
Barong environments overview

This document describes the defaults and possible values of all environment variables that take part in app configuration.

General configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_app_name | Barong | any string value | app name used as the 2FA issuer and as friendly_name for Twilio v2 verification |
| barong_domain | openware.com | any string value | sent as the domain param in Event API messages from the identity module, so the mailer or a 3rd-party email service needs no additional configuration |
| barong_uid_prefix | ID | any string value matching the regex /^[A-z]{2,6}$/ | configures the first 2-6 chars of the UID |
| barong_session_name | _barong_session | any string value | session cookie name |
| barong_session_expire_time | 1800 | any number (value is in seconds) | session lifetime (auto-renews on every private call) |
| barong_required_docs_expire | true | false, true | whether Barong validates the expires_in parameter at document creation; with false it can still be sent and recorded, but without time validation |
| barong_doc_num_limit | 10 | any number | maximum number of documents that can be attached to a single user |
| barong_geoip_lang | en | en, de, es, fr, ja, ru | internal GeoIP language (Barong::GeoIP.lang), which sets the language of the detected country/continent name |
| barong_csrf_protection | true | true, false | when turned on (true), exposes csrf_token on session create and requires X-CSRF-Token on every private POST, PUT, PATCH, DELETE and TRACE request at the AuthZ level |
| barong_apikey_nonce_lifetime | 5000 | integer representation of milliseconds | the nonce in API key headers must not be older than this value |
| barong_gateway | 'cloudflare' | cloudflare, akamai | when turned on, the user IP at session and AuthZ level is first looked up in the TRUE_CLIENT_IP header |
| barong_jwt_expire_time | '3600' | integer representation of seconds | expiration time of general-purpose tokens (reset password, confirm email) |
| barong_rack_attack_limit | 5 | integer representation of calls per minute | allowed number of calls per 60 seconds to endpoints protected by rack-attack |
| crc32_salt | - | any string value | salt for the crc32 algorithm used for searching in encrypted fields |
| api_data_masking_enabled | true | true, false | when turned on (true), the user API returns encrypted user data |
| first_registration_superadmin | true | true, false | when turned on (true), the first user registered on the platform becomes superadmin without any email confirmation |
| mgn_api_keys_user | false | true, false | when turned on (true), the management API to create/update API keys is provided for the user entity |
| mgn_api_keys_sa | false | true, false | when turned on (true), the management API to create/update API keys is provided for the service account entity |
| barong_tls_enabled | true | true, false | when turned on (true), the KYCAid request scheme is https; otherwise it is http |
| auth_methods | password | password, auth0, signature | array of available authentication methods |

Password configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_password_regexp | `^(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])(?=.*[[:graph:]]).{8,80}$` | any valid regex without the surrounding / / | regex used to validate the password on sign up / password reset / password change |
| barong_password_min_entropy | 14 | any positive int | minimal entropy required for a password |
| barong_password_use_dictionary | true | bool | enables or disables the most-common-password dictionary check |
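An added example (not Barong's own code) of applying the default barong_password_regexp the way the env value is stored, without the / / delimiters. It also shows a Ruby-specific caveat: ^ and $ are line anchors, so a second variant anchored with \A and \z is included for comparison.

```ruby
# Added example, not Barong's own implementation.
# Default value of BARONG_PASSWORD_REGEXP as documented above (no "/ /").
DEFAULT_PASSWORD_REGEXP =
  '^(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])(?=.*[[:graph:]]).{8,80}$'

# Same lookaheads and length window, but anchored to the whole string.
# Ruby's ^ and $ match at line boundaries, so the documented pattern accepts
# a string whose first line is valid even if a newline follows it.
STRICT_PASSWORD_REGEXP = Regexp.new(
  '\A(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])(?=.*[[:graph:]]).{8,80}\z'
)

# Compiles the env value the way a Rails app would read it: ENV fetch with the
# documented default. Pass a Hash as env to test without touching ENV.
def password_regexp(env = ENV)
  Regexp.new(env.fetch('BARONG_PASSWORD_REGEXP', DEFAULT_PASSWORD_REGEXP))
end

# true when the password has a lower-case letter, an upper-case letter,
# a digit, a printable character and 8..80 characters on the matched line.
def password_matches?(password, env = ENV)
  !!(password =~ password_regexp(env))
end

# Whole-string variant of the same check.
def password_matches_strict?(password)
  !!(password =~ STRICT_PASSWORD_REGEXP)
end
```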

Storage configuration

More details in the storage configuration doc.

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_storage_provider | local | local, google, aws, alicloud | provider for document storage; this env may affect the other envs in this module |
| barong_storage_bucket_name | local | any string value | bucket name, required for all providers |
| barong_storage_access_key | - | any string value | access key for the bucket, required for all providers |
| barong_storage_secret_key | - | any string value | secret key for the bucket, required for all providers |
| barong_storage_endpoint | - | any valid url | custom storage endpoint, can be used with the AWS and AliCloud providers |
| barong_storage_signature_version | 4 | 2, 3, 4 | custom signature version, can be used with the AWS provider |
| barong_storage_region | - | any string value | bucket storage region |
| barong_storage_pathstyle | false | false, true | storage path style, might be used with the AWS or AliCloud providers |
| barong_upload_size_min_range | 1 | any integer value | minimum size of a possible upload (in megabytes) |
| barong_upload_size_max_range | 10 | any integer value | maximum size of a possible upload (in megabytes) |
| barong_upload_auth_url_expiration | 1 | any integer value | lifetime in minutes of the auth signature used to view an upload |
| barong_upload_extension_whitelist | jpg, jpeg, png, pdf | string with comma-separated extensions | whitelist of allowed upload extensions |
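An added example (not Barong's own code) that applies the upload limits from the table above to a candidate file name and size. It assumes the size range is inclusive and that the whitelist is matched case-insensitively against the file's last extension; it checks the name and size only, not the file content.

```ruby
# Added example, not Barong's own implementation.
# Documented defaults for the three upload envs.
DEFAULT_UPLOAD_ENV = {
  'BARONG_UPLOAD_EXTENSION_WHITELIST' => 'jpg, jpeg, png, pdf',
  'BARONG_UPLOAD_SIZE_MIN_RANGE'      => '1',
  'BARONG_UPLOAD_SIZE_MAX_RANGE'      => '10'
}.freeze

MEGABYTE = 1024 * 1024

# Parses the comma-separated whitelist, tolerating spaces and upper case.
def upload_extension_whitelist(env = DEFAULT_UPLOAD_ENV)
  env.fetch('BARONG_UPLOAD_EXTENSION_WHITELIST')
     .split(',').map { |e| e.strip.downcase }.reject(&:empty?)
end

# Returns the list of violations (empty when the upload is acceptable):
#   :extension  - the file's last extension is not whitelisted
#   :too_small  - size below BARONG_UPLOAD_SIZE_MIN_RANGE megabytes (assumed inclusive)
#   :too_large  - size above BARONG_UPLOAD_SIZE_MAX_RANGE megabytes (assumed inclusive)
# Only the name and size are inspected; the content type is not verified here.
def upload_violations(filename, size_bytes, env = DEFAULT_UPLOAD_ENV)
  violations = []
  ext = File.extname(filename).delete_prefix('.').downcase
  violations << :extension unless upload_extension_whitelist(env).include?(ext)
  min_mb = Integer(env.fetch('BARONG_UPLOAD_SIZE_MIN_RANGE'))
  max_mb = Integer(env.fetch('BARONG_UPLOAD_SIZE_MAX_RANGE'))
  violations << :too_small if size_bytes < min_mb * MEGABYTE
  violations << :too_large if size_bytes > max_mb * MEGABYTE
  violations
end
```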

API CORS configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_api_cors_origins | * | any valid url or the wildcard * | CORS configuration: URL or wildcard |
| barong_api_cors_max_age | 3600 | any number (value is in seconds) | how long the results of a preflight request can be cached, in seconds |
| barong_api_cors_allow_credentials | false | false, true | allows cookies to be sent in cross-domain responses |

CAPTCHA configuration

More details in the captcha policy doc.

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_captcha | none | none, recaptcha, geetest | configures the captcha policy |
| barong_geetest_id | - | any string value | geetest id for captcha from geetest.com |
| barong_geetest_key | - | any string value | geetest key for captcha from geetest.com |
| barong_recaptcha_site_key | - | any string value | site key for reCAPTCHA |
| barong_recaptcha_secret_key | - | any string value | secret key for reCAPTCHA |

Twilio configuration

More details in the Twilio configuration section below.

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_phone_verification | mock | twilio_verify, twilio_sms, mock | SMS send policy; switches between the Twilio services and the stub (mock) |
| phone_max_unverified | 3 | - | maximum number of unverified phone numbers per user |
| phone_code_min_delay | 30 | - | minimum seconds a user has to wait before a new code is sent |
| phone_max_send_retries | 5 | - | maximum retry count for sending an SMS |
| phone_max_verify_retries | 5 | - | maximum retry count for verifying a code |
| barong_twilio_phone_number | +15005550000 | any valid Twilio number or Twilio string name | Twilio SMS sender number/name |
| barong_twilio_account_sid | - | any string value | Twilio account SID, required by the configuration |
| barong_twilio_auth_token | - | any string value | Twilio auth token, required by the configuration |
| barong_twilio_service_sid | - | any string value | Twilio service SID, required by the twilio_verify policy |
| barong_sms_content_template | Your verification code for Barong: {{code}} | any string value containing {{code}} | template used as the SMS content in both configurations |

RabbitMQ configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_event_api_rabbitmq_host | localhost | any string value | RabbitMQ server host |
| barong_event_api_rabbitmq_port | 5672 | any valid port string | RabbitMQ server port |
| barong_event_api_rabbitmq_username | guest | any string value | RabbitMQ server access username |
| barong_event_api_rabbitmq_password | guest | any string value | RabbitMQ server access password |

Redis configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_redis_cluster | false | false, true | defines the Redis mode usage (https://redis.io/topics/cluster-tutorial) |
| barong_redis_url | redis://localhost:6379/1 | any valid url | URL of the Redis server with port |
| barong_redis_password | ~ | any string value | Redis server access password |

Vault configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_vault_address | http://localhost:8200 | any valid url | Vault server URL with port |
| barong_vault_token | | any string value | Vault access token |
| barong_vault_app_name | barong | any string value | the name of the application; all encryption keys in Vault will be prefixed with this application name |

Sentry configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_sentry_dsn_backend | ~ | valid host url | Sentry SDK client key |

Auth0 configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| auth0_domain | - | any string value | Auth0 domain name (without https://) |
| auth0_client_id | - | any string value | the client_id of your Auth0 application |

SMTP configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_sender_email | [email protected] | any valid email | displayed as the sender email for the client in all outgoing mail |
| barong_sender_name | Barong | any string value | displayed as the sender name for the client in all outgoing mail |
| barong_smtp_password | - | any string value | password for the 3rd-party SMTP email service |
| barong_smtp_port | 1025 | any integer value | port of the 3rd-party SMTP email service |
| barong_smtp_host | localhost | valid host url | host of the 3rd-party SMTP email service |
| barong_smtp_user | - | any string value | username for the 3rd-party SMTP email service |
| barong_default_language | en | alpha-2 code | default language for email letters |

Config files configuration

| Env name | Default value | Possible values | Description |
| --- | --- | --- | --- |
| barong_config | config/barong.yml | any valid path to an existing file | path to the barong config with activation_requirements, state_triggers, document_types and user_storage_titles |
| barong_maxminddb_path | geolite/GeoLite2-Country.mmdb | any valid path to an existing file | path to the GeoLite country DB file |
| barong_seeds_file | config/seeds.yml | any valid path to an existing file | path to the configuration file with pre-defined API rules, users and levels |
| barong_authz_rules_file | config/authz_rules.yml | any valid path to an existing file | path to the configuration file with blacklisted and whitelisted API paths |

Barong configurations overview

# Twilio configuration

For the Twilio configuration the following envs are required:

  • BARONG_TWILIO_ACCOUNT_SID, which acts as the Twilio username
  • BARONG_TWILIO_SERVICE_SID, which acts as the Twilio password
  • BARONG_TWILIO_PHONE_NUMBER, a virtual phone number which gives you instant access to local, national, mobile and toll-free phone numbers

Twilio can be set up in 3 different ways:

  1. BARONG_PHONE_VERIFICATION == "twilio_sms". If you choose phone verification via Twilio SMS, the send_sms API call is used. You can also set your own SMS template with BARONG_SMS_CONTENT_TEMPLATE.
  2. BARONG_PHONE_VERIFICATION == "twilio_verify". In this case the Twilio Verify API call is used. The Verify API has many benefits, for example validating users via voice. One verification service can be used to send multiple verification tokens, so there is no need to create a new service each time; BARONG_TWILIO_SERVICE_SID can be set once.
  3. BARONG_PHONE_VERIFICATION == "mock". With this type of verification all numbers are accepted, and any code is validated as correct for any given number.

# Blacklist/Whitelist configuration

Pass routes are never checked by the AuthZ endpoint and are available without a session. On block routes the user always gets 401, regardless of session, role, IP, etc.

Put the whitelisted (public) routes under the pass key and the blacklisted routes under the block key in authz_rules.yml:

rules:
  pass:
    - api/v2/barong/identity
    - api/v2/peatio/public
    - api/v2/ranger/public
    - api/v2/applogic/public
  block:
    - api/v2/barong/management
    - api/v2/peatio/managemen
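An added example (not Barong's own code) of the decision the AuthZ layer has to make for a request path given the pass and block lists described above. The rules document is constructed here, and two details are assumptions rather than documented behaviour: a rule matches as a path-segment prefix, and block is evaluated before pass so a route listed in both can never be opened up.

```ruby
require 'yaml'

# Added example, not Barong's own implementation.
# Constructed authz_rules.yml mirroring the structure documented above.
AUTHZ_RULES_YML = <<~YAML
  rules:
    pass:
      - api/v2/barong/identity
      - api/v2/peatio/public
    block:
      - api/v2/barong/management
      - api/v2/peatio/management
YAML

# Assumption: a rule matches when it equals the path or is a whole-segment
# prefix of it, so "api/v2/peatio/public" covers "api/v2/peatio/public/markets"
# but not "api/v2/peatio/publicx".
def segment_prefix?(rule, path)
  path == rule || path.start_with?("#{rule}/")
end

# Returns :block (always 401), :pass (no session required) or :check
# (regular session/role/IP checks apply). Block is evaluated first by design.
def authz_decision(path, rules_yaml = AUTHZ_RULES_YML)
  rules = YAML.safe_load(rules_yaml).fetch('rules')
  path  = path.sub(%r{\A/}, '')            # tolerate a leading slash
  return :block if rules.fetch('block', []).any? { |r| segment_prefix?(r, path) }
  return :pass  if rules.fetch('pass', []).any?  { |r| segment_prefix?(r, path) }
  :check
end
```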

# State configuration

The barong configuration can be customized as needed:

  1. For user activation we only need a verified email label, as in the example below. You can add more labels to create your own rules for user activation.
  2. For example, if you want to ban a user you just need to put the ban and fraud labels on the Tower admin panel. You can customize this case too by changing or adding label names in barong.yml.
  3. For document verification we use the following document types as standard. You can configure the available document types by changing or extending the list; this keeps the opportunity to support any custom KYC services, logic, etc.

activation_requirements:
  email: 'verified'
state_triggers:
  banned:
    - ban
    - fraud
  deleted:
    - delete
  locked:
    - suspicious
    - lock
document_types:
  - Passport
  - Identity card
  - Driver license
  - Utility Bill
  - Residental
  - Institutional
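An added example (not Barong's own code) that derives a user's state from its labels using the activation_requirements and state_triggers shown above. The config is constructed inline; the matching rules are assumptions: a trigger fires when a label with that key is present (any value), triggers take precedence over activation, the first matching trigger in file order wins, and a user with no trigger and unmet requirements is 'pending'.

```ruby
require 'yaml'

# Added example, not Barong's own implementation.
# Constructed barong.yml fragment mirroring the documented example above.
BARONG_YML = <<~YAML
  activation_requirements:
    email: 'verified'
  state_triggers:
    banned:
      - ban
      - fraud
    deleted:
      - delete
    locked:
      - suspicious
      - lock
YAML

# labels: Hash of label key => label value as attached to the user.
# Assumed semantics:
#   - a state trigger fires when any of its label keys is present on the user
#   - triggers are checked before activation, in file order, first match wins
#   - otherwise the user is 'active' only if every activation requirement is
#     met exactly (key present with the configured value), else 'pending'
def user_state(labels, config_yaml = BARONG_YML)
  cfg = YAML.safe_load(config_yaml)
  cfg.fetch('state_triggers', {}).each do |state, keys|
    return state if keys.any? { |key| labels.key?(key) }
  end
  activated = cfg.fetch('activation_requirements', {}).all? do |key, value|
    labels[key] == value
  end
  activated ? 'active' : 'pending'
end
```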