Corentin JOGUET
a79c51e6f2
Some checks are pending
CI / Type-check bridge (push) Blocked by required conditions
CI / Tests unit bridge (push) Blocked by required conditions
CI / Lint bridge (Biome) (push) Waiting to run
CI / Tests integration bridge (push) Blocked by required conditions
CI / Security scan (push) Waiting to run
CI / Docker build + healthcheck (push) Blocked by required conditions
62 lines
2.8 KiB
Text
62 lines
2.8 KiB
Text
# Bridge service — variables d'environnement
|
|
# Copier vers .env et remplir avec valeurs reelles.
|
|
|
|
# Server
|
|
NODE_ENV=development
|
|
PORT=4000
|
|
LOG_LEVEL=debug
|
|
|
|
# Baserow API
|
|
BASEROW_API_URL=http://baserow:80/api
|
|
BASEROW_API_TOKEN=
|
|
|
|
# Docmost API (optionnel — pas utilise par le bridge generique R1)
|
|
# DOCMOST_API_URL=http://docmost:3000/api
|
|
# DOCMOST_API_TOKEN=
|
|
|
|
# Redis (cache + idempotence webhooks + rate limit)
|
|
REDIS_URL=redis://docmost-redis:6379
|
|
|
|
# Webhooks Baserow signature secret (HMAC-SHA256, header X-Baserow-Signature)
|
|
BASEROW_WEBHOOK_SECRET=
|
|
|
|
# Webhooks Docmost signature secret (HMAC-SHA256, header X-Docmost-Signature)
|
|
# Stub Bloc 7b — handlers metier viennent en Bloc 8 (Tiptap node-views)
|
|
# DOCMOST_WEBHOOK_SECRET=
|
|
|
|
# Auth tokens bridge — JSON serialise (Phase 2 simple)
|
|
# Format: [{"token":"brg_xxx","name":"label","scopes":["read:tables",...]}]
|
|
# Scopes generiques R1 : read:tables, write:tables, admin:*
|
|
BRIDGE_API_TOKENS=
|
|
|
|
# Authentik OIDC (optional — laisse vide pour mode local-only avec service tokens)
|
|
# Active uniquement si AUTHENTIK_ISSUER + AUTHENTIK_JWKS_URI + AUTHENTIK_AUDIENCE sont set.
|
|
# AUTHENTIK_ISSUER=https://auth.acadenice.com/application/o/formation-hub/
|
|
# AUTHENTIK_JWKS_URI=https://auth.acadenice.com/application/o/formation-hub/jwks/
|
|
# AUTHENTIK_AUDIENCE=formation-hub-bridge
|
|
# Mapping group Authentik -> scopes bridge (optionnel).
|
|
# AUTH_GROUPS_SCOPES_MAP={"acadenice-admins":["admin:*"],"acadenice-formateurs":["read:tables","write:tables"]}
|
|
#
|
|
# R1 generique : le bridge lit aussi le claim JWT `acadenice_permissions[]`
|
|
# qui alimente directement les scopes (alimente cote DocAdenice par le RBAC R2).
|
|
|
|
# JWT HMAC DocAdenice (Docmost fork) — mode local sans Authentik (R2.3b)
|
|
# Le bridge accepte les JWT HS256/384/512 signes par DocAdenice avec son APP_SECRET
|
|
# (le meme secret que `docmost.appSecret`). Permet au frontend Docmost d'appeler
|
|
# le bridge directement avec son cookie/Bearer Docmost natif, sans IdP OIDC.
|
|
# Laisse vide en prod si Authentik OIDC est branche — l'utilisateur passe par OIDC.
|
|
# Le secret doit faire >= 32 chars (matche les contraintes Docmost).
|
|
# DOCMOST_APP_SECRET=must-be-32-chars-or-more-and-match-docmost-app-secret
|
|
# DOCMOST_JWT_ISSUER=Docmost
|
|
# DOCMOST_JWT_AUDIENCE=
|
|
|
|
# Rate limiting (Bloc 5) — sliding window Redis sur /api/v1/*
|
|
# (hors /api/health, /api/ready, /api/webhooks/* qui ont leur propre defense).
|
|
# Global s'applique sur tous les verbes ; Mutation s'ajoute sur POST/PATCH/PUT/DELETE
|
|
# avec un compteur Redis distinct (suffixe `:mut`) volontairement plus strict.
|
|
# Cle derivee de l'identite : tokenId (service token) > email OIDC > sub OIDC > IP > anonymous.
|
|
# Defauts conservateurs ci-dessous, override si besoin.
|
|
# RATE_LIMIT_GLOBAL_MAX=100
|
|
# RATE_LIMIT_GLOBAL_WINDOW=60
|
|
# RATE_LIMIT_MUTATION_MAX=30
|
|
# RATE_LIMIT_MUTATION_WINDOW=60
|