dragonflight/.env.example

# Database Configuration
POSTGRES_DB=wilddragon
POSTGRES_USER=wilddragon
POSTGRES_PASSWORD=changeme

# Database Connection
DATABASE_URL=postgres://wilddragon:changeme@db:5432/wilddragon

# Redis Configuration
REDIS_URL=redis://queue:6379

# S3 Configuration
S3_ENDPOINT=https://broadcastmgmt.cloud
S3_BUCKET=wild-dragon
S3_ACCESS_KEY=changeme
S3_SECRET_KEY=changeme
S3_REGION=us-east-1

# Session Configuration
SESSION_SECRET=changeme

# MAM API Configuration
MAM_API_URL=http://mam-api:3000

# Auth — default to ON in production. Setting to 'false' is a dev-only escape
# hatch that disables all auth checks and attaches a synthetic 'dev' user to
# every request. Never run with AUTH_ENABLED=false on a network you don't control.
#
# RBAC v2 note: with AUTH_ENABLED=true, per-project access is enforced. Service
# API tokens (capture sidecar, Premiere panel, integrations) must belong to a
# user with the access they need — an 'admin' user (full access), or a user with
# the right project grants. A non-admin service token with no grants will get
# 403 on asset registration (ingest) and streaming. In dev mode the synthetic
# user is admin, so this only matters once auth is on.
AUTH_ENABLED=true

# CORS allowlist — comma-separated origins that may carry credentials to the API.
# Same-origin requests via the nginx reverse proxy do not need to be listed here.
# Leave empty to allow any origin (DEV ONLY).
ALLOWED_ORIGINS=

# Reverse-proxy trust — set 'true' when the API sits behind nginx terminating HTTPS,
# so secure-cookie + X-Forwarded-Proto behave correctly. ALSO required for accurate
# per-IP login rate-limiting (otherwise req.ip is always the nginx IP).
TRUST_PROXY=false

# Google OAuth (OIDC) sign-in — OPTIONAL. Leave the client id/secret blank to
# disable; the "Sign in with Google" button and the /auth/google routes only
# activate when all three of CLIENT_ID, CLIENT_SECRET, and REDIRECT_URL are set.
# Create an OAuth 2.0 Client (type: Web application) in Google Cloud Console and
# add OAUTH_REDIRECT_URL to its authorized redirect URIs.
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
# Must exactly match a redirect URI on the OAuth client, e.g.
# https://dragonflight.live/api/v1/auth/google/callback
OAUTH_REDIRECT_URL=
# Restrict sign-in to one Google Workspace domain (recommended). First login from
# an allowed-domain account auto-provisions a NEW 'viewer' account (matched only
# by Google's stable subject id, never by email — so a Google login can never
# seize a pre-existing local account). An admin then grants project access.
# Leave blank to allow any verified Google account to self-provision (NOT advised).
GOOGLE_ALLOWED_DOMAIN=
# Note: if a Google-linked account also has TOTP enabled, sign-in still requires
# the authenticator code (Google is treated as the first factor). Accounts without
# TOTP complete sign-in in one Google step.

# Playout / Master Control (MCR)
# Image tag the mam-api spawns when a channel starts. Build with:
#   docker compose --profile build-only build playout
PLAYOUT_IMAGE=wild-dragon-playout:latest
# Base AMCP port — each channel binds to BASE + channel_id (in CasparCG terms).
PLAYOUT_AMCP_BASE_PORT=5250
add .env.example 2026-04-07 21:58:17 -04:00			`# Database Configuration`
			`POSTGRES_DB=wilddragon`
			`POSTGRES_USER=wilddragon`
			`POSTGRES_PASSWORD=changeme`

			`# Database Connection`
			`DATABASE_URL=postgres://wilddragon:changeme@db:5432/wilddragon`

			`# Redis Configuration`
			`REDIS_URL=redis://queue:6379`

			`# S3 Configuration`
			`S3_ENDPOINT=https://broadcastmgmt.cloud`
			`S3_BUCKET=wild-dragon`
			`S3_ACCESS_KEY=changeme`
			`S3_SECRET_KEY=changeme`
fix(infra+workers): S3 creds, ffprobe, BullMQ awaits, thumbnail seek, bin optional, docker-compose vars, jobs Redis, recorders stop codes: .env.example 2026-05-16 00:29:45 -04:00			`S3_REGION=us-east-1`
add .env.example 2026-04-07 21:58:17 -04:00
			`# Session Configuration`
			`SESSION_SECRET=changeme`

			`# MAM API Configuration`
			`MAM_API_URL=http://mam-api:3000`
fix(infra+workers): S3 creds, ffprobe, BullMQ awaits, thumbnail seek, bin optional, docker-compose vars, jobs Redis, recorders stop codes: .env.example 2026-05-16 00:29:45 -04:00
docs(auth): flip AUTH_ENABLED default + document setup + recovery 2026-05-27 15:25:29 -04:00			`# Auth — default to ON in production. Setting to 'false' is a dev-only escape`
			`# hatch that disables all auth checks and attaches a synthetic 'dev' user to`
			`# every request. Never run with AUTH_ENABLED=false on a network you don't control.`
feat(mam-api,web-ui): per-project RBAC (v2 auth layer) Adds per-project access control on top of the flat v1 auth. admin keeps global access; editor/viewer are scoped to projects granted to them (direct or via group) at view (read-only) or edit (read-write) level. - migration 026: project_access table + access_level enum - src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/ assertProjectAccess - requireAdmin middleware; admin-gate /users, /auth/users, /groups - enforce scoping on projects, assets, bins (list filter + per-resource view/edit + create checks); gate bulk asset maintenance + batch-trim - grant API: GET/POST/DELETE /projects/:id/access - web-ui: hide admin nav for non-admins, admin-route bounce, project "Manage access" modal, rewrite Policies tab - tests: authz, project-access, assets-access (node:test, skip w/o DB) - deferred routers carry TODO(authz) markers; .env.example documents the service-token-needs-admin/grants requirement Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-29 22:37:36 -04:00			`#`
			`# RBAC v2 note: with AUTH_ENABLED=true, per-project access is enforced. Service`
			`# API tokens (capture sidecar, Premiere panel, integrations) must belong to a`
			`# user with the access they need — an 'admin' user (full access), or a user with`
			`# the right project grants. A non-admin service token with no grants will get`
			`# 403 on asset registration (ingest) and streaming. In dev mode the synthetic`
			`# user is admin, so this only matters once auth is on.`
docs(auth): flip AUTH_ENABLED default + document setup + recovery 2026-05-27 15:25:29 -04:00			`AUTH_ENABLED=true`

