A community based topic aggregation platform built on atproto

chore: clean up OAuth env vars and add seal secret to dev

- Remove unused OAUTH_CLIENT_ID, OAUTH_REDIRECT_URI, OAUTH_PRIVATE_JWK from .env.prod.example
- Add OAUTH_SEAL_SECRET to .env.dev for local development
- Clarify that OAUTH_SEAL_SECRET is required, client secret/kid are optional

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

+9 -14
+5
.env.dev
··· 115 115 # Also supports base64: prefix for consistency 116 116 OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d 117 117 118 + # Seal secret for OAuth session tokens (AES-256-GCM encryption) 119 + # Generate with: openssl rand -base64 32 120 + # This must be 32 bytes when base64-decoded for AES-256 121 + # OAUTH_SEAL_SECRET=ryW6xNVxYhP6hCDA90NGCmK58Q2ONnkYXbHL0oZN2no= 122 + 118 123 # AppView public URL (used for OAuth callback and client metadata) 119 124 # Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252) 120 125 # Prod: https://coves.social
+4 -14
.env.prod.example
··· 81 81 # AppView public URL (used for OAuth callback and client metadata) 82 82 APPVIEW_PUBLIC_URL=https://coves.social 83 83 84 - # OAuth client ID (usually your client-metadata.json URL) 85 - OAUTH_CLIENT_ID=https://coves.social/oauth/client-metadata.json 86 - 87 - # OAuth callback URI 88 - OAUTH_REDIRECT_URI=https://coves.social/oauth/callback 89 - 90 - # Generate EC P-256 private key in JWK format 91 - # See: https://atproto.com/specs/oauth#client-metadata 92 - # Generate with: go run cmd/genjwks/main.go 93 - OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."} 94 - 95 - # Seal secret for encrypting mobile session tokens (AES-256-GCM) 96 - # Generate with: openssl rand -base64 32 84 + # Seal secret for encrypting session tokens (AES-256-GCM) 85 + # REQUIRED - Generate with: openssl rand -base64 32 97 86 OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES 98 87 99 - # Optional: OAuth client secret and key ID (for confidential clients) 88 + # Optional: OAuth client secret and key ID (for confidential clients only) 89 + # Most deployments use public clients and don't need these 100 90 # OAUTH_CLIENT_SECRET= 101 91 # OAUTH_CLIENT_KID= 102 92
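Review bot: In the .env.dev hunk, the added line 121 is commented out (`# OAUTH_SEAL_SECRET=`), so the file still does not set the variable, although the commit message says it adds OAUTH_SEAL_SECRET for local development and .env.prod.example now marks it REQUIRED. Uncomment it if local development is meant to work with this file as shipped. Because the value would then be a key committed to the repository, the comment above it should say that it is for local development only and must not be reused in any other environment.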
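Review bot: In the .env.prod.example hunk, the new comment on lines 84-85 says REQUIRED but leaves out the length constraint that the .env.dev comment spells out ("This must be 32 bytes when base64-decoded for AES-256"). Repeat that sentence here, since an operator who generates the value some other way than the openssl command has nothing else to go on. The placeholder `OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES` remains an active assignment, so it is also worth confirming that startup refuses it, and any value that does not decode to 32 bytes, rather than running with it.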