`9f24a0e`

Add auth.totp_key_b64 config + SHITHUB_TOTP_KEY alias for at-rest TOTP encryption key

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 9f24a0e3a08242c4801373b1cf31d5917e003c5a
Parents: 7fb6cba
Tree: 455fedd

1 changed file

Status	File	+	-
M	`internal/infra/config/config.go`	6	0

internal/infra/config/config.gomodified


 	SMTP                     SMTPConfig     `toml:"smtp"`
 	Postmark                 PostmarkConfig `toml:"postmark"`
 	Argon2                   Argon2Config   `toml:"argon2"`
+	TOTPKeyB64               string         `toml:"totp_key_b64"` // base64 32-byte AEAD key for at-rest TOTP secrets
 }
 
 // SMTPConfig holds plain-SMTP backend settings (e.g. MailHog in dev).

 			cfg.Session.KeyB64 = v
 		}
 	}
+	if cfg.Auth.TOTPKeyB64 == "" {
+		if v := os.Getenv("SHITHUB_TOTP_KEY"); v != "" {
+			cfg.Auth.TOTPKeyB64 = v
+		}
+	}
 }
 
 // Validate enforces invariants. Errors are precise enough to point at the

`@@ -108,6 +108,7 @@` type AuthConfig struct {
108	108	SMTP SMTPConfig `toml:"smtp"`
109	109	Postmark PostmarkConfig `toml:"postmark"`
110	110	Argon2 Argon2Config `toml:"argon2"`
	111	+ TOTPKeyB64 string `toml:"totp_key_b64"` // base64 32-byte AEAD key for at-rest TOTP secrets
111	112	}
112	113
113	114	// SMTPConfig holds plain-SMTP backend settings (e.g. MailHog in dev).
`@@ -233,6 +234,11 @@` func applyAliases(cfg *Config) {
233	234	cfg.Session.KeyB64 = v
234	235	}
235	236	}
	237	+ if cfg.Auth.TOTPKeyB64 == "" {
	238	+ if v := os.Getenv("SHITHUB_TOTP_KEY"); v != "" {
	239	+ cfg.Auth.TOTPKeyB64 = v
	240	+ }
	241	+ }
236	242	}
237	243
238	244	// Validate enforces invariants. Errors are precise enough to point at the