Barong environments overview

This document describes the defaults and possible values of every environment variable that takes part in app configuration.

General configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_app_name | Barong | any string value | Define app name for 2FA issuer and friendly_name for twilio v2 verification |
| barong_domain | openware.com | any string value | Value of the env will be sent as domain param in EVENT API in identity module, which helps mailer or 3rd party email send services to avoid additional configurations |
| barong_uid_prefix | ID | any string value that matches regex: /^[A-z]{2,6}$/ | This env configures the first 2-6 chars of the UID |
| barong_session_name | _barong_session | any string value | session cookie name |
| barong_session_expire_time | 1800 | any number (value is in seconds) | session lifetime (auto-renews on every private call) |
| barong_required_docs_expire | true | false, true | force Barong to validate or not validate the expires_in parameter at document creation. With false it can still be sent and recorded, but with no time validation |
| barong_doc_num_limit | 10 | any amount number | maximum number of documents that can be attached to a unique user |
| barong_geoip_lang | en | en, de, es, fr, ja, ru | internal GeoIP lang Barong::GeoIP.lang, which configures the language of the detected country/continent name |
| barong_csrf_protection | true | true, false | while turned on (true) exposes csrf_token on session create and requires X-CSRF-Token on every private POST PUT PATCH DELETE TRACE on AuthZ level |
| barong_apikey_nonce_lifetime | 5000 | integer representation of milliseconds | nonce in api key headers should not be older than this env value |
| barong_gateway | 'cloudflare' | cloudflare, akamai | when set, the user IP on session and AuthZ level will first be read from the TRUE_CLIENT_IP header |
| barong_jwt_expire_time | '3600' | integer representation of seconds | general purpose tokens (reset password, confirm email) expiration time |
| crc32_salt | - | any string value | salt for the crc32 algorithm which is used for searching in encrypted fields |
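The nonce lifetime row above is easiest to read as code. The following is an added example, not Barong's own code: it checks the API-key nonce against BARONG_APIKEY_NONCE_LIFETIME and then verifies the request signature. The header names (X-Auth-Apikey, X-Auth-Nonce, X-Auth-Signature), the nonce being milliseconds since the Unix epoch, and the signature being HMAC-SHA256 over nonce + key id keyed with the API key secret are assumptions of this example; the key table and request are constructed.

```ruby
# Added example, not Barong's own code: freshness check for the API-key nonce
# against BARONG_APIKEY_NONCE_LIFETIME, followed by a signature check.
# Assumptions: the request carries X-Auth-Apikey (key id), X-Auth-Nonce
# (milliseconds since the Unix epoch) and X-Auth-Signature, and the signature
# is HMAC-SHA256 over nonce + key id keyed with the API key secret.
require 'openssl'

NONCE_LIFETIME_MS = Integer(ENV.fetch('BARONG_APIKEY_NONCE_LIFETIME', '5000'))

# A nonce is fresh when it parses as a millisecond timestamp that lies within
# the configured lifetime of "now" in either direction (the symmetric window
# tolerates small clock skew between client and server).
def nonce_fresh?(nonce, now_ms:, lifetime_ms: NONCE_LIFETIME_MS)
  return false unless nonce.to_s.match?(/\A\d{1,20}\z/)
  (now_ms - Integer(nonce)).abs <= lifetime_ms
end

def expected_signature(secret, nonce, kid)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{nonce}#{kid}")
end

# Byte-wise comparison whose running time does not depend on where the
# two strings first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# secret_for_kid resolves a key id to its secret (or nil when unknown).
# Returns true only when every header is present, the nonce is fresh, the key
# id is known and the signature matches.
def valid_apikey_request?(headers, secret_for_kid, now_ms: (Time.now.to_f * 1000).to_i)
  kid, nonce, sig = headers.values_at('X-Auth-Apikey', 'X-Auth-Nonce', 'X-Auth-Signature')
  return false if [kid, nonce, sig].any?(&:nil?)
  return false unless nonce_fresh?(nonce, now_ms: now_ms)

  secret = secret_for_kid.call(kid)
  return false if secret.nil?

  secure_equal?(sig, expected_signature(secret, nonce, kid))
end

# Constructed sample: one known key and a request signed with it.
SAMPLE_KEYS = { 'kid-123' => 'constructed-secret' }.freeze
SAMPLE_NONCE = '1700000000000'
SAMPLE_HEADERS = {
  'X-Auth-Apikey'    => 'kid-123',
  'X-Auth-Nonce'     => SAMPLE_NONCE,
  'X-Auth-Signature' => expected_signature('constructed-secret', SAMPLE_NONCE, 'kid-123')
}.freeze

if __FILE__ == $PROGRAM_NAME
  lookup = ->(kid) { SAMPLE_KEYS[kid] }
  puts valid_apikey_request?(SAMPLE_HEADERS, lookup, now_ms: 1_700_000_001_000) # true: 1 s old
  puts valid_apikey_request?(SAMPLE_HEADERS, lookup, now_ms: 1_700_000_006_000) # false: 6 s old
end
```

A nonce older than the lifetime is rejected before any secret lookup, so a replayed request never reaches the HMAC check; the comparison of the supplied and expected signatures is constant-time so that a wrong signature fails in the same time regardless of how many leading bytes happen to match.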

Password configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_password_regexp | `^(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])(?=.*[[:graph:]]).{8,80}$` | any valid regex without / / | regex that validates the password on user sign up / reset pass / password change |
| barong_password_min_entropy | 14 | any positive int | minimal entropy required by password |
| barong_password_use_dictionary | true | bool | activates or deactivates the most common password dictionary check |
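How the three password settings combine is shown by the following added example, which is not Barong's own code. Barong delegates the entropy and dictionary checks to a gem; the entropy estimate (an older NIST SP 800-63 Appendix A style heuristic) and the short word list here are simplified stand-ins of this example, and the default regex is read from the table above.

```ruby
# Added example, not Barong's own code: a password check driven by the three
# settings above. The entropy estimate and the word list are stand-ins for the
# gem Barong uses.
PASSWORD_REGEXP = Regexp.new(ENV.fetch(
  'BARONG_PASSWORD_REGEXP',
  '^(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])(?=.*[[:graph:]]).{8,80}$'
))
MIN_ENTROPY = Integer(ENV.fetch('BARONG_PASSWORD_MIN_ENTROPY', '14'))
USE_DICTIONARY = ENV.fetch('BARONG_PASSWORD_USE_DICTIONARY', 'true') == 'true'
# Constructed stand-in for the most-common-password dictionary.
COMMON_PASSWORDS = %w[password 123456 qwerty letmein welcome].freeze

# Rough entropy estimate in bits: 4 bits for the first character, 2 bits for
# each of characters 2-8, 1.5 bits for 9-20, 1 bit beyond, plus 6 bits when
# both upper-case and non-alphabetic characters are present.
def password_entropy(password)
  bits = password.length.times.sum { |i|
    if i.zero? then 4.0
    elsif i < 8 then 2.0
    elsif i < 20 then 1.5
    else 1.0
    end
  }
  bits += 6.0 if password.match?(/[[:upper:]]/) && password.match?(/[^[:alpha:]]/)
  bits
end

# Substring match against the dictionary, so "Password1!" is caught even
# though it satisfies the composition regex.
def common_password?(password)
  down = password.downcase
  COMMON_PASSWORDS.any? { |word| down.include?(word) }
end

# Returns the list of policy violations (empty when the password is accepted).
# The regexp from the environment uses ^ and $, which in Ruby anchor to lines,
# so a password containing a line break is rejected up front rather than
# letting one of its lines satisfy the pattern on its own.
def password_errors(password)
  errors = []
  errors << 'contains a line break' if password.match?(/[\r\n]/)
  errors << 'does not match BARONG_PASSWORD_REGEXP' unless password.match?(PASSWORD_REGEXP)
  errors << 'entropy too low' if password_entropy(password) < MIN_ENTROPY
  errors << 'too common' if USE_DICTIONARY && common_password?(password)
  errors
end

if __FILE__ == $PROGRAM_NAME
  p password_errors('Tr0ub4dor&3') # []
  p password_errors('Password1!')  # ["too common"]
end
```

The three checks are independent: the regex enforces composition and length, the entropy threshold rejects short or monotonous strings, and the dictionary catches passwords that pass both but are well known. When deploying a custom BARONG_PASSWORD_REGEXP, prefer `\A` and `\z` over `^` and `$` so the pattern anchors to the whole string.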

Storage configuration

More details in storage configuration doc

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_storage_provider | local | local, google, aws, alicloud | provider for the documents store. This env may affect the other variables in this module |
| barong_storage_bucket_name | local | any string value | bucket name, required for all providers |
| barong_storage_access_key | - | any string value | access key for bucket, required for all providers |
| barong_storage_secret_key | - | any string value | secret key for bucket, required for all providers |
| barong_storage_endpoint | - | any valid url string | custom storage endpoint, can be used for AWS, AliCloud providers |
| barong_storage_signature_version | 4 | 2, 3, 4 | custom signature version, can be used for AWS provider |
| barong_storage_region | - | any string value | bucket storage region |
| barong_storage_pathstyle | false | false, true | storage pathstyle, might be used for AWS or AliCloud providers |
| barong_upload_size_min_range | 1 | any integer value | minimum size of a possible upload (in megabytes) |
| barong_upload_size_max_range | 10 | any integer value | maximum size of a possible upload (in megabytes) |
| barong_upload_auth_url_expiration | 1 | any integer value | lifetime, in minutes, of the auth signature used to view an upload |
| barong_upload_extension_whitelist | jpg, jpeg, png, pdf | string with comma-separated extension formats | whitelist of upload extensions |
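The upload rows above (size range and extension whitelist) applied to a file before it reaches the storage provider, as an added example that is not Barong's own code. The size range is treated as megabytes, as the table states. Because the extension whitelist only looks at the file name, the example also compares the first bytes of the content with the expected signature for that extension; that second check and its signature table are this example's additions, not something the page describes.

```ruby
# Added example, not Barong's own code: enforces the upload limits above and
# adds a content-signature check the page does not describe.
UPLOAD_MIN_MB = Integer(ENV.fetch('BARONG_UPLOAD_SIZE_MIN_RANGE', '1'))
UPLOAD_MAX_MB = Integer(ENV.fetch('BARONG_UPLOAD_SIZE_MAX_RANGE', '10'))
UPLOAD_EXTENSIONS = ENV.fetch('BARONG_UPLOAD_EXTENSION_WHITELIST', 'jpg, jpeg, png, pdf')
                       .split(',').map { |e| e.strip.downcase }.freeze
MEGABYTE = 1_048_576

# Leading bytes ("magic numbers") of the whitelisted formats (assumed table).
FILE_SIGNATURES = {
  'jpg'  => "\xFF\xD8\xFF".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'png'  => "\x89PNG\r\n\x1A\n".b,
  'pdf'  => '%PDF'.b
}.freeze

# Returns the list of reasons to reject the upload (empty when it is accepted).
# head is the first few bytes of the file content, or nil when not available.
def upload_errors(filename:, size_bytes:, head: nil)
  errors = []
  # Only the last extension counts, so "doc.pdf.exe" is judged as "exe".
  ext = File.extname(filename).delete_prefix('.').downcase
  errors << "extension '#{ext}' is not whitelisted" unless UPLOAD_EXTENSIONS.include?(ext)

  size_mb = size_bytes / MEGABYTE.to_f
  unless size_mb.between?(UPLOAD_MIN_MB, UPLOAD_MAX_MB)
    errors << "size #{size_mb.round(2)} MB is outside #{UPLOAD_MIN_MB}..#{UPLOAD_MAX_MB} MB"
  end

  # A name ending in .png whose bytes are not a PNG is rejected as well.
  signature = FILE_SIGNATURES[ext]
  if head && signature && !head.b.start_with?(signature)
    errors << "content does not look like a #{ext} file"
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a 2 MB PNG and a 2 MB file with a PNG name but other content.
  p upload_errors(filename: 'id.png', size_bytes: 2 * MEGABYTE, head: "\x89PNG\r\n\x1A\n".b) # []
  p upload_errors(filename: 'id.png', size_bytes: 2 * MEGABYTE, head: 'MZ'.b)
end
```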

API CORS configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_api_cors_origins | `*` | any valid url string or wildcard `*` | CORS configuration - url or wildcard |
| barong_api_cors_max_age | 3600 | any number (value is in seconds) | indicates how long the results of a preflight request can be cached, in seconds |
| barong_api_cors_allow_credentials | false | false, true | allows cookies to be sent in cross-domain responses |
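The response headers that the three CORS settings imply for a given request Origin, as an added example that is not Barong's own code. Reading the origins setting as a comma-separated list is an assumption of this example; the table documents a single URL or `*`. The example refuses the one combination browsers reject, a wildcard origin together with allow_credentials, because the usual workaround (reflecting whatever Origin the request carries) would let every site call the API with the user's cookies.

```ruby
# Added example, not Barong's own code: CORS response headers derived from the
# three settings above. Comma-separated origins are an assumption.
CORS_ORIGINS = ENV.fetch('BARONG_API_CORS_ORIGINS', '*').split(',').map(&:strip).freeze
CORS_MAX_AGE = Integer(ENV.fetch('BARONG_API_CORS_MAX_AGE', '3600'))
CORS_ALLOW_CREDENTIALS = ENV.fetch('BARONG_API_CORS_ALLOW_CREDENTIALS', 'false') == 'true'

# Returns the headers to add to the response, or an empty hash when the
# request origin is not allowed at all.
def cors_headers(request_origin, origins: CORS_ORIGINS, max_age: CORS_MAX_AGE,
                 allow_credentials: CORS_ALLOW_CREDENTIALS)
  wildcard = origins.include?('*')
  if wildcard && allow_credentials
    raise ArgumentError,
          'BARONG_API_CORS_ORIGINS=* cannot be combined with BARONG_API_CORS_ALLOW_CREDENTIALS=true'
  end
  return {} unless wildcard || origins.include?(request_origin)

  headers = {
    'Access-Control-Allow-Origin' => wildcard ? '*' : request_origin,
    'Access-Control-Max-Age'      => max_age.to_s,
    # The allowed origin is echoed per request, so caches must key on Origin.
    'Vary'                        => 'Origin'
  }
  headers['Access-Control-Allow-Credentials'] = 'true' if allow_credentials
  headers
end

if __FILE__ == $PROGRAM_NAME
  p cors_headers('https://app.example.com', origins: ['https://app.example.com'], allow_credentials: true)
  p cors_headers('https://other.example', origins: ['https://app.example.com']) # {}
end
```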

CAPTCHA configuration

More details in captcha policy doc

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_captcha | none | none, recaptcha, geetest | configures captcha policy |
| barong_geetest_id | - | any string value | geetest id for captcha from geetest.com |
| barong_geetest_key | - | any string value | geetest key for captcha from geetest.com |
| barong_recaptcha_site_key | - | any string value | site key for reCAPTCHA |
| barong_recaptcha_secret_key | - | any string value | secret key for reCAPTCHA |

Twilio configuration

More details in twilio configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_phone_verification | mock | twilio_verify, twilio_sms, mock | sms send policy, switcher between twilio services and stub (mock) |
| barong_twilio_phone_number | +15005550000 | any valid twilio number or twilio string name | Twilio sms sender number/name |
| barong_twilio_account_sid | - | any string value | twilio account sid, required by configuration |
| barong_twilio_auth_token | - | any string value | twilio auth token, required by configuration |
| barong_twilio_service_sid | - | any string value | twilio service sid, required by configuration of twilio_verify policy |
| barong_sms_content_template | Your verification code for Barong: {{code}} | any string value containing {{code}} | template, used in both configurations as content for SMS |

RabbitMQ configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_event_api_rabbitmq_host | localhost | any string value | rabbitmq server host |
| barong_event_api_rabbitmq_port | 5672 | any valid port string | rabbitmq server port |
| barong_event_api_rabbitmq_username | guest | any string value | rabbitmq server access username |
| barong_event_api_rabbitmq_password | guest | any string value | rabbitmq server access password |

Redis configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_redis_cluster | false | false, true | define redis mode usage (https://redis.io/topics/cluster-tutorial) |
| barong_redis_url | redis://localhost:6379/1 | any valid url | url of redis server with port |
| barong_redis_password | ~ | any string value | redis server access password |

Vault configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_vault_address | http://localhost:8200 | any valid url | vault server url with port |
| barong_vault_token | | any string value | vault access token |
| barong_vault_app_name | barong | any string value | the name of the application; all encryption keys in Vault will be prefixed with this application name |

Sentry configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_sentry_dsn_backend | ~ | valid host url | Sentry SDK client key |

SMTP configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_sender_email | [email protected] | any valid email | displayed as the sender email to the client in all outgoing mail |
| barong_sender_name | Barong | any string value | displayed as the sender name to the client in all outgoing mail |
| barong_smtp_password | - | any string value | password for the 3rd party SMTP email sending service |
| barong_smtp_port | 1025 | any integer value | port of the 3rd party SMTP email sending service |
| barong_smtp_host | localhost | valid host url | host of the 3rd party SMTP email sending service |
| barong_smtp_user | - | any string value | username for the 3rd party SMTP email sending service |
| barong_default_language | en | alpha-2 code | default language for email letters |

Config files configuration

| Env name | Default value | Possible values | Description |
|---|---|---|---|
| barong_config | config/barong.yml | any valid path to an existing file | path to the barong config with activation_requirements, state_triggers, document_types and user_storage_titles |
| barong_maxminddb_path | geolite/GeoLite2-Country.mmdb | any valid path to an existing file | path to the geolite country DB file |
| barong_seeds_file | config/seeds.yml | any valid path to an existing file | path to the configuration file with pre-defined API rules, users and levels |
| barong_authz_rules_file | config/authz_rules.yml | any valid path to an existing file | path to the configuration file with blacklisted and whitelisted API paths |

Barong configurations overview

# Twilio configuration

For Twilio configuration we need to set the following required envs:

  • BARONG_TWILIO_ACCOUNT_SID, which acts as a twilio username
  • BARONG_TWILIO_SERVICE_SID, which acts as a twilio password
  • BARONG_TWILIO_PHONE_NUMBER, a virtual phone number which gives you instant access to local, national, mobile, and toll-free phone numbers

We have the ability to set up Twilio in 3 different ways:

  1. BARONG_PHONE_VERIFICATION == "twilio_sms". If you choose phone verification as twilio sms we will use the send_sms API call. You can also add your own template for the sms using BARONG_SMS_CONTENT_TEMPLATE.
  2. BARONG_PHONE_VERIFICATION == "twilio_verify". In this case we will use the twilio Verify API call. There are a lot of benefits of using the Verify API, for example you can validate users via voice. One verification service can be used to send multiple verification tokens, so it is not necessary to create a new service each time and you can set BARONG_TWILIO_SERVICE_SID once.
  3. BARONG_PHONE_VERIFICATION == "mock". With this type of verification all numbers will be accepted and any code will be validated as the right code for any given number.

# Blacklist/Whitelist configuration

Pass routes will never be checked by the AuthZ endpoint and will be available without a session. On Block routes the user will always get 401, regardless of session / role / ip / etc.

You need to put whitelisted (public) routes under the pass object and blacklisted routes under the block object in authz_rules.yml:

    pass:
      - api/v2/barong/identity
      - api/v2/peatio/public
      - api/v2/ranger/public
      - api/v2/applogic/public
    block:
      - api/v2/barong/management
      - api/v2/peatio/managemen
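The pass/block decision described above, implemented over an authz_rules.yml document, as an added example that is not Barong's own code. The YAML is constructed inline from the routes listed on this page; treating the entries as path prefixes, matching them only on a segment boundary, and letting block rules win over pass rules are choices of this example.

```ruby
# Added example, not Barong's own code: routes a request path to :block,
# :pass or :authenticate according to pass/block lists in authz_rules.yml.
require 'yaml'

# Constructed inline from the routes on this page.
AUTHZ_RULES_YAML = <<~YAML
  pass:
    - api/v2/barong/identity
    - api/v2/peatio/public
    - api/v2/ranger/public
    - api/v2/applogic/public
  block:
    - api/v2/barong/management
YAML
AUTHZ_RULES = YAML.safe_load(AUTHZ_RULES_YAML).freeze

# Canonical form of a request path: no leading, trailing or repeated slashes,
# and "." / ".." segments resolved, so a rule cannot be sidestepped by
# spelling the same path differently.
def normalize_path(path)
  segments = []
  path.to_s.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? segments.pop : segments << seg
  end
  segments.join('/')
end

# A rule matches the whole path or a prefix ending on a segment boundary,
# so "api/v2/barong/identity" does not match "api/v2/barong/identity_admin".
def rule_match?(rules, path)
  normalized = normalize_path(path)
  rules.any? { |prefix| normalized == prefix || normalized.start_with?("#{prefix}/") }
end

# :block       -> respond 401 regardless of session
# :pass        -> let the request through without a session
# :authenticate -> apply the regular session / role checks
# Block is evaluated first so a path listed in both lists stays blocked.
def authz_decision(path, rules: AUTHZ_RULES)
  return :block if rule_match?(rules.fetch('block', []), path)
  return :pass if rule_match?(rules.fetch('pass', []), path)

  :authenticate
end

if __FILE__ == $PROGRAM_NAME
  p authz_decision('/api/v2/barong/identity/sessions')            # :pass
  p authz_decision('/api/v2/barong/management/users')             # :block
  p authz_decision('/api/v2/barong/identity/../management/users') # :block
  p authz_decision('/api/v2/barong/resource/users/me')            # :authenticate
end
```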

# State configuration

We can customize the barong configuration as we want.

  1. For user activation we just need to have the verified email label, as in the example below. You can add more labels to create your own rules for user activation:

         email: 'verified'

  2. For example, if you want to ban a user you just need to put the ban and fraud labels on the tower admin panel. You can customize this case too and change or add label names in barong.yml:

         - ban
         - fraud
         - delete
         - suspicious
         - lock

  3. For document verification we use the following document types as standard. You can configure the available document types by changing or extending the existing list. This way we keep an opportunity to support any custom KYC services, logic, etc.:

         - Passport
         - Identity card
         - Driver license
         - Utility Bill
         - Residental
         - Institutional

Who can I talk to if I have questions?