stack/apps/api/.env.example
Jason Woltje 7390cac2cc fix(#338): Bind CSRF token to user session with HMAC
- Token now includes HMAC binding to session ID
- Validates session binding on verification
- Adds CSRF_SECRET configuration requirement
- Requires authentication for CSRF token endpoint
- 51 new tests covering session binding security

Security: CSRF tokens are now cryptographically tied to user sessions,
preventing token reuse across sessions and mitigating session fixation
attacks.

Token format: {random_part}:{hmac(random_part + user_id, secret)}

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 16:33:22 -06:00

35 lines
1.5 KiB
Plaintext

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/database

# Federation Instance Identity
# Display name for this Mosaic instance
INSTANCE_NAME=Mosaic Instance
# Publicly accessible URL for federation (must be valid HTTP/HTTPS URL)
INSTANCE_URL=http://localhost:3000

# Encryption (AES-256-GCM for sensitive data at rest)
# CRITICAL: Generate a secure random key for production!
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# CSRF Protection (Required in production)
# Secret key for HMAC binding CSRF tokens to user sessions
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# In development, a random key is generated if not set
CSRF_SECRET=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

# OpenTelemetry Configuration
# Enable/disable OpenTelemetry tracing (default: true)
OTEL_ENABLED=true
# Service name for telemetry (default: mosaic-api)
OTEL_SERVICE_NAME=mosaic-api
# OTLP exporter endpoint (default: http://localhost:4318/v1/traces)
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318/v1/traces
# Alternative: Jaeger endpoint (legacy)
# OTEL_EXPORTER_JAEGER_ENDPOINT=http://localhost:4318/v1/traces
# Deployment environment (default: development, or uses NODE_ENV)
# OTEL_DEPLOYMENT_ENVIRONMENT=production
# Trace sampling ratio: 0.0 (none) to 1.0 (all) - default: 1.0
# Use lower values in high-traffic production environments
# OTEL_TRACES_SAMPLER_ARG=1.0