feat(core): support PEM-encoded keys in environment variables

apps/astro/.env.example

@@ -1,66 +1,96 @@
-# Opaque secret used to sign and verify JWT tokens
-
-# openssl rand -base64 32
+# Opaque salting and peppering secrets for key derivation and hashing
+# For example: openssl rand -base64 32
 AURA_AUTH_SALT=""
-# openssl rand -base64 32
+
+# Opaque secret for signing JWT tokens and encrypting data
+# For example: openssl rand -base64 32
 AURA_AUTH_SECRET=""
 
+# The base URL of the authentication server
+# For example: http://localhost:4000
+AURA_AUTH_BASE_URL=
+
+# Trusted Origins for CORS and redirect URI validation (comma-separated)
+# For example: http://localhost:3000,http://localhost:4000
+AURA_AUTH_TRUSTED_ORIGINS=
+
+# Enable debug logging for authentication operations (set to "true", "debug", "on", "yes" or "1" to enable)
+AURA_AUTH_DEBUG=
+
+# Log level for authentication operations (e.g. "error", "warn", "info", "debug")
+AURA_AUTH_LOG_LEVEL=
+
+# PEM-encoded RSA public/private key for signing and encrypting JWT tokens in "sealed" JWT mode (JWT with JWS and JWE)
+# For example: -----BEGIN PUBLIC KEY -----\n...\n-----END PUBLIC KEY-----
+AURA_AUTH_SIGNING_PUBLIC_KEY=
+AURA_AUTH_SIGNING_PRIVATE_KEY=
+AURA_AUTH_SIGNING_ALGORITHM=
+
+AURA_AUTH_ENCRYPTION_PUBLIC_KEY=
+AURA_AUTH_ENCRYPTION_PRIVATE_KEY=
+AURA_AUTH_ENCRYPTION_ALGORITHM=
+
+# PEM-encode RSA public/private key either in "signed" or "encrypted" JWT mode (JWT with JWS or JWE)
+AURA_AUTH_PUBLIC_KEY=
+AURA_AUTH_PRIVATE_KEY=
+AURA_AUTH_ALGORITHM=
+
 # Github OAuth App Credentials
-AURA_AUTH_GITHUB_CLIENT_ID=""
-AURA_AUTH_GITHUB_CLIENT_SECRET=""
+AURA_AUTH_GITHUB_CLIENT_ID=
+AURA_AUTH_GITHUB_CLIENT_SECRET=
 
 # Bitbucket OAuth App Credentials
-AURA_AUTH_BITBUCKET_CLIENT_ID=""
-AURA_AUTH_BITBUCKET_CLIENT_SECRET=""
+AURA_AUTH_BITBUCKET_CLIENT_ID=
+AURA_AUTH_BITBUCKET_CLIENT_SECRET=
 
 # Figma OAuth App Credentials
-AURA_AUTH_FIGMA_CLIENT_ID=""
-AURA_AUTH_FIGMA_CLIENT_SECRET=""
+AURA_AUTH_FIGMA_CLIENT_ID=
+AURA_AUTH_FIGMA_CLIENT_SECRET=
 
 # Discord OAuth App Credentials
-AURA_AUTH_DISCORD_CLIENT_ID=""
-AURA_AUTH_DISCORD_CLIENT_SECRET=""
+AURA_AUTH_DISCORD_CLIENT_ID=
+AURA_AUTH_DISCORD_CLIENT_SECRET=
 
 # GitLab OAuth App Credentials
-AURA_AUTH_GITLAB_CLIENT_ID=""
-AURA_AUTH_GITLAB_CLIENT_SECRET=""
+AURA_AUTH_GITLAB_CLIENT_ID=
+AURA_AUTH_GITLAB_CLIENT_SECRET=
 
 # Spotify OAuth App Credentials
-AURA_AUTH_SPOTIFY_CLIENT_ID=""
-AURA_AUTH_SPOTIFY_CLIENT_SECRET=""
+AURA_AUTH_SPOTIFY_CLIENT_ID=
+AURA_AUTH_SPOTIFY_CLIENT_SECRET=
 
 # X (Twitter) OAuth App Credentials
-AURA_AUTH_X_CLIENT_ID=""
-AURA_AUTH_X_CLIENT_SECRET=""
+AURA_AUTH_X_CLIENT_ID=
+AURA_AUTH_X_CLIENT_SECRET=
 
 # Strava OAuth App Credentials
-AURA_AUTH_STRAVA_CLIENT_ID=""
-AURA_AUTH_STRAVA_CLIENT_SECRET=""
+AURA_AUTH_STRAVA_CLIENT_ID=
+AURA_AUTH_STRAVA_CLIENT_SECRET=
 
