diff --git a/conf/.env.example b/conf/.env.example index ddaa8cd..ae53542 100644 --- a/conf/.env.example +++ b/conf/.env.example @@ -16,20 +16,41 @@ APP_DEBUG=true # This should be your email address -SITE_OWNER=__EMAIL__ +SITE_OWNER=__APP__@__DOMAIN__ # The encryption key for your database and sessions. Keep this very secure. # If you generate a new one all existing data must be considered LOST. -# Change it to a string of exactly 32 chars or use command `php artisan key:generate` to generate it +# +# You can leave this empty if you use `php artisan 2fauth:install`. +# Otherwise, change it to a string of exactly 32 chars or use command +# `php artisan key:generate` to generate it. -APP_KEY=SomeRandomStringOf32CharsExactly +APP_KEY=__KEY__ -# This variable must match your installation's external address but keep in mind that -# it's only used on the command line as a fallback value. +# This variable must match your installation's external address. +# Webauthn won't work otherwise. -APP_URL=http://__DOMAIN__ +APP_URL=https://__DOMAIN__ + + +# If you want to serve js assets from a CDN (like https://cdn.example.com), +# uncomment the following line and set this var with the CDN url. +# Otherwise, let this line commented. + +ASSET_URL=https://__DOMAIN__ + + +# The domain subdirectory from which you want to serve 2FAuth. +# This must reflect the path targeted by APP_URL. +# +# For example, if you set APP_URL=https://mydomain.org/2fa to access 2FAuth from the '/2fa/' subdirectory +# you have to set APP_SUBDIRECTORY=2fa +# +# Leave blank if you serve 2FAuth from the domain root. + +APP_SUBDIRECTORY= # Turn this to true if you want your app to react like a demo. 
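Review bot: `ASSET_URL=https://__DOMAIN__` is written as an active line, yet the comment directly above it says to uncomment it only when assets come from a CDN and "Otherwise, let this line commented"; as committed, every install gets an explicit asset URL pointing at its own domain, which is at best redundant and contradicts the instruction admins will read. Either comment it out, `# ASSET_URL=https://cdn.example.com`, or drop the "let this line commented" sentence. In the same hunk `APP_SUBDIRECTORY=` is blank while `APP_URL=https://__DOMAIN__` carries no path; if the package can be installed under a sub-path, both presumably need the `__PATH__` placeholder (the comment itself says APP_SUBDIRECTORY must reflect the path in APP_URL), otherwise a one-line comment stating that only root installs are supported would make the choice explicit.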
@@ -39,9 +60,9 @@ IS_DEMO_APP=false # The log channel defines where your log entries go to. -# 'daily' is the default logging mode giving you 5 daily rotated log files in /storage/logs/. -# Several other options exist. You can use 'single' for one big fat error log (not recommended). -# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself. +# 'daily' is the default logging mode giving you 7 daily rotated log files in /storage/logs/. +# Also available are 'errorlog', 'syslog', 'stderr', 'papertrail', 'slack' and a 'stack' channel +# to combine multiple channels into a single one. LOG_CHANNEL=daily @@ -51,7 +72,7 @@ LOG_CHANNEL=daily # If you set it to debug your logs will grow large, and fast. If you set it to emergency probably # nothing will get logged, ever. -APP_LOG_LEVEL=notice +LOG_LEVEL=notice # If you're looking for performance improvements, you could install memcached. @@ -63,6 +84,23 @@ FILESYSTEM_DRIVER=local #### Database config & credentials #### +# Supported values for DB_CONNECTION: mysql|pgsql|sqlsrv|sqlite +# mysql => MySQL +# pgsql => PostGreSQL +# sqlsrv => SQL server +# sqlite => SQLite + +# Example for a MySQL database connection +# +# DB_CONNECTION=mysql +# DB_DATABASE=my_2fauth_DB_name +# DB_HOST=127.0.0.1 +# DB_PORT=3306 +# DB_USERNAME=my_2fauth_db_user +# DB_PASSWORD=My_d8_S3cr3t + +# Example for SQLite (linux) +# # DB_CONNECTION=sqlite # DB_DATABASE="path/to/your/database.sqlite" 
@@ -83,17 +121,44 @@ DB_PASSWORD=__DB_PWD__ MAIL_DRIVER=smtp MAIL_HOST=localhost -MAIL_PORT=25 -MAIL_FROM=admin@__DOMAIN__ -MAIL_USERNAME=null -MAIL_PASSWORD=null -MAIL_ENCRYPTION=null -MAIL_FROM_NAME=null -MAIL_FROM_ADDRESS=null +MAIL_PORT=587 +MAIL_FROM=__APP__@__DOMAIN__ +MAIL_USERNAME=__APP__ +MAIL_PASSWORD=__MAIL_PWD__ +MAIL_ENCRYPTION=starttls +#MAIL_FROM_NAME=null +#MAIL_FROM_ADDRESS=null + + +# SSL peer verification. +# Set this to false to disable the SSL certificate validation. +# +# WARNING +# Disabling peer verification can result in a major security flaw. +# Change it only if you know what you're doing. + +MAIL_VERIFY_SSL_PEER=true + + +#### API settings #### + +# The maximum number of API calls in a minute from the same IP. +# Once reached, all requests from this IP will be rejected until the minute has elapsed. +# +# Set to null to disable the API throttling. + +THROTTLE_API=60 #### Authentication settings #### +# The number of times per minute a user can fail to log in before being locked out. +# Once reached, all login attempts will be rejected until the minute has elapsed. +# +# This setting applies to both email/password and webauthn login attemps. + +LOGIN_THROTTLE=5 + # The default authentication guard # # Supported: @@ -107,6 +172,7 @@ MAIL_FROM_ADDRESS=null AUTHENTICATION_GUARD=web-guard + # Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level. # Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...) # (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard') @@ -114,6 +180,7 @@ AUTHENTICATION_GUARD=web-guard AUTH_PROXY_HEADER_FOR_USER=null AUTH_PROXY_HEADER_FOR_EMAIL=null + # Custom logout URL to open when using an auth proxy. PROXY_LOGOUT_URL=null 
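Review bot: `MAIL_HOST=localhost` is now paired with `MAIL_ENCRYPTION=starttls` and `MAIL_VERIFY_SSL_PEER=true`, so the STARTTLS handshake will validate the local MTA's certificate against the name `localhost`; unless that certificate covers it, mail sending fails, and the tempting workaround is exactly the `MAIL_VERIFY_SSL_PEER=false` that the new WARNING block rightly discourages. Pointing the client at the name the certificate is issued for, e.g. `MAIL_HOST=__DOMAIN__`, keeps verification on — worth confirming against how the host's Postfix presents its certificate. Separately, `MAIL_PASSWORD=__MAIL_PWD__` depends on a variable (presumably `$mail_pwd`) that nothing in this diff defines; if it is provisioned by the `allow_email = true` resource added to manifest.toml, a comment above the line saying so would help, since an undefined placeholder presumably stays literal in the rendered .env.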
@@ -121,21 +188,24 @@ PROXY_LOGOUT_URL=null #### WebAuthn settings #### -# Relying Party name, aka the name of the application. If null, defaults to APP_NAME +# Relying Party name, aka the name of the application. +# If blank, defaults to APP_NAME. Do not set to null. WEBAUTHN_NAME=2FAuth + # Relying Party ID. If null, the device will fill it internally. -# See https://webauthn-doc.spomky-labs.com/pre-requisites/the-relying-party#how-to-determine-the-relying-party-id +# See https://webauthn-doc.spomky-labs.com/prerequisites/the-relying-party#how-to-determine-the-relying-party-id WEBAUTHN_ID=null + +# [DEPRECATED] +# Optional image data in BASE64 (128 bytes maximum) or an image url +# See https://webauthn-doc.spomky-labs.com/prerequisites/the-relying-party#relying-party-icon + # WEBAUTHN_ICON=null # [/DEPRECATED] -# Optional image data in BASE64 (128 bytes maximum) or an image url -# See https://webauthn-doc.spomky-labs.com/pre-requisites/the-relying-party#relying-party-icon - -WEBAUTHN_ICON= # Use this setting to control how user verification behave during the # WebAuthn authentication flow. @@ -152,6 +222,23 @@ WEBAUTHN_ICON= WEBAUTHN_USER_VERIFICATION=preferred + +#### SSO settings (for Socialite) #### + +# Uncomment and complete lines for the OAuth providers you want to enable. + +# OPENID_AUTHORIZE_URL= +# OPENID_TOKEN_URL= +# OPENID_USERINFO_URL= +# OPENID_CLIENT_ID= +# OPENID_CLIENT_SECRET= + +# GITHUB_CLIENT_ID= +# GITHUB_CLIENT_SECRET= + + +#### Proxy settings #### + # Use this setting to declare trusted proxied. # Supported: # '*': to trust any proxy 
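Review bot: The new comment on WEBAUTHN_NAME says "If blank, defaults to APP_NAME. Do not set to null." while the neighbouring `WEBAUTHN_ID=null` and `# WEBAUTHN_ICON=null` keep using `null` as the "unset" sentinel, so one section now mixes two conventions without saying why. A single line above WEBAUTHN_NAME, e.g. `# Unlike the keys below, the literal text null is presumably taken as the RP name here; leave the value empty instead.`, would stop an admin from "normalising" it. The new SSO block also tells admins to uncomment and fill `OPENID_CLIENT_SECRET` / `GITHUB_CLIENT_SECRET` directly in this file; since scripts/upgrade in this same commit regenerates .env from the template, that instruction should say where such edits survive an upgrade.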
@@ -159,6 +246,14 @@ WEBAUTHN_USER_VERIFICATION=preferred TRUSTED_PROXIES=null + +# Proxy for outgoing requests like new releases detection or logo fetching. +# You can provide a proxy URL that contains a scheme, username, and password. +# For example, "http://username:password@192.168.16.1:10". + +PROXY_FOR_OUTGOING_REQUESTS=null + + # Leave the following configuration vars as is. # Unless you like to tinker and know what you're doing. @@ -175,7 +270,7 @@ PUSHER_APP_KEY= PUSHER_APP_SECRET= PUSHER_APP_CLUSTER=mt1 -MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}" -MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" +VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}" +VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}" MIX_ENV=local diff --git a/manifest.toml b/manifest.toml index 06890ef..4d705c2 100644 --- a/manifest.toml +++ b/manifest.toml @@ -49,6 +49,7 @@ ram.runtime = "50M" autoupdate.strategy = "latest_github_tag" [resources.system_user] + allow_email = true [resources.install_dir] diff --git a/scripts/install b/scripts/install index 6178fe0..9608fe1 100755 --- a/scripts/install +++ b/scripts/install @@ -26,6 +26,10 @@ ynh_app_setting_set --app=$app --key=fpm_footprint --value=$fpm_footprint ynh_app_setting_set --app=$app --key=fpm_free_footprint --value=$fpm_free_footprint ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage +# key for the .env __KEY__ +key=$(ynh_string_random --length=45 | base64) +ynh_app_setting_set --app=$app --key=key --value=$key + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -61,7 +65,7 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1 # Setup application config ynh_add_config --template=".env.example" --destination="$install_dir/.env" -chmod 644 "$install_dir/.env" +chmod 640 "$install_dir/.env" chown $app:$app "$install_dir/.env" #================================================= 
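Review bot: The value that ends up in the template's `APP_KEY=__KEY__` is produced by `ynh_string_random --length=45 | base64`, i.e. a roughly 60-character base64 string with no `base64:` prefix, while the template's own comment in this commit requires "a string of exactly 32 chars" or the output of `php artisan key:generate`, which this commit stops running at install. Confirm the application's encrypter accepts a key of that length; if not, generate exactly 32 characters (`key=$(ynh_string_random --length=32)`) or emit the `base64:`-prefixed 32-byte form that key:generate produces, and apply the same fix to the identical generator in scripts/upgrade. Persisting it with `ynh_app_setting_set` is the right place for the secret, and the `chmod 640` on .env is a welcome tightening now that the file carries both the key and the mail password.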
@@ -75,7 +79,6 @@ pushd $install_dir php$phpversion artisan passport:install -n php$phpversion artisan storage:link -n php$phpversion artisan config:cache -n - php$phpversion artisan key:generate -n popd chmod 775 "$install_dir" diff --git a/scripts/upgrade b/scripts/upgrade index 379d99c..7cb235b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -38,6 +38,11 @@ if [ -z "${fpm_usage:-}" ]; then ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage fi +if [ -z "${key:-}" ]; then + key=$(ynh_string_random --length=45 | base64) + ynh_app_setting_set --app=$app --key=key --value=$key +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -65,15 +70,13 @@ ynh_add_nginx_config #================================================= # ADD A CONFIGURATION #================================================= -#ynh_script_progression --message="Adding a configuration file..." --weight=1 - -#email=$(ynh_user_get_info --username=$admin --key=mail) +ynh_script_progression --message="Upgrading a configuration file..." --weight=1 # Setup application config -#ynh_add_config --template=".env.example" --destination="$install_dir/.env" +ynh_add_config --template=".env.example" --destination="$install_dir/.env" -#chmod 644 "$install_dir/.env" -#chown $app:$app "$install_dir/.env" +chmod 640 "$install_dir/.env" +chown $app:$app "$install_dir/.env" #================================================= # INSTALL 2FAUTH WITH COMPOSER
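Review bot: On an instance installed before this change, no `key` setting exists, so the new block in the first scripts/upgrade hunk generates a fresh random key and the now-active `ynh_add_config` in the second hunk writes it into .env as APP_KEY, replacing the one `php artisan key:generate` created at install time (that call is removed from scripts/install in this commit); the template's own warning applies, "If you generate a new one all existing data must be considered LOST", which for this app means the stored 2FA secrets. The upgrade should first recover the APP_KEY already present in the installed .env and only fall back to generating one when none is found. This assumes `key` is loaded from the app settings near the top of scripts/upgrade as `fpm_usage` evidently is; that part of the script is outside the diff. The regenerated .env also discards any manual edits the template invites (the SSO section), which deserves at least a mention in the progression message or the template header.

```shell
if [ -z "${key:-}" ]; then
    # Reuse the APP_KEY that `php artisan key:generate` wrote at install time;
    # a new key makes every value encrypted with the old one unreadable.
    key=$(grep -s -E '^APP_KEY=' "$install_dir/.env" | cut -d= -f2-)
    if [ -z "$key" ]; then
        key=$(ynh_string_random --length=45 | base64)
    fi
    ynh_app_setting_set --app=$app --key=key --value=$key
fi
```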