
chore: add OAuth config and dependencies

- Add OAuth and Universal Links env vars to example
- Update go.mod/go.sum with required dependencies

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

+118 -11
+111 -11
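--- a/.env.prod.example
+++ b/.env.prod.example
@@ -9,9 +9,15 @@
 POSTGRES_USER=coves_user
 POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE
 
+# Full connection string (alternative to individual vars above)
+# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require
+
 # =============================================================================
 # PDS (Personal Data Server)
 # =============================================================================
+# PDS URL for XRPC calls
+PDS_URL=https://pds.coves.social
+
 # Generate with: openssl rand -hex 32
 PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS
 
@@ -22,9 +28,29 @@
 # Generate with: openssl rand -hex 32
 PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS
 
+# Coves instance PDS account (for creating community records)
+PDS_INSTANCE_HANDLE=coves.social
+PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD
+
 # Optional: Email configuration for account recovery
 # PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
-# PDS_EMAIL_FROM_ADDRESS=noreply@coves.me
+# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social
+
+# =============================================================================
+# Identity & Federation
+# =============================================================================
+# PLC Directory URL for DID resolution
+# Defaults to https://plc.directory if not set
+# PLC_DIRECTORY_URL=https://plc.directory
+
+# Instance DID (did:web or did:plc)
+INSTANCE_DID=did:web:coves.social
+
+# Instance domain (required if not using did:web)
+# INSTANCE_DOMAIN=coves.social
+
+# Identity cache TTL (Go duration format)
+# IDENTITY_CACHE_TTL=5m
 
 # =============================================================================
 # JWT Authentication
@@ -43,41 +69,115 @@
 #
 # HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256
 # These PDSes MUST share the same PDS_JWT_SECRET with Coves
-# Example: HS256_ISSUERS=https://pds.coves.social,https://pds.example.com
-HS256_ISSUERS=https://pds.coves.me
-
-# PLC Directory URL for DID resolution (optional)
-# Defaults to https://plc.directory if not set
-# PLC_DIRECTORY_URL=https://plc.directory
+HS256_ISSUERS=https://pds.coves.social
 
 # Skip JWT signature verification (DEVELOPMENT ONLY!)
 # Set to false in production for proper security
 AUTH_SKIP_VERIFY=false
 
 # =============================================================================
-# AppView OAuth (for mobile app authentication)
+# OAuth Configuration
 # =============================================================================
-OAUTH_CLIENT_ID=https://coves.social/client-metadata.json
+# AppView public URL (used for OAuth callback and client metadata)
+APPVIEW_PUBLIC_URL=https://coves.social
+
+# OAuth client ID (usually your client-metadata.json URL)
+OAUTH_CLIENT_ID=https://coves.social/oauth/client-metadata.json
+
+# OAuth callback URI
 OAUTH_REDIRECT_URI=https://coves.social/oauth/callback
 
 # Generate EC P-256 private key in JWK format
 # See: https://atproto.com/specs/oauth#client-metadata
+# Generate with: go run cmd/genjwks/main.go
 OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}
 
+# Seal secret for encrypting mobile session tokens (AES-256-GCM)
+# Generate with: openssl rand -base64 32
+OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES
+
+# Optional: OAuth client secret and key ID (for confidential clients)
+# OAUTH_CLIENT_SECRET=
+# OAUTH_CLIENT_KID=
+
 # =============================================================================
-# AppView Encryption
+# Mobile Universal Links & App Links
+# =============================================================================
+# Required for iOS Universal Links
+# Format: <Team ID>.<Bundle ID>
+# Find Team ID: Apple Developer Portal -> Membership
+# Find Bundle ID: Xcode project -> General -> Bundle Identifier
+APPLE_APP_ID=ABCD1234EF.social.coves.app
+
+# Required for Android App Links
+# Format: Android package name (reverse domain notation)
+ANDROID_PACKAGE_NAME=social.coves.app
+
+# SHA-256 fingerprint of your Android app's signing certificate
+# Get with: keytool -list -v -keystore release.jks -alias release
+# Format: 64 hex characters with colons (AA:BB:CC:...)
+ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00
+
+# =============================================================================
+# Security & Encryption
 # =============================================================================
 # For encrypting community credentials in database
 # Generate with: openssl rand -base64 32
 ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY
 
+# Secret for HMAC signing of pagination cursors
+# Generate with: openssl rand -base64 32
+CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET
+
+# Optional: Restrict community creation to specific DIDs
+# Comma-separated list. If not set, any authenticated user can create communities.
+# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456
+
+# =============================================================================
+# Jetstream Configuration (Real-time Event Indexing)
+# =============================================================================
+# User profile indexing
+JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile
+
+# Optional: Filter Jetstream events to specific PDS
+# JETSTREAM_PDS_FILTER=pds.coves.social
+
+# Community event indexing (profiles and subscriptions)
+# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
+
+# Post indexing
+# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
+
+# Vote indexing
+# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
+
+# Comment indexing
+# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
+
+# Aggregator indexing
+# AGGREGATOR_JETSTREAM_URL=
+
 # =============================================================================
 # Cloudflare (for wildcard SSL certificates)
 # =============================================================================
 # Required for *.coves.social wildcard certificate
-# Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
+# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
 # Template: "Edit zone DNS" with permissions for coves.social zone
 CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN
+
+# =============================================================================
+# Server Configuration
+# =============================================================================
+# HTTP server port
+PORT=8080
+
+# Environment
+ENV=production
+IS_DEV_ENV=false
+
+# Skip did:web domain verification (DEVELOPMENT ONLY!)
+# MUST be false in production to prevent domain spoofing
+SKIP_DID_WEB_VERIFICATION=false
 
 # =============================================================================
 # Optional: Versioning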
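Review bot: `APPLE_APP_ID=ABCD1234EF.social.coves.app` and the `ANDROID_SHA256_FINGERPRINT=AA:BB:CC:...` line in the new Universal Links block are the only values in this file whose placeholders look like real data rather than the `CHANGE_ME_...` convention used for `PDS_JWT_SECRET`, `OAUTH_SEAL_SECRET` and `CURSOR_SECRET`, so a copied config would pass a format check while binding App Links to a team and signing certificate nobody owns; prefer `APPLE_APP_ID=CHANGE_ME_TEAM_ID.social.coves.app` and `ANDROID_SHA256_FINGERPRINT=CHANGE_ME_SHA256_FINGERPRINT`. The Server Configuration block sets both `ENV=production` and `IS_DEV_ENV=false`, and nothing in the example says which one the code consults or what happens when they disagree; a comment such as `# ENV and IS_DEV_ENV must agree (confirm which one the config loader reads)` would keep a half-edited pair from shipping. `PDS_INSTANCE_PASSWORD` is a long-lived account credential with no scope guidance in its comment; if the PDS supports app passwords, the comment should say to use one rather than the main account password.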
+2
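--- a/go.mod
+++ b/go.mod
@@ -27,10 +27,12 @@
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 github.com/earthboundkid/versioninfo/v2 v2.24.1 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
+github.com/go-chi/cors v1.2.2 // indirect
 github.com/go-logr/logr v1.4.1 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/goccy/go-json v0.10.2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+github.com/google/go-querystring v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
 github.com/hashicorp/golang-lru v1.0.2 // indirect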
+5
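--- a/go.sum
+++ b/go.sum
@@ -21,6 +21,8 @@
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
+github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -33,8 +35,11 @@
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=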