diff --git a/drasl/config/config.toml.tmpl b/drasl/config/config.toml.tmpl index e4ac38f..5d85f15 100644 --- a/drasl/config/config.toml.tmpl +++ b/drasl/config/config.toml.tmpl @@ -10,7 +10,7 @@ BaseURL = "https://auth.${BASE_DOMAIN}" Domain = "auth.${BASE_DOMAIN}" ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it -DefaultAdminUsernames = ["admin"] +DefaultAdmins = ["admin"] # Password login: admin + guests register a username/password on the web UI. AllowPasswordLogin = true @@ -22,6 +22,15 @@ SignPublicKeys = false # Free-text owner label shown in the web UI (a string, not a table). ApplicationOwner = "Ulicraft" +# CORS: the landing register/account form (served from the apex) calls the +# Drasl API from the browser. Without this the API has NO CORS headers and the +# browser blocks every cross-origin call. Scope to the apex only — never "*", +# which would let any site script the auth API. Echo backfills AllowMethods +# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). +# MUST stay top-level (before any [Section]) — under a table it parses as +#