# =============================================================================
# BFE2-LDP Environment Variables
# Copy this file to .env and fill in the values for your environment.
# The filled-in .env holds live passwords and secrets: keep it out of version
# control and readable only by the account that runs the service.
# =============================================================================
# --- General ---
# Turns off some features when running on bibframe.org
BFORGMODE=0
# --- Authentication ---
# Password used to get to the /util/ admin page.
# Replace both placeholders with long, randomly generated values that are
# unique to each environment.
# NOTE(review): STATSPW presumably guards a statistics view — confirm against the util service.
DEPLOYPW="your-deploy-password"
STATSPW="your-stats-password"
# --- xml-database (Production) ---
# Credentials and endpoints for the production xml-database.
# NOTE(review): presumably this account only needs the rights used by the
# post/cc/naco endpoints below — confirm and scope it accordingly.
MLUSER=your-xml-database-username
MLPASS=your-xml-database-password
PRODUCTIONPOSTURL=https://your-xml-database-host/production/post
PRODUCTIONccURL=https://your-xml-database-host/production/cc
PRODUCTIONNACOSTUB=https://your-xml-database-host/production/naco
# --- xml-database (Staging) ---
# Use an account distinct from production so a leaked staging password does
# not grant access to production data.
MLUSERSTAGE=your-xml-database-staging-username
MLPASSSTAGE=your-xml-database-staging-password
STAGINGPOSTURL=https://your-xml-database-host/staging/post
# NOTE(review): "STAGGINGccURL" is spelled with a double G, unlike the other
# STAGING* names; confirm it matches the name the application reads before
# changing it, because a mismatched name would leave the variable unset.
STAGGINGccURL=https://your-xml-database-host/staging/cc
STAGINGNACOSTUB=https://your-xml-database-host/staging/naco
# --- xml-database Validation ---
VALIDATIONURL=https://your-xml-database-host/validate
# NOTE(review): this is plain http to what looks like an internal service name;
# confirm the traffic stays on a trusted network, or use https.
VALIDATIONNARURL=http://narvalidation:8080/validate
# --- WorldCat ---
# WC_SECRET is a credential; handle it like the passwords in this file.
WC_CLIENTID=your-worldcat-client-id
WC_SECRET=your-worldcat-secret
# --- External Services ---
LCAP_SYNC=https://your-lcap-sync-url
RECORD_HISTORY=https://your-record-history-url
# --- FOLIO (Staging) ---
# The staging and production placeholders are identical text; use a distinct
# account and password for each environment.
FOLIO_STAGING_URL=https://folio-staging.example.org
FOLIO_STAGING_TENANT=your-tenant-id
FOLIO_STAGING_USERNAME=your-username
FOLIO_STAGING_PASSWORD=your-password
# --- FOLIO (Production) ---
FOLIO_PRODUCTION_URL=https://folio.example.org
FOLIO_PRODUCTION_TENANT=your-tenant-id
FOLIO_PRODUCTION_USERNAME=your-username
FOLIO_PRODUCTION_PASSWORD=your-password
# --- Scriptshifter Feedback ---
# NOTE(review): TXL_FEEDBACK_PATH looks like a URL path and the two addresses
# like the sender and recipient of feedback mail — confirm against the service.
TXL_FEEDBACK_PATH=/mail
TXL_EMAIL_FROM="scriptshifter@your-domain.gov"
TXL_EMAIL_TO="scriptshifter@your-domain.gov"
# =============================================================================
# SSO / SAML Configuration
# See util-service/config/domains.js for per-domain SAML settings.
# See single-sign-on.md for full documentation.
# =============================================================================
# --- Feature Flags ---
# DEV_AUTH_BYPASS=1 skips SAML and issues a test JWT, so it must stay 0 on
# every deployed server, staging included.
# NOTE(review): the trailing "# ..." comments on the three lines below are only
# dropped by loaders that support inline comments; other loaders keep them as
# part of the value. Confirm how this file is loaded, so that DEV_AUTH_BYPASS
# is read as exactly 0.
# NOTE(review): check what the verbose SAML_DEBUG logging contains before
# enabling it outside local development.
SAML_ENABLED=1 # 1 to enable SSO, 0 to disable
DEV_AUTH_BYPASS=0 # 1 to skip SAML and issue a test JWT (local dev only)
SAML_DEBUG=0 # 1 to enable verbose [SAML DEBUG] logging
# --- SAML (localhost / fallback defaults) ---
# These are used by the "localhost" domain config in domains.js.
# On the deployed server, staging/prod domains read from their own env vars below.
# The http:// URLs and the mock-idp certificate are local-development values.
# NOTE(review): the heading calls these "fallback defaults"; confirm that a
# deployed domain with a missing override cannot fall back to the mock IdP.
# NOTE(review): SAML_LOGOUT_URL uses host "mock-idp" while SAML_ENTRY_POINT uses
# "localhost"; confirm the difference is intended.
SAML_ENTRY_POINT=http://localhost:8080/simplesaml/saml2/idp/SSOService.php
SAML_ISSUER=http://localhost:9400/marva
SAML_CALLBACK_URL=http://localhost:9400/marva/util/auth/callback
SAML_LOGOUT_URL=http://mock-idp:8080/simplesaml/saml2/idp/SingleLogoutService.php
SAML_LOGOUT_CALLBACK_URL=http://localhost:9400/marva/util/auth/logout/callback
SAML_IDP_CERT_PATH=/app/certs/mock-idp.crt
POST_LOGIN_REDIRECT=http://localhost:4444/marva/
# --- JWT ---
# JWT_SECRET ships as a publicly known placeholder; set a separately generated
# value for each environment.
# NOTE(review): presumably this secret signs the JWTs issued after login, in
# which case anyone holding it could produce accepted tokens — confirm, and
# consider refusing to start while it still equals CHANGE_ME_IN_PRODUCTION.
# Generate a strong secret with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
JWT_SECRET=CHANGE_ME_IN_PRODUCTION
JWT_EXPIRY=1h
# JWT_REFRESH_WINDOW=15 # Minutes before expiry when refresh is allowed (default: 15)
# --- SAML Per-Domain Overrides (deployed server only) ---
# Replace each {...-tenant-id} placeholder with the tenant id of the matching
# Entra app registration.
# NOTE(review): the *_IDP_CERT_PATH files are presumably the IdP certificates
# used to check SAML response signatures — confirm that each path holds the
# certificate of the right app registration.
# Staging (staging.whatever.gov) — separate Entra app registration
SAML_STAGING_ENTRY_POINT=https://login.microsoftonline.com/{staging-tenant-id}/saml2
SAML_STAGING_IDP_CERT_PATH=/app/certs/entra-staging.cer
SAML_STAGING_LOGOUT_URL=https://login.microsoftonline.com/{staging-tenant-id}/saml2
# Production (prod.whatever.gov) — separate Entra app registration
SAML_PROD_ENTRY_POINT=https://login.microsoftonline.com/{prod-tenant-id}/saml2
SAML_PROD_IDP_CERT_PATH=/app/certs/entra-prod.cer
SAML_PROD_LOGOUT_URL=https://login.microsoftonline.com/{prod-tenant-id}/saml2