 # Atlassian OAuth App Credentials
-AURA_AUTH_ATLASSIAN_CLIENT_ID=""
-AURA_AUTH_ATLASSIAN_CLIENT_SECRET=""
+AURA_AUTH_ATLASSIAN_CLIENT_ID=
+AURA_AUTH_ATLASSIAN_CLIENT_SECRET=
 
 # Mailchimp OAuth App Credentials
-AURA_AUTH_MAILCHIMP_CLIENT_ID=""
-AURA_AUTH_MAILCHIMP_CLIENT_SECRET=""
+AURA_AUTH_MAILCHIMP_CLIENT_ID=
+AURA_AUTH_MAILCHIMP_CLIENT_SECRET=
 
 # Pinterest OAuth App Credentials
-AURA_AUTH_PINTEREST_CLIENT_ID=""
-AURA_AUTH_PINTEREST_CLIENT_SECRET=""
+AURA_AUTH_PINTEREST_CLIENT_ID=
+AURA_AUTH_PINTEREST_CLIENT_SECRET=
 
 # Dropbox OAuth App Credentials
-AURA_AUTH_DROPBOX_CLIENT_ID=""
-AURA_AUTH_DROPBOX_CLIENT_SECRET=""
+AURA_AUTH_DROPBOX_CLIENT_ID=
+AURA_AUTH_DROPBOX_CLIENT_SECRET=
 
 # Twitch OAuth App Credentials
-AURA_AUTH_TWITCH_CLIENT_ID=""
-AURA_AUTH_TWITCH_CLIENT_SECRET=""
+AURA_AUTH_TWITCH_CLIENT_ID=
+AURA_AUTH_TWITCH_CLIENT_SECRET=
 
 # Notion OAuth App Credentials
-AURA_AUTH_NOTION_CLIENT_ID=""
-AURA_AUTH_NOTION_CLIENT_SECRET=""
+AURA_AUTH_NOTION_CLIENT_ID=
+AURA_AUTH_NOTION_CLIENT_SECRET=
 
 # TikTok OAuth App Credentials
-AURA_AUTH_TIKTOK_CLIENT_ID=""
-AURA_AUTH_TIKTOK_CLIENT_SECRET=""
+AURA_AUTH_TIKTOK_CLIENT_ID=
+AURA_AUTH_TIKTOK_CLIENT_SECRET=

apps/bun/.env.example

@@ -1,67 +1,95 @@
-# Salt for key derivation (e.g., password hashing)
-# openssl rand -base64 32
+# Opaque salting and peppering secrets for key derivation and hashing
+# For example: openssl rand -base64 32
 AURA_AUTH_SALT=""
 
-# Opaque secret used to sign and verify JWT tokens
-# openssl rand -base64 32
+# Opaque secret for signing JWT tokens and encrypting data
+# For example: openssl rand -base64 32
 AURA_AUTH_SECRET=""
 
+# The base URL of the authentication server
+# For example: http://localhost:4000
+AURA_AUTH_BASE_URL=
+
+# Trusted Origins for CORS and redirect URI validation (comma-separated)
+# For example: http://localhost:3000,http://localhost:4000
+AURA_AUTH_TRUSTED_ORIGINS=
+
+# Enable debug logging for authentication operations (set to "true", "debug", "on", "yes" or "1" to enable)
+AURA_AUTH_DEBUG=
+
+# Log level for authentication operations (e.g. "error", "warn", "info", "debug")
+AURA_AUTH_LOG_LEVEL=
+
+# PEM-encoded RSA public/private key for signing and encrypting JWT tokens in "sealed" JWT mode (JWT with JWS and JWE)
+# For example: -----BEGIN PUBLIC KEY -----\n...\n-----END PUBLIC KEY-----
+AURA_AUTH_SIGNING_PUBLIC_KEY=
+AURA_AUTH_SIGNING_PRIVATE_KEY=
+AURA_AUTH_SIGNING_ALGORITHM=
+
+AURA_AUTH_ENCRYPTION_PUBLIC_KEY=
+AURA_AUTH_ENCRYPTION_PRIVATE_KEY=
+AURA_AUTH_ENCRYPTION_ALGORITHM=
+
+# PEM-encode RSA public/private key either in "signed" or "encrypted" JWT mode (JWT with JWS or JWE)
+AURA_AUTH_PUBLIC_KEY=
+AURA_AUTH_PRIVATE_KEY=
+AURA_AUTH_ALGORITHM=
 # Github OAuth App Credentials
-AURA_AUTH_GITHUB_CLIENT_ID=""
-AURA_AUTH_GITHUB_CLIENT_SECRET=""
+AURA_AUTH_GITHUB_CLIENT_ID=
+AURA_AUTH_GITHUB_CLIENT_SECRET=
 
