<?php
/*
* UserFrosting (http://www.userfrosting.com)
*
* @link https://github.com/userfrosting/UserFrosting
* @copyright Copyright (c) 2019 Alexander Weissman
* @license https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
*/
/*
* Account configuration file for UserFrosting.
*/
return [
    /*
     * ----------------------------------------------------------------------
     * User Cache Config
     * ----------------------------------------------------------------------
     * Cache the current user's info for a given time to speed up processing.
     * Set to zero to disable.
     *
     * NOTE(review): while an entry is cached, changes made to that user
     * elsewhere may not be visible until the entry expires or is invalidated.
     * Confirm how the cache is cleared when an account is disabled or its
     * roles change before raising this value.
     */
    'cache' => [
        'user' => [
            'delay' => 120, // In minutes
            'key' => '_user', // Cache key for the user entry
        ],
    ],
    /*
     * ----------------------------------------------------------------------
     * AuthorizationManager Debug
     * ----------------------------------------------------------------------
     * Turn this on to send AuthorizationManager::checkAccess process details
     * to the log. This can help when debugging your permissions and roles.
     * The log then carries details of every access check, so leave this off
     * in production unless you are actively troubleshooting.
     */
    'debug' => [
        'auth' => false,
    ],
    /*
     * ----------------------------------------------------------------------
     * Configuration for the 'password reset' feature
     * ----------------------------------------------------------------------
     * 'algorithm' is presumably the hash applied to reset tokens - confirm
     * against the code that reads this key.
     * 'timeouts' are presumably in seconds (86400 = 24 hours, 10800 = 3 hours)
     * - confirm. NOTE(review): 'create' looks like the lifetime of the
     * set-password link for a newly created account and 'reset' that of an
     * ordinary reset request; verify before changing either value.
     */
    'password_reset' => [
        'algorithm' => 'sha512',
        'timeouts' => [
            'create' => 86400,
            'reset' => 10800,
        ],
    ],
    /*
     * ----------------------------------------------------------------------
     * RememberMe Package Settings
     * ----------------------------------------------------------------------
     * See https://github.com/gbirke/rememberme for an explanation of these settings
     *
     * Note that the 'domain' field can be set to match your top-level-domain if you
     * want to send the rememberme cookie to all hosts in your domain. An automatic
     * config of this can be done in your config.php with code similar to this:
     *
     * if (!empty($_SERVER['SERVER_NAME']) && filter_var($_SERVER['SERVER_NAME'], \FILTER_VALIDATE_IP) === false) {
     *     $darr = explode(".", $_SERVER['SERVER_NAME']);
     *     array_shift($darr);
     *     $conf['session']['cookie_parameters'] = [ "lifetime" => 86400, "domain" => ".".join(".", $darr), "path" => "/" ];
     *     $conf['remember_me'] = [ "domain" => ".".join(".", $darr) ];
     * }
     *
     * (Or, for production, you can hard-code the domain rather than calculating it on each page load)
     *
     * Caveats for the snippet above:
     *  - Depending on the web server configuration, SERVER_NAME can be taken
     *    from the Host header of the request, i.e. it may be client-supplied.
     *    Hard-coding the domain avoids deriving a cookie scope from request data.
     *  - The snippet only drops the first label, so it assumes a host name of
     *    at least three labels (host.example.com); for a two-label name it
     *    would yield just the top-level domain.
     *
     * This is DELIBERATELY NOT TURNED ON BY DEFAULT!
     *
     * If you enable the 'domain' (on both the session and the remember_me cookies)
     * you will be sending your authentication cookies to every machine in the
     * domain you are using. This may not be bad if you control the domain, but
     * if you are using a VPS and the hostname of the machine you are connecting to
     * is, for example, host2.vps.blah.com, and you connect to host20.vps.blah.com,
     * your browser will send your (super secret) cookies to host20.vps.blah.com.
     *
     * You only want to turn this on if you want machine1.foo.com to receive the
     * cookies that THIS MACHINE (machine2.foo.com) set.
