Two config keys were silently ignored by drasl (logged as "unknown config option"), so neither took effect in production: - `DefaultAdminUsernames` is not a drasl option; the correct top-level key is `DefaultAdmins`. With the wrong key, the `admin` user never got promoted — admin-only API routes (e.g. GET /players for the registered-players roster) returned 403. - `CORSAllowOrigins` sat after the `[RegistrationNewPlayer]` table header, so TOML parsed it as `RegistrationNewPlayer.CORSAllowOrigins` (ignored → no CORS headers → landing register/account browser calls blocked). Moved it top-level, before any [Section], with a comment warning against re-nesting. Verified against drasl master configuration.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
51 lines
2.4 KiB
Cheetah
51 lines
2.4 KiB
Cheetah
# Drasl config — password-login mode (NO Keycloak/OIDC for now).
|
|
# TOML only (drasl has no env support). Rendered by tooling/render-config.sh
|
|
# -> drasl/config/config.toml (gitignored). Substitutes ${BASE_DOMAIN} and
|
|
# ${REGISTRATION_REQUIRE_INVITE} (derived from REGISTRATION_MODE in .env).
|
|
# Reached only via Caddy at auth.${BASE_DOMAIN}; drasl has no published host port.
|
|
|
|
# Public scheme is HTTPS — the host nginx terminates TLS in front of caddy.
|
|
# Drasl builds absolute URLs (textures, authlib-injector API location) from this;
|
|
# an http:// value triggers mixed-content + broken login on the https origin.
|
|
BaseURL = "https://auth.${BASE_DOMAIN}"
|
|
Domain = "auth.${BASE_DOMAIN}"
|
|
ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it
|
|
DefaultAdmins = ["admin"]
|
|
|
|
# Password login: admin + guests register a username/password on the web UI.
|
|
AllowPasswordLogin = true
|
|
|
|
# 1.21+ secure-profile fix: MUST pair with server ENFORCE_SECURE_PROFILE=FALSE.
|
|
# Both or neither — mixed auth breaks on MC 1.21+ with SignPublicKeys = true.
|
|
SignPublicKeys = false
|
|
|
|
# Free-text owner label shown in the web UI (a string, not a table).
|
|
ApplicationOwner = "Ulicraft"
|
|
|
|
# CORS: the landing register/account form (served from the apex) calls the
|
|
# Drasl API from the browser. Without this the API has NO CORS headers and the
|
|
# browser blocks every cross-origin call. Scope to the apex only — never "*",
|
|
# which would let any site script the auth API. Echo backfills AllowMethods
|
|
# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization).
|
|
# MUST stay top-level (before any [Section]) — under a table it parses as
|
|
# <table>.CORSAllowOrigins and drasl ignores it (silent: no CORS headers).
|
|
CORSAllowOrigins = ["https://${BASE_DOMAIN}"]
|
|
|
|
# New-account registration (username+password). RequireInvite is derived from
|
|
# REGISTRATION_MODE in .env by render-config.sh: invite -> true, open -> false.
|
|
# When true, non-admin callers (web UI + landing register form) must supply a
|
|
# valid invite code; admins bypass. Mint codes via POST /drasl/api/v2/invites
|
|
# with an admin api token.
|
|
[RegistrationNewPlayer]
|
|
Allow = true
|
|
RequireInvite = ${REGISTRATION_REQUIRE_INVITE}
|
|
|
|
# Rate limit the now public-facing API (anonymous POST /users etc). Token
|
|
# bucket; admins are exempt. Conservative for a 4-10 player server.
|
|
[RateLimit]
|
|
RequestsPerSecond = 5
|
|
Burst = 10
|
|
|
|
# OIDC block intentionally omitted for now (no Keycloak).
|
|
# [[RegistrationOIDC]] <- future task
|