Skip to content

[WIP] New auth #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
clay-rip wants to merge 2 commits into
base: 0.7.0
Choose a base branch
from
Draft

[WIP] New auth #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
109c12a
initial new auth commit
clay-rip Feb 21, 2026
ce8d985
Format "initial new auth commit"
invalid-email-address Feb 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 12 additions & 10 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,16 +19,6 @@ CORS_ENABLED=true
# comma-separated list of allowed domains (no spaces)
ALLOWED_ORIGINS=https://pvzm.net,https://backend.pvzm.net

# ADMIN AUTHENTICATION
USE_GITHUB_AUTH=true
# Register a new OAuth app at https://github.com/settings/applications/new
GITHUB_CLIENT_ID=some-client-id
GITHUB_CLIENT_SECRET=some-client-secret
# Comma-separated list of GitHub usernames allowed to access admin (no spaces)
GITHUB_ALLOWED_USERS=username1,username2
# A random string used to encrypt cookies and sessions
SESSION_SECRET=some-random-secret

# OPTIONAL SERVICES

# use cloudflare turnstile for captcha
Expand Down Expand Up @@ -73,6 +63,18 @@ BLUESKY_IDENTIFIER=some-bluesky-identifier.example.com
BLUESKY_PASSWORD=some-bluesky-password
BLUESKY_PDS=https://pds.example.com

# authentication (better-auth)
# generate with: openssl rand -base64 32
AUTH_SECRET=some-auth-secret
# comma-separated list of better-auth user IDs that bypass role checks and always have admin access
# useful for bootstrapping - these users can perform admin operations regardless of their role in the DB
# ref: https://www.better-auth.com/docs/plugins/admin#admin-user-ids
AUTH_ADMIN_USER_IDS=
# optional: github oauth (sign in with github)
USE_GITHUB_AUTH=false
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

# posthog analytics
USE_POSTHOG_ANALYTICS=false
POSTHOG_API_KEY=phc_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Expand Down
64 changes: 32 additions & 32 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,38 +61,38 @@ Full API documentation is available at [docs.pvzm.net/api](https://docs.pvzm.net

The server can be configured using the following environment variables in a `.env` file:

| Variable | Description | Default |
| -------------------------- | -------------------------------------------------------------------- | ------------------------------------------- |
| PORT | Server port | 3000 |
| DB_PATH | Path to SQLite database | ./database.db |
| DATA_FOLDER_PATH | Path to level data storage | ./data |
| CREATE_DATA_FOLDER | Create data folder if it doesn't exist | true |
| USE_PUBLIC_FOLDER | Serve static files (e.g. `/index.html`, `/admin.html`) | true |
| PUBLIC_FOLDER_PATH | Path to static files folder | ./public |
| CREATE_PUBLIC_FOLDER | Create the public folder if it doesn't exist | true |
| USE_TEST_UI | Enable test UI route (`/index.html`) | true |
| USE_ADMIN_UI | Enable admin UI route (`/admin.html`) | true |
| GAME_URL | Game URL used in generated links (reports/uploads) | <https://pvzm.net> |
| GAME_URL_SECRET | Secret appended to game URL requests to bypass WAF/bot protection | |
| BACKEND_URL | Backend URL used in generated links (reports/uploads) | <https://backend.pvzm.net> |
| CORS_ENABLED | Enable CORS | true |
| ALLOWED_ORIGINS | Comma-separated list of allowed origins (no spaces) | `https://pvzm.net,https://backend.pvzm.net` |
| USE_GITHUB_AUTH | Enable GitHub OAuth protection for admin routes | true |
| GITHUB_CLIENT_ID | GitHub OAuth client ID | |
| GITHUB_CLIENT_SECRET | GitHub OAuth client secret | |
| GITHUB_ALLOWED_USERS | Comma-separated GitHub usernames allowed to access admin (no spaces) | |
| SESSION_SECRET | Session secret (cookie/session encryption) | default-secret |
| USE_TURNSTILE | Enable Cloudflare Turnstile captcha (upload endpoint) | true |
| TURNSTILE_SECRET | Turnstile secret key | |
| TURNSTILE_SITE_KEY | Turnstile site key | |
| TURNSTILE_TESTING | Accept dummy Turnstile tokens (DO NOT USE IN PRODUCTION) | false |
| USE_OPENAI_MODERATION | Enable OpenAI content moderation | true |
| OPENAI_API_KEY | OpenAI API key | |
| USE_REPORTING | Enable reporting endpoint | true |
| USE_UPLOAD_LOGGING | Send upload events to Discord webhook | true |
| DISCORD_REPORT_WEBHOOK_URL | Discord webhook URL for reports | |
| DISCORD_UPLOAD_WEBHOOK_URL | Discord webhook URL for uploads | |
| DISCORD_MENTION_USER_IDS | Comma-separated user IDs to mention in reports | |
| Variable | Description | Default |
| -------------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| PORT | Server port | 3000 |
| DB_PATH | Path to SQLite database | ./database.db |
| DATA_FOLDER_PATH | Path to level data storage | ./data |
| CREATE_DATA_FOLDER | Create data folder if it doesn't exist | true |
| USE_PUBLIC_FOLDER | Serve static files (e.g. `/index.html`, `/admin.html`) | true |
| PUBLIC_FOLDER_PATH | Path to static files folder | ./public |
| CREATE_PUBLIC_FOLDER | Create the public folder if it doesn't exist | true |
| USE_TEST_UI | Enable test UI route (`/index.html`) | true |
| USE_ADMIN_UI | Enable admin UI route (`/admin.html`) | true |
| GAME_URL | Game URL used in generated links (reports/uploads) | <https://pvzm.net> |
| GAME_URL_SECRET | Secret appended to game URL requests to bypass WAF/bot protection | |
| BACKEND_URL | Backend URL used in generated links (reports/uploads) | <https://backend.pvzm.net> |
| CORS_ENABLED | Enable CORS | true |
| ALLOWED_ORIGINS | Comma-separated list of allowed origins (no spaces) | `https://pvzm.net,https://backend.pvzm.net,https://docs.pvzm.net,https://staging.pvzm.net` |
| USE_GITHUB_AUTH | Enable GitHub OAuth protection for admin routes | true |
| GITHUB_CLIENT_ID | GitHub OAuth client ID | |
| GITHUB_CLIENT_SECRET | GitHub OAuth client secret | |
| GITHUB_ALLOWED_USERS | Comma-separated GitHub usernames allowed to access admin (no spaces) | |
| SESSION_SECRET | Session secret (cookie/session encryption) | default-secret |
| USE_TURNSTILE | Enable Cloudflare Turnstile captcha (upload endpoint) | true |
| TURNSTILE_SECRET | Turnstile secret key | |
| TURNSTILE_SITE_KEY | Turnstile site key | |
| TURNSTILE_TESTING | Accept dummy Turnstile tokens (DO NOT USE IN PRODUCTION) | false |
| USE_OPENAI_MODERATION | Enable OpenAI content moderation | true |
| OPENAI_API_KEY | OpenAI API key | |
| USE_REPORTING | Enable reporting endpoint | true |
| USE_UPLOAD_LOGGING | Send upload events to Discord webhook | true |
| DISCORD_REPORT_WEBHOOK_URL | Discord webhook URL for reports | |
| DISCORD_UPLOAD_WEBHOOK_URL | Discord webhook URL for uploads | |
| DISCORD_MENTION_USER_IDS | Comma-separated user IDs to mention in reports | |

## License

Expand Down
23 changes: 9 additions & 14 deletions deno.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,31 +32,26 @@
}
},
"imports": {
"@atproto/api": "npm:@atproto/api@^0.18.20",
"@db/sqlite": "jsr:@db/sqlite@^0.13.0",
"@napi-rs/canvas": "npm:@napi-rs/canvas@^0.1.65",
"@atproto/api": "npm:@atproto/api@^0.18.21",
"@napi-rs/canvas": "npm:@napi-rs/canvas@^0.1.93",
"@mathis/turnstile-verify": "jsr:@mathis/turnstile-verify@^1.2.0",
"@msgpack/msgpack": "npm:@msgpack/msgpack@^3.1.3",
"@openai/openai": "jsr:@openai/openai@^6.17.0",
"@std/msgpack": "jsr:@std/msgpack@1.0.3",
"@openai/openai": "jsr:@openai/openai@^6.22.0",
"@std/fs": "jsr:@std/fs@^1.0.22",
"@types/cors": "npm:@types/cors@^2.8.19",
"@types/express": "npm:@types/express@^5.0.6",
"@types/node": "npm:@types/node@^25.2.0",
"@types/pako": "npm:@types/pako@^2.0.4",
"@types/node": "npm:@types/node@^25.3.0",
"bad-words": "npm:bad-words@^4.0.0",
"better-auth": "npm:better-auth@^1.4.18",
"cors": "npm:cors@^2.8.6",
"discord.js": "npm:discord.js@^14.25.1",
"express-msgpack": "npm:express-msgpack@^6.0.0",
"express-session": "npm:express-session@^1.19.0",
"express": "npm:express@^5.2.1",
"memorystore": "npm:memorystore@^1.6.7",
"passport": "npm:passport@^0.7.0",
"passport-github2": "npm:passport-github2@^0.1.12",
"pako": "npm:pako@^2.1.0",
"posthog-node": "npm:posthog-node@^5.24.9"
"posthog-node": "npm:posthog-node@^5.24.17"
},
"compilerOptions": {
"strict": true,
"strictNullChecks": true
}
},
"nodeModulesDir": "auto"
}
Loading