From 97347693b606f303871650e84313db4185420c8a Mon Sep 17 00:00:00 2001 From: Oier Bravo Urtasun Date: Wed, 10 Jun 2026 18:34:48 +0200 Subject: [PATCH] fix(drasl): correct admin key + CORS placement in config template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two config keys were silently ignored by drasl (logged as "unknown config option"), so neither took effect in production: - `DefaultAdminUsernames` is not a drasl option; the correct top-level key is `DefaultAdmins`. With the wrong key, the `admin` user never got promoted — admin-only API routes (e.g. GET /players for the registered-players roster) returned 403. - `CORSAllowOrigins` sat after the `[RegistrationNewPlayer]` table header, so TOML parsed it as `RegistrationNewPlayer.CORSAllowOrigins` (ignored → no CORS headers → landing register/account browser calls blocked). Moved it top-level, before any [Section], with a comment warning against re-nesting. Verified against drasl master configuration.md. Co-Authored-By: Claude Opus 4.8 --- drasl/config/config.toml.tmpl | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/drasl/config/config.toml.tmpl b/drasl/config/config.toml.tmpl index e4ac38f..5d85f15 100644 --- a/drasl/config/config.toml.tmpl +++ b/drasl/config/config.toml.tmpl @@ -10,7 +10,7 @@ BaseURL = "https://auth.${BASE_DOMAIN}" Domain = "auth.${BASE_DOMAIN}" ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it -DefaultAdminUsernames = ["admin"] +DefaultAdmins = ["admin"] # Password login: admin + guests register a username/password on the web UI. AllowPasswordLogin = true @@ -22,6 +22,15 @@ SignPublicKeys = false # Free-text owner label shown in the web UI (a string, not a table). ApplicationOwner = "Ulicraft" +# CORS: the landing register/account form (served from the apex) calls the +# Drasl API from the browser. Without this the API has NO CORS headers and the +# browser blocks every cross-origin call. Scope to the apex only — never "*", +# which would let any site script the auth API. Echo backfills AllowMethods +# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). +# MUST stay top-level (before any [Section]) — under a table it parses as +# .CORSAllowOrigins and drasl ignores it (silent: no CORS headers). +CORSAllowOrigins = ["https://${BASE_DOMAIN}"] + # New-account registration (username+password). RequireInvite is derived from # REGISTRATION_MODE in .env by render-config.sh: invite -> true, open -> false. # When true, non-admin callers (web UI + landing register form) must supply a @@ -31,13 +40,6 @@ ApplicationOwner = "Ulicraft" Allow = true RequireInvite = ${REGISTRATION_REQUIRE_INVITE} -# CORS: the landing register/account form (served from the apex) calls the -# Drasl API from the browser. Without this the API has NO CORS headers and the -# browser blocks every cross-origin call. Scope to the apex only — never "*", -# which would let any site script the auth API. Echo backfills AllowMethods -# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). -CORSAllowOrigins = ["https://${BASE_DOMAIN}"] - # Rate limit the now public-facing API (anonymous POST /users etc). Token # bucket; admins are exempt. Conservative for a 4-10 player server. [RateLimit]