fix(config):add auth environment defaults

2026-06-26 21:39:43 +02:00 · 2026-06-23 12:48:23 +05:30 · 2026-06-23 12:48:23 +05:30 · 4d49d9311c
commit 4d49d9311c
parent 83fdef2180
3 changed files with 42 additions and 3 deletions
--- a/docker/.env.example
+++ b/docker/.env.example
@ -30,6 +30,11 @@ SECRET_KEY=replace_me_with_a_random_string
 # Auth type: LOCAL (email/password) or GOOGLE (OAuth)
 AUTH_TYPE=LOCAL

+# Cloud only: set COOKIE_DOMAIN=.surfsense.com so api., zero., and app
+# subdomains all receive the same first-party session cookie. Leave empty for
+# self-hosted Docker where Caddy serves a single origin.
+# COOKIE_DOMAIN=
+
 # Deployment mode: self-hosted enables local filesystem connectors; cloud hides them.
 DEPLOYMENT_MODE=self-hosted

@ -135,6 +140,19 @@ CERT_EMAIL=
 # ZERO_MUTATE_URL=https://surf.example.com/api/zero/mutate
 # ZERO_QUERY_URL=http://frontend:3000/api/zero/query
 # ZERO_MUTATE_URL=http://frontend:3000/api/zero/mutate
+#
+# Forward browser session cookies from zero-cache to the query route. Keep this
+# enabled before switching the web app to cookie-only auth.
+# ZERO_QUERY_FORWARD_COOKIES=true
+#
+# Optional shared secret for the zero-cache -> /api/zero/query hop. Set the same
+# value on zero-cache and the frontend. When unset, the query route accepts the
+# request for backward-compatible rollout.
+# ZERO_QUERY_API_KEY=
+#
+# Bounds for auth revocation and RBAC membership changes on already-open sockets.
+# ZERO_AUTH_REVALIDATE_INTERVAL_SECONDS=60
+# ZERO_AUTH_RETRANSFORM_INTERVAL_SECONDS=60

 # ------------------------------------------------------------------------------
 # Database (defaults work out of the box, change for security)