTRY_TRACES_SAMPLE_RATE=0.0

#
# User password minimum length
#
MIN_PASS_LENGTH=6

#
# Basic Auth
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_BASIC_AUTH=yes
USERNAME=your_username
PASSWORD=secret_password

#
# JWT
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_JWT=yes
# Accepted algorithms: HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512
JWT_ALG=HS256
ACCESS_KEY=Use_a_strong_and_long_random_key
REFRESH_KEY=Use_another_strong_and_long_random_key
# expires tokens in minutes
ACCESS_KEY_TTL=5
REFRESH_KEY_TTL=60
PRIV_KEY_FILE_PATH=./private-key.pem
PUB_KEY_FILE_PATH=./public-key.pem
AUDIENCE=
ISSUER=gorest
# NotBefore for ACCESS_KEY in seconds
NOT_BEFORE_ACC=0
# NotBefore for REFRESH_KEY in seconds
NOT_BEFORE_REF=0
SUBJECT=

#
# When user logs off, invalidate the tokens
# A Redis database is required for this feature
# By default, it is disabled
# Activate by setting it to yes
INVALIDATE_JWT=

#
# Auth cookie
#
# By default, it is disabled
# Activate by setting it to yes
AUTH_COOKIE_ACTIVATE=no
AUTH_COOKIE_PATH=/
AUTH_COOKIE_DOMAIN=your-domain.com
# Activate by setting it to yes
AUTH_COOKIE_SECURE=yes
# Activate by setting it to yes
AUTH_COOKIE_HttpOnly=yes
# Accepted values: strict, lax, none, or keep it empty
AUTH_COOKIE_SameSite=strict
# Disable by setting it to no, it is enabled by default
SERVE_JWT_AS_RESPONSE_BODY=

#
# HashPass config
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_HASHING=yes
# The amount of memory used by the Argon2 algorithm (in kibibytes)
# HASHPASSMEMORY * 1024
HASHPASSMEMORY=64
# The number of iterations (or passes) over the memory
HASHPASSITERATIONS=2
# The number of threads (or lanes) used by the algorithm
# Changing the value of the Parallelism parameter changes the hash output
HASHPASSPARALLELISM=2
# Length of the random salt. 16 bytes is recommended for password hashing
HASHPASSSALTLENGTH=16
# Length of the generated key (or password hash). 16 bytes or more is recommended
HASHPASSKEYLENGTH=32
# NIST 800-63B recommends using a secret value of at least 112 bits
# When this field is empty, no secret will be used for hashing
HASH_SECRET=

#
# Save user email in encrypted form at rest
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_CIPHER=
CIPHER_KEY=

#
# For blake2b hashing with optional secret
#
BLAKE2B_SECRET=

#
# Email verification and password recovery
#
# By default, these are disabled
# Activate by setting them to yes
VERIFY_EMAIL=no
RECOVER_PASSWORD=no

#
# Two-Factor Authentication
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_2FA=no
TWO_FA_ISSUER=gorest
# SHA1 = 1, SHA256 = 256, SHA512 = 512
# FreeOTP supports SHA1, SHA256 SHA512
# Authy, Google Authenticator, Microsoft Authenticator, Okta
# support only SHA1
# So, better to use only SHA1 for now
TWO_FA_CRYPTO=1
# TWO_FA_DIGITS = 6, 7 or 8
TWO_FA_DIGITS=6
TWO_FA_VERIFIED=verified
TWO_FA_ON=on
TWO_FA_OFF=off
TWO_FA_INVALID=invalid
# Must be a local directory with relative path
# where the main application is hosted
TWO_FA_QR_PATH=tmp
# By default, sha2-256 hash of user's password is used to encrypt
# 2-FA secret. To harden the security with blake2b (with optional
# secret), set TWO_FA_DOUBLE_HASH=yes
TWO_FA_DOUBLE_HASH=

