version: v0.13.0

dsn: "overrided-by-env"

serve:
  public:
    base_url: http://127.0.0.1:4433/
    cors:
      enabled: true
      allow_credentials: true
      allowed_origins:
        - http://127.0.0.1:4433
        - http://0.0.0.0:4434
        - http://localhost:3000
        - http://127.0.0.1:3000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
        - X-Session-Token
      exposed_headers:
        - Content-Type
        - Set-Cookie
      debug: true

  admin:
    base_url: http://0.0.0.0:4434/

selfservice:
  default_browser_return_url: http://localhost:3000/
  allowed_return_urls:
    - http://127.0.0.1:4455/
    - http://localhost:3000/

  methods:
    oidc:
      enabled: false
    webauthn:
      enabled: false
    totp:
      enabled: true
    password:
      enabled: true

    code:
      enabled: true
      config:
        # Defines how long the verification or the recovery code is valid for (default 1h)
        lifespan: 15m

  flows:
    error:
      ui_url: http://127.0.0.1:4455/error

    settings:
      ui_url: http://127.0.0.1:4455/settings

      # very short time frame because this has impact in the totp flow
      privileged_session_max_age: 1s

      # to enforce the user to paste his 2fa to deactivate it, this could be set to highest_available
      required_aal: aal1

      after:
        profile:
          hooks:
            - hook: web_hook
              config:
                # url: http://bats-tests:4455/auth/after_settings_hooks
                url: http://invalid-because-we-dont-want-profile-to-be-updated
                method: POST
                body: file:///home/ory/body.jsonnet
                auth:
                  type: api_key
                  config:
                    name: Authorization
                    value: The-Value-of-My-Key
                    in: header

    recovery:
      enabled: true
      ui_url: http://127.0.0.1:4455/recovery

    verification:
      use: code
      enabled: true
      lifespan: 15m
      # notify_unknown_recipients: false

    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4455/login

    login:
      ui_url: http://localhost:3000/login
      lifespan: 10m

      # this below make phone authentication fails even if there is no email in the schema
      # after:
      #   password:
      #     hooks:
      #     - hook: require_verified_address

    registration:
      lifespan: 10m
      ui_url: http://localhost:3000/register
      after:
        password:
          hooks:
            # we are not sure if we need this hook yet.
            # this could be used to check if the user is already registered in the backend
            # before creating the user in kratos
            # otherwise response: parse: false happens after kratos user creation
            #
            #
            # - hook: web_hook
            #   config:
            #     url: http://bats-tests:4012/kratos/preregistration
            #     method: POST
            #     response:
            #       parse: true
            #     body: file:///home/ory/body.jsonnet # TODO: use a base64 encoding instead
            #     auth:
            #       type: api_key
            #       config:
            #         name: Authorization
            #         value: The-Value-of-My-Key
            #         in: header
            - hook: web_hook
              config:
                url: http://bats-tests:4012/kratos/registration
                method: POST
                response:
                  parse: false
                body: file:///home/ory/body.jsonnet # TODO: use a base64 encoding instead
                auth:
                  type: api_key
                  config:
                    name: Authorization
                    value: The-Value-of-My-Key
                    in: header
            - hook: session

log:
  level: debug
  format: json
  leak_sensitive_values: true

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8

identity:
  default_schema_id: phone_no_password_v0
  schemas:
    - id: phone_no_password_v0
      url: file:///home/ory/phone_no_password_v0.identity.schema.json
    - id: phone_email_no_password_v0
      url: file:///home/ory/phone_email_no_password_v0.identity.schema.json
    - id: email_no_password_v0
      url: file:///home/ory/email_no_password_v0.identity.schema.json
    - id: username_password_deviceid_v0
      url: file:///home/ory/username_password_deviceid_v0.identity.schema.json

courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
  templates:
    recovery_code:
      valid:
        email:
          subject: base64://eW91ciBjb2RlCg==
          body:
            # courier/template/courier/builtin/templates/recovery_code/valid/email.body.plaintext.gotmpl
            # Hi,
            # You can confirm access to your blink account by entering the following code:
            # {{ .RecoveryCode }}
            # Don't share this code with anyone. Our employee will never ask for this code
            plaintext: base64://SGksCgpZb3UgY2FuIGNvbmZpcm0gYWNjZXNzIHRvIHlvdXIgYmxpbmsgYWNjb3VudCBieSBlbnRlcmluZyB0aGUgZm9sbG93aW5nIGNvZGU6Cgp7eyAuUmVjb3ZlcnlDb2RlIH19CgpEb24ndCBzaGFyZSB0aGlzIGNvZGUgd2l0aCBhbnlvbmUuIE91ciBlbXBsb3llZSB3aWxsIG5ldmVyIGFzayBmb3IgdGhpcyBjb2RlCg==
            html: base64://SGksCgpZb3UgY2FuIGNvbmZpcm0gYWNjZXNzIHRvIHlvdXIgYmxpbmsgYWNjb3VudCBieSBlbnRlcmluZyB0aGUgZm9sbG93aW5nIGNvZGU6Cgp7eyAuUmVjb3ZlcnlDb2RlIH19CgpEb24ndCBzaGFyZSB0aGlzIGNvZGUgd2l0aCBhbnlvbmUuIE91ciBlbXBsb3llZSB3aWxsIG5ldmVyIGFzayBmb3IgdGhpcyBjb2RlCg==

session:
  # TODO: check lifespan per schema
  # or look how to extend
  lifespan: "720h" # 1 month
  earliest_possible_extend: "720h" # needed for test. should be shorter in prod

  whoami:
    required_aal: highest_available