 # Bitbucket OAuth App Credentials
-AURA_AUTH_BITBUCKET_CLIENT_ID=""
-AURA_AUTH_BITBUCKET_CLIENT_SECRET=""
+AURA_AUTH_BITBUCKET_CLIENT_ID=
+AURA_AUTH_BITBUCKET_CLIENT_SECRET=
 
 # Figma OAuth App Credentials
-AURA_AUTH_FIGMA_CLIENT_ID=""
-AURA_AUTH_FIGMA_CLIENT_SECRET=""
+AURA_AUTH_FIGMA_CLIENT_ID=
+AURA_AUTH_FIGMA_CLIENT_SECRET=
 
 # Discord OAuth App Credentials
-AURA_AUTH_DISCORD_CLIENT_ID=""
-AURA_AUTH_DISCORD_CLIENT_SECRET=""
+AURA_AUTH_DISCORD_CLIENT_ID=
+AURA_AUTH_DISCORD_CLIENT_SECRET=
 
 # GitLab OAuth App Credentials
-AURA_AUTH_GITLAB_CLIENT_ID=""
-AURA_AUTH_GITLAB_CLIENT_SECRET=""
+AURA_AUTH_GITLAB_CLIENT_ID=
+AURA_AUTH_GITLAB_CLIENT_SECRET=
 
 # Spotify OAuth App Credentials
-AURA_AUTH_SPOTIFY_CLIENT_ID=""
-AURA_AUTH_SPOTIFY_CLIENT_SECRET=""
+AURA_AUTH_SPOTIFY_CLIENT_ID=
+AURA_AUTH_SPOTIFY_CLIENT_SECRET=
 
 # X (Twitter) OAuth App Credentials
-AURA_AUTH_X_CLIENT_ID=""
-AURA_AUTH_X_CLIENT_SECRET=""
+AURA_AUTH_X_CLIENT_ID=
+AURA_AUTH_X_CLIENT_SECRET=
 
 # Strava OAuth App Credentials
-AURA_AUTH_STRAVA_CLIENT_ID=""
-AURA_AUTH_STRAVA_CLIENT_SECRET=""
+AURA_AUTH_STRAVA_CLIENT_ID=
+AURA_AUTH_STRAVA_CLIENT_SECRET=
 
 # Atlassian OAuth App Credentials
-AURA_AUTH_ATLASSIAN_CLIENT_ID=""
-AURA_AUTH_ATLASSIAN_CLIENT_SECRET=""
+AURA_AUTH_ATLASSIAN_CLIENT_ID=
+AURA_AUTH_ATLASSIAN_CLIENT_SECRET=
 
 # Mailchimp OAuth App Credentials
-AURA_AUTH_MAILCHIMP_CLIENT_ID=""
-AURA_AUTH_MAILCHIMP_CLIENT_SECRET=""
+AURA_AUTH_MAILCHIMP_CLIENT_ID=
+AURA_AUTH_MAILCHIMP_CLIENT_SECRET=
 
 # Pinterest OAuth App Credentials
-AURA_AUTH_PINTEREST_CLIENT_ID=""
-AURA_AUTH_PINTEREST_CLIENT_SECRET=""
+AURA_AUTH_PINTEREST_CLIENT_ID=
+AURA_AUTH_PINTEREST_CLIENT_SECRET=
 
 # Dropbox OAuth App Credentials
-AURA_AUTH_DROPBOX_CLIENT_ID=""
-AURA_AUTH_DROPBOX_CLIENT_SECRET=""
+AURA_AUTH_DROPBOX_CLIENT_ID=
+AURA_AUTH_DROPBOX_CLIENT_SECRET=
 
 # Twitch OAuth App Credentials
-AURA_AUTH_TWITCH_CLIENT_ID=""
-AURA_AUTH_TWITCH_CLIENT_SECRET=""
+AURA_AUTH_TWITCH_CLIENT_ID=
+AURA_AUTH_TWITCH_CLIENT_SECRET=
 
 # Notion OAuth App Credentials
-AURA_AUTH_NOTION_CLIENT_ID=""
-AURA_AUTH_NOTION_CLIENT_SECRET=""
+AURA_AUTH_NOTION_CLIENT_ID=
+AURA_AUTH_NOTION_CLIENT_SECRET=
 
