feat: add auth checks to spec/validator and JWT_SECRET to infrastructure scripts
Add JWT_SECRET and CORS_ORIGINS to spec optional env vars, Authentication
section, and compatibility checklist. Validator now warns (not fails) when
JWT_SECRET or JWT library is missing. Infrastructure scripts generate,
rotate, and inject JWT_SECRET alongside existing DB/S3 credentials.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs/spec.md (13 additions & 0 deletions)
@@ -85,6 +85,8 @@ Applications must support configuration via environment variables.
85
85
|`S3_BUCKET`| Storage bucket name |
86
86
|`S3_ACCESS_KEY`| Storage access key |
87
87
|`S3_SECRET_KEY`| Storage secret key |
88
+
|`JWT_SECRET`| Secret key for JWT token signing |
89
+
|`CORS_ORIGINS`| Comma-separated allowed CORS origins |
88
90
|`EMAIL_API_KEY`| Transactional email API key |
89
91
|`EMAIL_FROM`| Sender email address |
90
92
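Review bot: the new `JWT_SECRET` row describes the variable only as "Secret key for JWT token signing" and gives no strength requirement; since the Authentication section added in this same commit fixes HS256, the row (or that section) should state that the value must be randomly generated and at least 256 bits (32 bytes) long, which is the minimum RFC 7518 requires for HS256, e.g. `|`JWT_SECRET`| Secret for HS256 JWT signing; random, at least 32 bytes, unique per application |`. The `CORS_ORIGINS` row should likewise state the expected entry format (scheme plus host, such as `https://app.example.com`) and whether `*` is accepted, since a wildcard entry turns the allow-list into no list at all. Finally, the commit message files both variables under optional env vars, but `JWT_SECRET` is mandatory whenever authentication is enabled; marking it as conditional rather than optional in the table avoids the validator's warning-only behaviour reading as permission to omit it.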
@@ -177,6 +179,16 @@ Applications should follow basic security practices:
177
179
- Validate input data
178
180
- Enforce authentication where required
179
181
182
+
## Authentication
183
+
184
+
Applications that require user authentication should use:
185
+
186
+
-**JWT tokens** (HS256) for session management
187
+
-**bcrypt** for password hashing
188
+
-**HTTPBearer** scheme for token transport
189
+
190
+
The app-template provides this infrastructure out of the box. See the [app-template README](https://github.com/towlion/app-template#authentication) for usage.
191
+
180
192
## Compatibility Checklist
181
193
182
194
To remain compatible with the Towlion platform, applications must:
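Review bot: the Authentication section names HS256, bcrypt and HTTPBearer but says nothing about token lifetime or algorithm pinning, which are the two constraints a reader of the spec needs in order to verify tokens correctly; add a line that tokens carry an `exp` claim with a bounded lifetime and that the verifier accepts only `alg: HS256`, rejecting any token whose header names a different algorithm. Because HS256 is a shared-secret scheme, also state that `JWT_SECRET` must be unique per application: any party holding the secret can issue valid tokens, so a secret reused across apps makes one app's tokens valid in every other. For the bcrypt bullet, note that bcrypt only processes the first 72 bytes of input, so the spec should say how longer passwords are handled (for example, rejected at registration) rather than silently truncated. The app-template link is the right place for usage details, but these constraints belong in the spec itself, since the spec is what the validator and the compatibility checklist are derived from.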
@@ -195,6 +207,7 @@ To remain compatible with the Towlion platform, applications must:
195
207
-[ ]`app/main.py` uses FastAPI
196
208
-[ ] Python dependencies (`requirements.txt` or `pyproject.toml`) include `fastapi` and `uvicorn`
197
209
-[ ] No hardcoded secrets in source code
210
+
-[ ]`deploy/env.template` contains `JWT_SECRET` (if using authentication)
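Review bot: the new checklist item "`deploy/env.template` contains `JWT_SECRET`" does not say whether a value may be present, and it sits two lines below "No hardcoded secrets in source code"; make it explicit that the template lists the variable name with an empty or placeholder value, e.g. `- [ ] `deploy/env.template` lists `JWT_SECRET` with no real value (if using authentication)`, so the committed template never becomes the place the secret lives. Also, the checklist says applications "must" satisfy these items, while the commit message says the validator only warns (not fails) when `JWT_SECRET` is missing; either the validator should fail on a missing `JWT_SECRET` when authentication is enabled, or the checklist wording should say the item is advisory, so the spec and the validator do not disagree.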