diff --git a/drasl/config/config.toml.tmpl b/drasl/config/config.toml.tmpl index e4ac38f..5d85f15 100644 --- a/drasl/config/config.toml.tmpl +++ b/drasl/config/config.toml.tmpl @@ -10,7 +10,7 @@ BaseURL = "https://auth.${BASE_DOMAIN}" Domain = "auth.${BASE_DOMAIN}" ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it -DefaultAdminUsernames = ["admin"] +DefaultAdmins = ["admin"] # Password login: admin + guests register a username/password on the web UI. AllowPasswordLogin = true @@ -22,6 +22,15 @@ SignPublicKeys = false # Free-text owner label shown in the web UI (a string, not a table). ApplicationOwner = "Ulicraft" +# CORS: the landing register/account form (served from the apex) calls the +# Drasl API from the browser. Without this the API has NO CORS headers and the +# browser blocks every cross-origin call. Scope to the apex only — never "*", +# which would let any site script the auth API. Echo backfills AllowMethods +# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). +# MUST stay top-level (before any [Section]) — under a table it parses as +# .CORSAllowOrigins and drasl ignores it (silent: no CORS headers). +CORSAllowOrigins = ["https://${BASE_DOMAIN}"] + # New-account registration (username+password). RequireInvite is derived from # REGISTRATION_MODE in .env by render-config.sh: invite -> true, open -> false. # When true, non-admin callers (web UI + landing register form) must supply a @@ -31,13 +40,6 @@ ApplicationOwner = "Ulicraft" Allow = true RequireInvite = ${REGISTRATION_REQUIRE_INVITE} -# CORS: the landing register/account form (served from the apex) calls the -# Drasl API from the browser. Without this the API has NO CORS headers and the -# browser blocks every cross-origin call. Scope to the apex only — never "*", -# which would let any site script the auth API. Echo backfills AllowMethods -# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). -CORSAllowOrigins = ["https://${BASE_DOMAIN}"] - # Rate limit the now public-facing API (anonymous POST /users etc). Token # bucket; admins are exempt. Conservative for a 4-10 player server. [RateLimit]