			`# CORS allowlist — comma-separated origins that may carry credentials to the API.`
			`# Same-origin requests via the nginx reverse proxy do not need to be listed here.`
			`# Leave empty to allow any origin (DEV ONLY).`
			`ALLOWED_ORIGINS=`

			`# Reverse-proxy trust — set 'true' when the API sits behind nginx terminating HTTPS,`
			`# so secure-cookie + X-Forwarded-Proto behave correctly. ALSO required for accurate`
			`# per-IP login rate-limiting (otherwise req.ip is always the nginx IP).`
			`TRUST_PROXY=false`
feat(mam-api,web-ui): Google OAuth (OIDC) sign-in Optional "Sign in with Google" with auto-provisioning, fully config-gated: without GOOGLE_CLIENT_ID/SECRET and OAUTH_REDIRECT_URL the routes 404 and the button is hidden, so deployments without SSO are unaffected. - migration 028: users.google_sub (unique) + email; password_hash nullable for OAuth-only accounts - src/auth/google-oauth.js: lazy google-auth-library, ID-token verify, GOOGLE_ALLOWED_DOMAIN enforcement, requires email_verified === true - auth routes: /auth/google (state-CSRF redirect), /auth/google/callback, /auth/google/enabled; reuses establishSession - web-ui: "Sign in with Google" on the login screen (shown only when enabled), friendly callback error handling - .env.example documents all new vars Security hardening (from review of this + the TOTP work): - resolveGoogleUser links ONLY by google_sub, never by email — a Google login can never seize a pre-existing local account (account-takeover fix) - a Google-linked account with TOTP still requires the second factor (ticket in session, /?mfa=1 step) instead of bypassing it - /login/totp now applies the per-IP login backoff - recovery-code consumption is atomic (WHERE used_at IS NULL + rowCount) - concurrent first-login race on google_sub is caught and re-resolved - tests: google-oauth config helpers + google-link takeover/dedup regression Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-29 22:51:59 -04:00
			`# Google OAuth (OIDC) sign-in — OPTIONAL. Leave the client id/secret blank to`
			`# disable; the "Sign in with Google" button and the /auth/google routes only`
			`# activate when all three of CLIENT_ID, CLIENT_SECRET, and REDIRECT_URL are set.`
			`# Create an OAuth 2.0 Client (type: Web application) in Google Cloud Console and`
			`# add OAUTH_REDIRECT_URL to its authorized redirect URIs.`
			`GOOGLE_CLIENT_ID=`
			`GOOGLE_CLIENT_SECRET=`
			`# Must exactly match a redirect URI on the OAuth client, e.g.`
			`# https://dragonflight.live/api/v1/auth/google/callback`
			`OAUTH_REDIRECT_URL=`
			`# Restrict sign-in to one Google Workspace domain (recommended). First login from`
			`# an allowed-domain account auto-provisions a NEW 'viewer' account (matched only`
			`# by Google's stable subject id, never by email — so a Google login can never`
			`# seize a pre-existing local account). An admin then grants project access.`
			`# Leave blank to allow any verified Google account to self-provision (NOT advised).`
			`GOOGLE_ALLOWED_DOMAIN=`
			`# Note: if a Google-linked account also has TOTP enabled, sign-in still requires`
			`# the authenticator code (Google is treated as the first factor). Accounts without`
			`# TOTP complete sign-in in one Google step.`
build(playout): compose wiring + .env knobs - Add /mnt/NVME/MAM/wild-dragon-media:/media to mam-api (rw) and worker-p4 (rw); web-ui (ro, for serving HLS preview segments). - worker-p4 WORKER_QUEUES gains 'playout-stage' so master-tier nodes pick up the loudnorm stage jobs (they already have ffmpeg + the media mount). - New build-only 'playout' service with profile ["build-only"] so `docker compose --profile build-only build playout` produces the wild-dragon-playout:latest image without compose trying to up it as a long-running service. mam-api spawns these on demand. - mam-api env adds PLAYOUT_IMAGE + PLAYOUT_AMCP_BASE_PORT (5250 default). - .env.example: PLAYOUT_IMAGE, PLAYOUT_AMCP_BASE_PORT. 2026-05-30 09:18:16 -04:00
			`# Playout / Master Control (MCR)`
			`# Image tag the mam-api spawns when a channel starts. Build with:`
			`# docker compose --profile build-only build playout`
			`PLAYOUT_IMAGE=wild-dragon-playout:latest`
			`# Base AMCP port — each channel binds to BASE + channel_id (in CasparCG terms).`
			`PLAYOUT_AMCP_BASE_PORT=5250`