#
# App Firewall
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_FIREWALL=yes
# Allow all IP [LISTTYPE=whitelist | IP=*]
# Block all IP [LISTTYPE=blacklist | IP=*]
# Allow one or several IPs [LISTTYPE=whitelist | IP=x.x.x.x]
# Block one or several IPs [LISTTYPE=blacklist | IP=x.x.x.x]
LISTTYPE=whitelist
# LISTTYPE=blacklist
# IP - comma-separated list, IPv4, IPv6, CIDR
# IP=192.168.0.1,10.0.0.1,172.16.0.0/12,2400:cb00::/32
IP=*

#
# CORS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_CORS=yes
#
# Access-Control-Allow-Origin
# Indicates whether the response can be shared with requesting code from the given origin
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
CORS_ORIGIN=*
#
# Access-Control-Allow-Credentials
# Indicates whether or not the actual request can be made using credentials
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
CORS_CREDENTIALS=true
#
# Access-Control-Allow-Headers
# Indicate which HTTP headers can be used during the actual request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
CORS_HEADERS=Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, Accept, Origin, Cache-Control, X-Requested-With
#
# Access-Control-Expose-Headers
# Which response headers should be made available to scripts running in the browser
# in response to a cross-origin request
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
CORS_EXPOSE_HEADERS=Content-Length
#
# Access-Control-Allow-Methods
# Specifies one or more allowed methods
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
CORS_METHODS=GET, POST, PUT, PATCH, DELETE, OPTIONS
#
# Access-Control-Max-Age
# Indicates how long the results of a preflight request can be cached
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
CORS_MAXAGE=3600
#
# X-Content-Type-Options
# Prevent some browsers from MIME-sniffing the response
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
CORS_X_CONTENT_TYPE=nosniff
#
# X-Frame-Options
# Protect website against clickjacking
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034#section-2.1
# X-Frame-Options: DENY, SAMEORIGIN
CORS_X_FRAME=DENY
#
# Referrer-Policy
# Set a strict Referrer Policy to mitigate information leakage
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
CORS_REFERRER=strict-origin-when-cross-origin
#
# Content-Security-Policy
# Mitigate the risk of cross-site scripting and other content-injection attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://content-security-policy.com/
# https://developers.google.com/web/fundamentals/security/csp
CORS_CONTENT_SECURITY=default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'
#
# Timing-Allow-Origin
# Allow cross-origin access to the timing information for all resources
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
CORS_TIMING_ALLOW_ORIGIN=*
#
# Strict-Transport-Security
# HTTP Strict Transport Security (HSTS)
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# Strict-Transport-Security: max-age=63072000; includeSubDomains
# To enable HSTS preload inclusion: https://hstspreload.org/#deployment-recommendations
# Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
CORS_HSTS=

# Origin Validation
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_ORIGIN_VALIDATION=no

# IP-Based Rate Limiter
# "S": second, "M": minute, "H": hour, "D": day
# Example: RATE_LIMIT=100-M (100 requests per minute), RATE_LIMIT=100-H (100 requests per hour)
# Keep it empty to disable rate limiter
RATE_LIMIT=100-M

#
# HTML Templates
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_VIEW=no
# Must be a local directory with relative path
# where the main application is hosted
TEMPLATE_DIR=templates

#
# RDBMS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_RDBMS=no
# Supported dbDriver: mysql, postgres, sqlite3
DBDRIVER=dbDriver
DBUSER=dbUser
DBPASS=dbPass
DBNAME=dbName
DBHOST=localhost
DBPORT=dbport
# To enable TLS, set DBSSLMODE from 'disable' to 'require' or 'verify-ca' or 'verify-full'
# require: use host machine's root CAs to verify
# verify-ca or verify-full: perform comprehensive SSL/TLS certificate validation using
# certificate signed by a recognized CA or by a self-signed certificate
DBSSLMODE=disable
# Set minimum supported TLS version
DBSSL_TLS_MIN=1.2
# If DBSSL_ROOT_CA is set, it will be used in TLS
# Otherwise, DBSSL_SERVER_CERT will be used
DBSSL_ROOT_CA=/path/to/ca.pem
DBSSL_SERVER_CERT=/path/to/server-cert.pem
# For authentication of the client to the server, both DBSSL_CLIENT_CERT & DBSSL_CLIENT_KEY are required
DBSSL_CLIENT_CERT=/path/to/client-cert.pem
DBSSL_CLIENT_KEY=/path/to/client-key.pem
DBTIMEZONE=Europe/Berlin
#
# Max number of connections in the idle connection pool
DBMAXIDLECONNS=10
#
# Max number of open connections in the database
DBMAXOPENCONNS=100
#
# Max amount of time a connection may be reused
# Example:
# 1h
# 10m
# 20s
# 2h30m
# 2h30m45s
DBCONNMAXLIFETIME=1h
#
# Silent level = 1
# Error level = 2
# Warn level = 3
# Info level = 4
DBLOGLEVEL=1

