ledgrab/server/config/default_config.yaml
alexei.dolgolyov 126d8f2449 feat(auth): add auth.expose_docs flag to view API docs without a token
The /docs, /redoc and /openapi.json routes are gated by AuthRequired, so a
browser can't open them on plain navigation (no way to attach a Bearer token).
Add an opt-in auth.expose_docs flag (default off) that relaxes ONLY those three
routes to anonymous access (loopback + LAN) via a new verify_docs_access
dependency. Every real endpoint stays protected, and a startup WARNING fires
when the flag is on.

- config: AuthConfig.expose_docs: bool = False
- auth: verify_docs_access / DocsAccess dependency
- main: docs routes use DocsAccess; startup warning
- default_config.yaml: documented flag
- tests: docs anonymous when exposed; real endpoints still 401
2026-06-11 00:14:48 +03:00


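server:
  # '0.0.0.0' binds every interface, so the port is reachable from the LAN.
  # Non-loopback access then depends entirely on the API-key check configured
  # under `auth`. Use '127.0.0.1' for a loopback-only deployment.
  host: '0.0.0.0'
  port: 8080
  log_level: 'INFO'
  # CORS: restrict to localhost by default.
  # For LAN access, add your machine's origin,
  # e.g. 'http://192.168.1.100:8080'.
  # Every origin listed here may make cross-origin requests to the API, so
  # site-specific LAN addresses belong in a local override, not in the
  # shipped defaults.
  cors_origins:
    - 'http://localhost:8080'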
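auth:
  # API keys — required for any non-loopback (LAN) request.
  # When empty (default):
  #   - loopback (127.0.0.1, ::1, localhost) requests are allowed anonymously
  #   - LAN requests are REJECTED with 401 (security default)
  # To enable LAN access, replace the empty map with the example below and
  # set the value to a secret you generated yourself
  # (e.g. `openssl rand -hex 32`).
  # Do NOT ship a hard-coded key here — a publicly-known token grants full
  # LAN access to anyone on the network. A placeholder such as
  # 'development-key-change-in-production' counts as publicly known: any
  # deployment still carrying it should rotate to a fresh secret.
  api_keys: {}
  # api_keys:
  #   my-client: 'replace-with-output-of-openssl-rand-hex-32'

  # Expose the interactive API docs (/docs, /redoc, /openapi.json) WITHOUT a
  # Bearer token so they can be opened directly in a browser. When true, this
  # applies to loopback AND LAN clients. Only the API *surface* (route paths +
  # parameter schemas) is exposed — calling an endpoint from Swagger still
  # requires the token via its "Authorize" button, and every other route stays
  # protected. The schema still tells any unauthenticated LAN client exactly
  # which routes and parameters exist, so leave this false unless you want
  # browsable docs on your network.
  expose_docs: false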
# Storage paths default to ./data relative to the server's working directory.
# Set LEDGRAB_DATA_DIR in the environment to point at a different data root
# (the whole dir — both the database and assets), or uncomment the block
# below to pin an absolute database file.
# storage:
# database_file: "/absolute/path/to/ledgrab.db"
mqtt:
  # Off by default.
  enabled: false
  broker_host: 'localhost'
  # 1883 is the conventional port for MQTT without TLS; on that port the
  # username/password below would cross the network unencrypted.
  # NOTE(review): whether a TLS option exists is not visible here — confirm
  # before pointing broker_host at anything other than localhost.
  broker_port: 1883
  # Empty credentials — presumably an anonymous broker connection; confirm.
  # Keep real broker passwords out of version control.
  username: ''
  password: ''
  client_id: 'ledgrab'
  base_topic: 'ledgrab'
logging:
  # Output format: json or text.
  format: 'json'
  # Relative path — presumably resolved against the server's working
  # directory; confirm against the loader.
  file: 'logs/ledgrab.log'
  # NOTE(review): the names suggest size-based rotation (100 MB per file,
  # 5 old files kept) — confirm against the logging setup.
  max_size_mb: 100
  backup_count: 5
updates:
  # When false (default), an update that has no published sha256 checksum
  # (a sibling .sha256 asset OR a 64-hex string in the release body) is
  # aborted before any installer/extractor runs.
  # NEVER set this to true unless you control the release server end-to-end.
  # The checksum is published alongside the artifact, so it guards against a
  # corrupted or mismatched download rather than proving who published the
  # release.
  allow_unchecked: false