Add authentication, user management, and database migration features
- Implement OAuth 2.0 and PAT authentication methods
- Add user management, roles, and profile functionality
- Add database migrations and admin user scripts
- Update services for authentication and user settings
- Add protected routes and permission hooks
- Update documentation for authentication and database access
141
docs/AUTHENTICATION-ENV-VARS.md
Normal file
@@ -0,0 +1,141 @@
# Authentication System Environment Variables

This document describes the new environment variables required for the authentication and authorization system.

## Application Branding

```env
# Application name displayed throughout the UI
APP_NAME=CMDB Insight

# Application tagline/subtitle displayed in header and login pages
APP_TAGLINE=Management console for Jira Assets

# Copyright text displayed in the footer (use {year} as placeholder for current year)
APP_COPYRIGHT=© {year} Zuyderland Medisch Centrum
```

**Note:** The `{year}` placeholder in `APP_COPYRIGHT` will be automatically replaced with the current year. If not set, defaults to `© {current_year} Zuyderland Medisch Centrum`.

## Email Configuration (Nodemailer)

```env
# SMTP Configuration
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@example.com
SMTP_PASSWORD=your-password
SMTP_FROM=noreply@example.com
```

## Encryption

```env
# Encryption Key (32 bytes, base64 encoded)
# Generate with: openssl rand -base64 32
ENCRYPTION_KEY=your-32-byte-encryption-key-base64
```

## Local Authentication

```env
# Enable local authentication (email/password)
LOCAL_AUTH_ENABLED=true

# Allow public registration (optional, default: false)
REGISTRATION_ENABLED=false
```

## Password Requirements

```env
# Password minimum length
PASSWORD_MIN_LENGTH=8

# Password complexity requirements
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false
```

## Session Configuration

```env
# Session duration in hours
SESSION_DURATION_HOURS=24
```

## Initial Admin User

```env
# Create initial administrator user (optional)
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=SecurePassword123!
ADMIN_USERNAME=admin
ADMIN_DISPLAY_NAME=Administrator
```

## Complete Example

```env
# Email Configuration
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_FROM=noreply@example.com

# Encryption
ENCRYPTION_KEY=$(openssl rand -base64 32)

# Local Auth
LOCAL_AUTH_ENABLED=true
REGISTRATION_ENABLED=false

# Password Requirements
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBER=true
PASSWORD_REQUIRE_SPECIAL=false

# Session
SESSION_DURATION_HOURS=24

# Initial Admin
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=ChangeMe123!
ADMIN_USERNAME=admin
ADMIN_DISPLAY_NAME=Administrator
```

## Important Notes

### User-Specific Configuration (REMOVED from ENV)

The following environment variables have been **REMOVED** from the codebase and are **NOT** configurable via environment variables:

- `JIRA_PAT`: **Configure in User Settings > Jira PAT**
- `ANTHROPIC_API_KEY`: **Configure in User Settings > AI Settings**
- `OPENAI_API_KEY`: **Configure in User Settings > AI Settings**
- `TAVILY_API_KEY`: **Configure in User Settings > AI Settings**

**These are now user-specific settings only.** Each user must configure their own API keys in their profile settings. This provides:
- Better security (keys not in shared config files)
- Per-user API key management
- Individual rate limiting per user
- Better audit trails
- Encrypted storage in the database

### Required Configuration

- `SESSION_SECRET`: Should be a secure random string in production (generate with `openssl rand -base64 32`)
- `ENCRYPTION_KEY`: Must be exactly 32 bytes when base64 decoded (generate with `openssl rand -base64 32`)
- `JIRA_SCHEMA_ID`: Required for Jira Assets integration

### Application Branding

- The `{year}` placeholder in `APP_COPYRIGHT` will be automatically replaced with the current year
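Review bot: In the Complete Example, `ENCRYPTION_KEY=$(openssl rand -base64 32)` will not produce a usable key: dotenv-style loaders do not perform shell command substitution, so the application receives the literal string `$(openssl rand -base64 32)`, which does not base64-decode to exactly 32 bytes as the Required Configuration list demands. Replace it with a value generated once out of band and pasted in (e.g. `ENCRYPTION_KEY=<paste output of openssl rand -base64 32>`), and consider having startup fail fast when the decoded key length is not 32 bytes. Two smaller points in the same hunk: `SESSION_SECRET` and `JIRA_SCHEMA_ID` are listed under Required Configuration but appear in none of the `env` blocks, including the Complete Example, so a reader who copies that example will miss them; and the Initial Admin User section should state whether `ADMIN_PASSWORD` is consumed only on first run and can be removed afterwards, since a bootstrap password left in `.env` is a standing secret.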