#
# REDIS
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_REDIS=no
REDISHOST=127.0.0.1
REDISPORT=6379
POOLSIZE=10
# Context deadline in second
CONNTTL=5

#
# MONGO
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_MONGO=no
# Manual: https://docs.mongodb.com/manual/reference/connection-string/
# For MongoDB Atlas
# MONGO_URI=mongodb+srv://<username>:<password>@<cluster>.<subdomain>.mongodb.net/<cluster>?retryWrites=true&w=majority
# For standard connection on the local machine with auth
MONGO_URI=mongodb://<username>:<password>@<IP>:<PORT>/?retryWrites=true&w=majority
# For standard connection on the local machine without auth
# MONGO_URI=mongodb://<IP>:<PORT>/?retryWrites=true&w=majority
MONGO_APP=any_app_name
# Connection pool
MONGO_POOLSIZE=50
MONGO_MONITOR_POOL=yes
# MONGO_MONITOR_POOL=no
# Mongo client context deadline in second
MONGO_CONNTTL=10

#
# EMAIL SERVICE
#
# By default, it is disabled
# Activate by setting it to yes
ACTIVATE_EMAIL_SERVICE=no
# Supported providers: postmark
EMAIL_SERVICE_PROVIDER=postmark
# EMAIL_API_TOKEN: For postmark, it is the server token
EMAIL_API_TOKEN=
EMAIL_FROM=email@yourdomain.com
# Activate by setting it to yes
EMAIL_TRACK_OPENS=no
# EMAIL_TRACK_LINKS: Possible options -
# "None", "HtmlAndText", "HtmlOnly", "TextOnly"
EMAIL_TRACK_LINKS=None
# EMAIL_DELIVERY_TYPE: message stream ID
EMAIL_DELIVERY_TYPE=outbound
EMAIL_VERIFY_TEMPLATE_ID=0
EMAIL_PASS_RECOVER_TEMPLATE_ID=0
EMAIL_UPDATE_VERIFY_TEMPLATE_ID=0
# Default: EMAIL_VERIFY_USE_UUIDv4 = no, EMAIL_VERIFY_CODE_LENGTH is required
# If EMAIL_VERIFY_USE_UUIDv4 = yes, EMAIL_VERIFY_CODE_LENGTH is ignored
EMAIL_VERIFY_USE_UUIDv4=no
EMAIL_VERIFY_CODE_LENGTH=8
# Default: EMAIL_PASS_RECOVER_USE_UUIDv4 = no, EMAIL_PASS_RECOVER_CODE_LENGTH is required
# If EMAIL_PASS_RECOVER_USE_UUIDv4 = yes, EMAIL_PASS_RECOVER_CODE_LENGTH is ignored
EMAIL_PASS_RECOVER_USE_UUIDv4=no
EMAIL_PASS_RECOVER_CODE_LENGTH=12
EMAIL_VERIFY_TAG=emailVerification
EMAIL_PASS_RECOVER_TAG=passwordRecover
EMAIL_HTML_MODEL=product_url:https://github.com/pilinux/gorest;product_name:gorest;company_name:pilinux;company_address:Country
EMAIL_VERIFY_VALIDITY_PERIOD=86400
EMAIL_PASS_RECOVER_VALIDITY_PERIOD=1800