 # TikTok OAuth App Credentials
-AURA_AUTH_TIKTOK_CLIENT_ID=""
-AURA_AUTH_TIKTOK_CLIENT_SECRET=""
+AURA_AUTH_TIKTOK_CLIENT_ID=
+AURA_AUTH_TIKTOK_CLIENT_SECRET=

apps/cloudflare/.env.example

@@ -1,11 +1,39 @@
-# Salt for key derivation (e.g., password hashing)
-# openssl rand -base64 32
-AURA_AUTH_SALT=
-
-# Opaque secret used to sign and verify JWT tokens
-# openssl rand -base64 32
-AURA_AUTH_SECRET=
-
+# Opaque salting and peppering secrets for key derivation and hashing
+# For example: openssl rand -base64 32
+AURA_AUTH_SALT=""
+
+# Opaque secret for signing JWT tokens and encrypting data
+# For example: openssl rand -base64 32
+AURA_AUTH_SECRET=""
+
+# The base URL of the authentication server
+# For example: http://localhost:4000
+AURA_AUTH_BASE_URL=
+
+# Trusted Origins for CORS and redirect URI validation (comma-separated)
+# For example: http://localhost:3000,http://localhost:4000
+AURA_AUTH_TRUSTED_ORIGINS=
+
+# Enable debug logging for authentication operations (set to "true", "debug", "on", "yes" or "1" to enable)
+AURA_AUTH_DEBUG=
+
+# Log level for authentication operations (e.g. "error", "warn", "info", "debug")
+AURA_AUTH_LOG_LEVEL=
+
+# PEM-encoded RSA public/private key for signing and encrypting JWT tokens in "sealed" JWT mode (JWT with JWS and JWE)
+# For example: -----BEGIN PUBLIC KEY -----\n...\n-----END PUBLIC KEY-----
+AURA_AUTH_SIGNING_PUBLIC_KEY=
+AURA_AUTH_SIGNING_PRIVATE_KEY=
+AURA_AUTH_SIGNING_ALGORITHM=
+
+AURA_AUTH_ENCRYPTION_PUBLIC_KEY=
+AURA_AUTH_ENCRYPTION_PRIVATE_KEY=
+AURA_AUTH_ENCRYPTION_ALGORITHM=
+
+# PEM-encode RSA public/private key either in "signed" or "encrypted" JWT mode (JWT with JWS or JWE)
+AURA_AUTH_PUBLIC_KEY=
+AURA_AUTH_PRIVATE_KEY=
+AURA_AUTH_ALGORITHM=
 # Github OAuth App Credentials
 AURA_AUTH_GITHUB_CLIENT_ID=
 AURA_AUTH_GITHUB_CLIENT_SECRET=

apps/deno/.env.example

@@ -1,11 +1,39 @@
-# Salt for key derivation (e.g., password hashing)
-# openssl rand -base64 32
-AURA_AUTH_SALT=
-
-# Opaque secret used to sign and verify JWT tokens
-# openssl rand -base64 32
-AURA_AUTH_SECRET=
-
+# Opaque salting and peppering secrets for key derivation and hashing
+# For example: openssl rand -base64 32
+AURA_AUTH_SALT=""
+
+# Opaque secret for signing JWT tokens and encrypting data
+# For example: openssl rand -base64 32
+AURA_AUTH_SECRET=""
+
+# The base URL of the authentication server
+# For example: http://localhost:4000
+AURA_AUTH_BASE_URL=
+
+# Trusted Origins for CORS and redirect URI validation (comma-separated)
+# For example: http://localhost:3000,http://localhost:4000
+AURA_AUTH_TRUSTED_ORIGINS=
+
+# Enable debug logging for authentication operations (set to "true", "debug", "on", "yes" or "1" to enable)
+AURA_AUTH_DEBUG=
+
+# Log level for authentication operations (e.g. "error", "warn", "info", "debug")
+AURA_AUTH_LOG_LEVEL=
+
+# PEM-encoded RSA public/private key for signing and encrypting JWT tokens in "sealed" JWT mode (JWT with JWS and JWE)
+# For example: -----BEGIN PUBLIC KEY -----\n...\n-----END PUBLIC KEY-----
+AURA_AUTH_SIGNING_PUBLIC_KEY=
+AURA_AUTH_SIGNING_PRIVATE_KEY=
+AURA_AUTH_SIGNING_ALGORITHM=
+
+AURA_AUTH_ENCRYPTION_PUBLIC_KEY=
+AURA_AUTH_ENCRYPTION_PRIVATE_KEY=
+AURA_AUTH_ENCRYPTION_ALGORITHM=
+
+# PEM-encode RSA public/private key either in "signed" or "encrypted" JWT mode (JWT with JWS or JWE)
+AURA_AUTH_PUBLIC_KEY=
+AURA_AUTH_PRIVATE_KEY=
+AURA_AUTH_ALGORITHM=
 # Github OAuth App Credentials
 AURA_AUTH_GITHUB_CLIENT_ID=
 AURA_AUTH_GITHUB_CLIENT_SECRET=