     */
    'remember_me' => [
        'cookie' => [
            'name' => 'rememberme',
        ],
        'domain' => null, // No cookie domain configured here; see the warning above before setting one
        'expire_time' => 604800, // presumably seconds (604800 = 7 days) - confirm
        'session' => [
            'path' => '/',
        ],
    ],
    /*
     * ----------------------------------------------------------------------
     * Reserved user IDs
     * ----------------------------------------------------------------------
     * The master (root) user is the one with the 'master' user id below; the
     * same goes for guest users and the 'guest' id.
     */
    'reserved_user_ids' => [
        'guest' => -1,
        'master' => 1,
    ],
    /*
     * ----------------------------------------------------------------------
     * Account Session config
     * ----------------------------------------------------------------------
     * The keys used in the session to store info about authenticated users
     */
    'session' => [
        'keys' => [
            'current_user_id' => 'account.current_user_id', // the key to use for storing the authenticated user's id
            'captcha' => 'account.captcha', // Key used to store a captcha hash during captcha verification
        ],
    ],
    /*
     * ----------------------------------------------------------------------
     * Account Site Settings
     * ----------------------------------------------------------------------
     * "Site" settings that are automatically passed to Twig. Use these
     * settings to control the login, password (re)set and registration
     * processes.
     *
     * NOTE(review): because these values are handed to the templates, treat
     * everything under 'site' as visible to the client, and confirm that the
     * limits below are also enforced by the server-side validation.
     */
    'site' => [
        'login' => [
            'enable_email' => true, // Set to false to allow login by username only
        ],
        'registration' => [
            'enabled' => true, // If this is set to false, you probably also want to set require_email_verification to false to disable the link on the signup page
            'captcha' => true,
            'require_email_verification' => true,
            // Default roles and other settings for newly registered users
            'user_defaults' => [
                'locale' => 'en_US',
                'group' => 'terran',
                'roles' => [
                    'user' => true,
                ],
            ],
        ],
        'password' => [
            // NOTE(review): a maximum of 25 characters rejects long passphrases.
            // NIST SP 800-63B recommends accepting at least 64 characters;
            // consider raising 'max' in a site-level override.
            'length' => [
                'min' => 8,
                'max' => 25,
            ],
        ],
    ],
    /*
     * ----------------------------------------------------------------------
     * Throttles Configuration
     * ----------------------------------------------------------------------
     * In this file only 'sign_in_attempt' has a rule; every other throttle is
     * null. The original note here reads: "No throttling is enforced by
     * default. Everything is setup in production mode."
     * See http://security.stackexchange.com/a/59550/74909 for the inspiration
     * for our throttling system.
     *
     * NOTE(review): confirm that the production configuration defines rules
     * for the entries left null here (username checks, password reset and
     * verification requests, registration), since those endpoints are
     * otherwise unthrottled.
     *
     * Rule fields, as far as this file shows - verify against the throttler:
     *  - 'method': what requests are grouped by ('ip' here). If the
     *    application runs behind a reverse proxy, check which address the
     *    throttler actually sees.
     *  - 'interval': presumably the look-back window in seconds (3600 = 1 hour).
     *  - 'delays': presumably number of attempts within the interval =>
     *    seconds to wait before the next attempt is accepted.
     */
    'throttles' => [
        'check_username_request' => null,
        'password_reset_request' => null,
        'registration_attempt' => null,
        'sign_in_attempt' => [
            'method' => 'ip',
            'interval' => 3600,
            'delays' => [
                4 => 5,
                5 => 10,
                6 => 20,
                7 => 40,
                8 => 80,
                9 => 600,
            ],
        ],
        'verification_request' => null,
    ],
    /*
     * ----------------------------------------------------------------------
     * Configuration for the 'email verification' feature
     * ----------------------------------------------------------------------
     * 'algorithm' is presumably the hash applied to verification tokens and
     * 'timeout' their lifetime in seconds (10800 = 3 hours) - confirm against
     * the code that reads these keys.
     */
    'verification' => [
        'algorithm' => 'sha512',
        'timeout' => 10800,
    ],
];