agatha
7a835d3172
After LOGIN_MAX_FAILURES consecutive failed attempts from the same source IP within LOGIN_WINDOW_SECONDS, POST /api/v1/auth/token returns HTTP 429 with a Retry-After header for LOGIN_COOLDOWN_SECONDS. A successful login resets the counter. Trusted upstream proxy IPs/CIDRs can be declared via LOGIN_TRUSTED_PROXY_IPS so X-Forwarded-For is honoured correctly behind nginx ingress or similar reverse proxies. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
30 lines
902 B
Plaintext
30 lines
902 B
Plaintext
# PostgreSQL — async DSN for SQLAlchemy + asyncpg
|
|
DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@postgres:5432/reactbin
|
|
|
|
# S3-compatible object storage (MinIO in local dev)
|
|
S3_ENDPOINT_URL=http://minio:9000
|
|
S3_BUCKET_NAME=reactbin
|
|
S3_ACCESS_KEY_ID=minioadmin
|
|
S3_SECRET_ACCESS_KEY=minioadmin
|
|
S3_REGION=us-east-1
|
|
|
|
# Angular SPA — injected at build or runtime
|
|
API_BASE_URL=http://localhost:8000
|
|
|
|
# Upload size limit in bytes (default 50 MiB)
|
|
MAX_UPLOAD_BYTES=52428800
|
|
|
|
# Owner credentials and JWT signing secret
|
|
JWT_SECRET_KEY=change-me-to-a-long-random-string
|
|
JWT_EXPIRY_SECONDS=86400
|
|
OWNER_USERNAME=owner
|
|
OWNER_PASSWORD=change-me
|
|
|
|
# Login brute-force protection
|
|
LOGIN_MAX_FAILURES=5
|
|
LOGIN_WINDOW_SECONDS=300
|
|
LOGIN_COOLDOWN_SECONDS=900
|
|
# Comma-separated IPs/CIDRs of trusted upstream proxies (e.g. nginx ingress pod CIDR).
|
|
# Leave empty when not behind a reverse proxy.
|
|
LOGIN_TRUSTED_PROXY_IPS=
|