fix(config):add auth environment defaults

docker/.env.example

@@ -30,6 +30,11 @@ SECRET_KEY=replace_me_with_a_random_string
 # Auth type: LOCAL (email/password) or GOOGLE (OAuth)
 AUTH_TYPE=LOCAL
 
+# Cloud only: set COOKIE_DOMAIN=.surfsense.com so api., zero., and app
+# subdomains all receive the same first-party session cookie. Leave empty for
+# self-hosted Docker where Caddy serves a single origin.
+# COOKIE_DOMAIN=
+
 # Deployment mode: self-hosted enables local filesystem connectors; cloud hides them.
 DEPLOYMENT_MODE=self-hosted
 
@@ -135,6 +140,19 @@ CERT_EMAIL=
 # ZERO_MUTATE_URL=https://surf.example.com/api/zero/mutate
 # ZERO_QUERY_URL=http://frontend:3000/api/zero/query
 # ZERO_MUTATE_URL=http://frontend:3000/api/zero/mutate
+#
+# Forward browser session cookies from zero-cache to the query route. Keep this
+# enabled before switching the web app to cookie-only auth.
+# ZERO_QUERY_FORWARD_COOKIES=true
+#
+# Optional shared secret for the zero-cache -> /api/zero/query hop. Set the same
+# value on zero-cache and the frontend. When unset, the query route accepts the
+# request for backward-compatible rollout.
+# ZERO_QUERY_API_KEY=
+#
+# Bounds for auth revocation and RBAC membership changes on already-open sockets.
+# ZERO_AUTH_REVALIDATE_INTERVAL_SECONDS=60
+# ZERO_AUTH_RETRANSFORM_INTERVAL_SECONDS=60
 
 # ------------------------------------------------------------------------------
 # Database (defaults work out of the box, change for security)

surfsense_backend/.env.example

@@ -81,9 +81,24 @@ STRIPE_RECONCILIATION_INTERVAL=10m
 
 SECRET_KEY=SECRET
 
-# JWT Token Lifetimes (optional, defaults shown)
-# ACCESS_TOKEN_LIFETIME_SECONDS=86400      # 1 day
-# REFRESH_TOKEN_LIFETIME_SECONDS=1209600   # 2 weeks
+# JWT/session lifetimes (optional, defaults shown)
+# ACCESS_TOKEN_LIFETIME_SECONDS=1800        # 30 minutes
+# REFRESH_TOKEN_LIFETIME_SECONDS=1209600    # 14-day inactivity window
+# REFRESH_ROTATION_GRACE_SECONDS=45
+# REFRESH_ABSOLUTE_LIFETIME_SECONDS=2592000 # 30-day absolute cap
+#
+# Web session cookies. Leave COOKIE_DOMAIN empty for self-hosted same-origin
+# Docker. In cloud, use .surfsense.com so api., zero., and the app share the
+# first-party session cookie.
+# SESSION_COOKIE_NAME=surfsense_session
+# REFRESH_COOKIE_NAME=surfsense_refresh
+# SESSION_COOKIE_SECURE_POLICY=auto
+# SESSION_COOKIE_SAMESITE=lax
+# COOKIE_DOMAIN=
+#
+# Comma-separated allow-list for cookie-session unsafe requests. Defaults also
+# include NEXT_FRONTEND_URL and SURFSENSE_PUBLIC_URL when set.
+# CSRF_ALLOWED_ORIGINS=http://localhost:3000
 # Personal Access Tokens (PATs). Empty/unset = no maximum; users may create
 # never-expiring PATs. When set, PAT creation requires an expiry <= this many days.
 # PAT_MAX_EXPIRY_DAYS=
@@ -115,6 +130,8 @@ REGISTRATION_ENABLED=TRUE or FALSE
 # For Google Auth Only
 GOOGLE_OAUTH_CLIENT_ID=924507538m
 GOOGLE_OAUTH_CLIENT_SECRET=GOCSV
+GOOGLE_DESKTOP_CLIENT_ID=your_google_desktop_client_id
+GOOGLE_DESKTOP_CLIENT_SECRET=your_google_desktop_client_secret
 GOOGLE_PICKER_API_KEY=your-google-picker-api-key
 
 # Google Connector Specific Configurations

surfsense_web/.env.example

@@ -48,6 +48,10 @@ NEXT_PUBLIC_POSTHOG_HOST=https://us.i.posthog.com
 # "/zero" endpoint behind Caddy. Set it for local dev or packaged clients.
 # ─────────────────────────────────────────────────────────────────────────────
 # NEXT_PUBLIC_ZERO_CACHE_URL=http://localhost:4848
+# Server-only shared secret that authorizes zero-cache when it calls
+# /api/zero/query. Leave unset during the compatibility rollout, then set it
+# once every zero-cache instance sends X-Api-Key.
+# ZERO_QUERY_API_KEY=
 
 # ─────────────────────────────────────────────────────────────────────────────
 # Cloudflare Turnstile CAPTCHA for anonymous chat abuse prevention