2026-04-07 21:58:17 -04:00
|
|
|
# Database Configuration
|
|
|
|
|
POSTGRES_DB=wilddragon
|
|
|
|
|
POSTGRES_USER=wilddragon
|
|
|
|
|
POSTGRES_PASSWORD=changeme
|
|
|
|
|
|
|
|
|
|
# Database Connection
|
|
|
|
|
DATABASE_URL=postgres://wilddragon:changeme@db:5432/wilddragon
|
|
|
|
|
|
|
|
|
|
# Redis Configuration
|
|
|
|
|
REDIS_URL=redis://queue:6379
|
|
|
|
|
|
|
|
|
|
# S3 Configuration
|
|
|
|
|
S3_ENDPOINT=https://broadcastmgmt.cloud
|
|
|
|
|
S3_BUCKET=wild-dragon
|
|
|
|
|
S3_ACCESS_KEY=changeme
|
|
|
|
|
S3_SECRET_KEY=changeme
|
2026-05-16 00:29:45 -04:00
|
|
|
S3_REGION=us-east-1
|
2026-04-07 21:58:17 -04:00
|
|
|
|
|
|
|
|
# Session Configuration
|
|
|
|
|
SESSION_SECRET=changeme
|
|
|
|
|
|
|
|
|
|
# MAM API Configuration
|
|
|
|
|
MAM_API_URL=http://mam-api:3000
|
2026-05-16 00:29:45 -04:00
|
|
|
|
2026-05-27 15:25:29 -04:00
|
|
|
# Auth — default to ON in production. Setting to 'false' is a dev-only escape
|
|
|
|
|
# hatch that disables all auth checks and attaches a synthetic 'dev' user to
|
|
|
|
|
# every request. Never run with AUTH_ENABLED=false on a network you don't control.
|
feat(mam-api,web-ui): per-project RBAC (v2 auth layer)
Adds per-project access control on top of the flat v1 auth. admin keeps
global access; editor/viewer are scoped to projects granted to them (direct
or via group) at view (read-only) or edit (read-write) level.
- migration 026: project_access table + access_level enum
- src/auth/authz.js: central isAdmin/accessibleProjectIds/projectLevel/
assertProjectAccess
- requireAdmin middleware; admin-gate /users, /auth/users, /groups
- enforce scoping on projects, assets, bins (list filter + per-resource
view/edit + create checks); gate bulk asset maintenance + batch-trim
- grant API: GET/POST/DELETE /projects/:id/access
- web-ui: hide admin nav for non-admins, admin-route bounce, project
"Manage access" modal, rewrite Policies tab
- tests: authz, project-access, assets-access (node:test, skip w/o DB)
- deferred routers carry TODO(authz) markers; .env.example documents the
service-token-needs-admin/grants requirement
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 22:37:36 -04:00
|
|
|
#
|
|
|
|
|
# RBAC v2 note: with AUTH_ENABLED=true, per-project access is enforced. Service
|
|
|
|
|
# API tokens (capture sidecar, Premiere panel, integrations) must belong to a
|
|
|
|
|
# user with the access they need — an 'admin' user (full access), or a user with
|
|
|
|
|
# the right project grants. A non-admin service token with no grants will get
|
|
|
|
|
# 403 on asset registration (ingest) and streaming. In dev mode the synthetic
|
|
|
|
|
# user is admin, so this only matters once auth is on.
|
2026-05-27 15:25:29 -04:00
|
|
|
AUTH_ENABLED=true
|
|
|
|
|
|
|
|
|
|
# CORS allowlist — comma-separated origins that may carry credentials to the API.
|
|
|
|
|
# Same-origin requests via the nginx reverse proxy do not need to be listed here.
|
|
|
|
|
# Leave empty to allow any origin (DEV ONLY).
|
|
|
|
|
ALLOWED_ORIGINS=
|
|
|
|
|
|
|
|
|
|
# Reverse-proxy trust — set 'true' when the API sits behind nginx terminating HTTPS,
|
|
|
|
|
# so secure-cookie + X-Forwarded-Proto behave correctly. ALSO required for accurate
|
|
|
|
|
# per-IP login rate-limiting (otherwise req.ip is always the nginx IP).
|
|
|
|
|
TRUST_PROXY=false
|
