e903b03afe
- README:已落地补「浏览器免重登 + PWA」一项;prod 配置清单新增 CDROP_SESSION_SECRET(prod 强制非空,缺则拒启动) - .env.example、docker/compose.snippet.yaml:补 CDROP_SESSION_SECRET 模板项
34 lines
1.6 KiB
Bash
34 lines
1.6 KiB
Bash
# dev 模式(本机开发,brief 实施原则 5)
|
||
# 二者必须同时设置;后端启动期校验,缺一即 panic
|
||
CDROP_AUTH_MODE=dev
|
||
CDROP_DEV_TOKEN=replace-with-32-byte-random-base64
|
||
|
||
# prod 模式所需(填入你的 OIDC provider,如自建 Casdoor / Keycloak)
|
||
# CDROP_AUTH_MODE=prod
|
||
# CDROP_OIDC_AUTHORIZE_URL=https://your-idp.example/login/oauth/authorize
|
||
# CDROP_OIDC_TOKEN_URL=https://your-idp.example/api/login/oauth/access_token
|
||
# CDROP_OIDC_JWKS_URL=https://your-idp.example/.well-known/jwks
|
||
# CDROP_OIDC_ISSUER=https://your-idp.example/
|
||
# prod 强制非空:填你的 OAuth client_id(多值逗号分隔,web + 桌面端共用时填同一个)
|
||
# CDROP_OIDC_AUDIENCE=your-client-id
|
||
# CDROP_OIDC_CLIENT_ID=your-client-id
|
||
# CDROP_OIDC_REDIRECT_URI=https://your-domain.example/oauth/callback
|
||
# CDROP_OIDC_SCOPES=openid profile email
|
||
# prod 强制非空:浏览器免重登会话的 refresh_token 落盘加密密钥(任意长度高熵串,
|
||
# 内部 SHA-256 派生为 32 字节 AES-256 密钥)。留空则 prod 启动期校验失败、拒启动。
|
||
# CDROP_SESSION_SECRET=
|
||
# CDROP_HS256_SECRET=
|
||
# CDROP_TURN_URL=stun:your-stun.example:3478
|
||
|
||
# 通用
|
||
CDROP_DB_PATH=./cdrop.db
|
||
CDROP_LISTEN=:8080
|
||
# Device row max age (sliding via auth-middleware UPSERT and SSE keepalive).
|
||
# Bound by brief §2 refresh_token sliding window (196h ≈ 8 days). Default 196.
|
||
CDROP_DEVICE_TTL_HOURS=196
|
||
|
||
# Cloudflare Realtime TURN(可选;不配则 /api/calls/credentials 返回 STUN-only fallback)。
|
||
# 申请:dash.cloudflare.com → Realtime → TURN → "Create TURN App",拿到 Key ID 与 API Token。
|
||
# CDROP_CF_TURN_KEY_ID=
|
||
# CDROP_CF_TURN_API_TOKEN=
|