Configuration - AlyBadawy/Securial GitHub Wiki

โš™๏ธ Configuration

Securial uses a simple initializer (config/initializers/securial.rb) to let you tweak its behaviour.

When you run the installer (see the Installation page), this file is created for you. Inside it you call Securial.configure and set the options described below.

The generated file itself also documents how to configure Securial.

[!TIP] Make sure to restart your Rails server after making changes to this file.

🔧 Logging Configuration

Securial allows you to configure how logging is handled:

  • log_to_file: Set to true to enable file logging; all Securial activity is then written to log/securial.log.
  • log_to_stdout: Set to true to enable STDOUT logging (useful for development).
  • log_file_level: Set the logging level for file logging (:debug, :info, :warn, :error, :fatal, or :unknown).
  • log_stdout_level: Set the logging level for STDOUT logging.

👤 User Roles

Securial provides role-based access controls:

  • admin_role: Defines the role that has administrative access. Setting this creates a dedicated URL namespace through which admins reach privileged areas. For example, setting admin_role to "superuser" creates endpoints under /securial/superusers/ such as:
    • /securial/superusers/users
    • /securial/superusers/roles

Read more about managing users in the Wiki › User management

🕒 Session Configuration

Control how session management is handled:

  • session_expiration_duration: Set how long a session is valid before it expires. This should be an ActiveSupport::Duration like 3.minutes. Once this duration lapses, the user will need to refresh the token or log in again.

  • session_renewal_duration: Set the grace period during which the user can still refresh a session token after it has expired. Once that grace period has passed, the user has to log in again to obtain a new session token and refresh token.

  • session_secret: A secret key used for signing session tokens. Keep it safe; it is recommended to store it in an environment variable or a secrets store rather than in the initializer. Changing this value will invalidate all existing sessions.

  • session_algorithm: Choose the signing algorithm (:hs256, :hs384, :hs512).
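To make the interaction between session_expiration_duration, session_renewal_duration, session_secret and session_algorithm concrete, here is an added, self-contained Ruby model of a token's lifecycle. It is example code written for this page, not Securial's own implementation: the token format, the helper names and the settings hash are assumptions, and durations are plain seconds standing in for ActiveSupport::Duration values such as 3.minutes so that it runs without Rails.

```ruby
require "openssl"
require "json"

# Constructed settings that mirror the page's session options (assumed values).
# Durations are plain seconds here instead of ActiveSupport::Duration.
SESSION_SETTINGS = {
  expiration: 3 * 60,    # session_expiration_duration (3 minutes)
  renewal:    10 * 60,   # session_renewal_duration (10-minute grace period, assumed)
  secret:     "constructed-secret-for-illustration-only",  # session_secret
  algorithm:  :hs256,    # session_algorithm: :hs256, :hs384 or :hs512
}.freeze

# Maps the page's algorithm symbols to OpenSSL digest names.
DIGESTS = { hs256: "SHA256", hs384: "SHA384", hs512: "SHA512" }.freeze

def b64(bytes)
  [bytes].pack("m0")   # strict base64 without line breaks
end

def hmac(body, settings)
  b64(OpenSSL::HMAC.digest(DIGESTS.fetch(settings[:algorithm]), settings[:secret], body))
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issues a signed token whose "exp" claim is issued_at + session_expiration_duration.
def issue_token(user_id, issued_at:, settings: SESSION_SETTINGS)
  body = b64(JSON.generate("sub" => user_id, "iat" => issued_at, "exp" => issued_at + settings[:expiration]))
  "#{body}.#{hmac(body, settings)}"
end

# Classifies a token at time `now`:
#   :valid     - before exp, the request is accepted
#   :renewable - past exp but inside session_renewal_duration, only a refresh is allowed
#   :expired   - past the grace period, the user must log in again
#   :invalid   - malformed or signature mismatch (e.g. after session_secret was rotated)
def session_state(token, now:, settings: SESSION_SETTINGS)
  body, mac = token.to_s.split(".", 2)
  return :invalid if body.nil? || mac.nil? || !secure_equal?(hmac(body, settings), mac)
  exp = JSON.parse(body.unpack1("m0"))["exp"]   # parse only after the signature verified
  return :valid     if now < exp
  return :renewable if now < exp + settings[:renewal]
  :expired
end

# Refresh logic: only a :valid or :renewable token yields a new one.
def refresh_token(token, now:, settings: SESSION_SETTINGS)
  return nil unless %i[valid renewable].include?(session_state(token, now: now, settings: settings))
  user_id = JSON.parse(token.split(".", 2).first.unpack1("m0"))["sub"]
  issue_token(user_id, issued_at: now, settings: settings)
end
```

Two points the model makes visible: the payload is decoded only after the HMAC has been verified, and rotating the secret turns every outstanding token into :invalid rather than :expired, which is why the page warns that changing session_secret logs everyone out.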

Read more about sessions and authentication in the Wiki › Authentication

📬 Mailer Configuration

Settings related to email delivery:

Configure email notifications for events like sign-up, sign-in, account updates and password resets. Each notification type has an *_enabled flag and a custom subject line. Set mailer_sender to the address from which your notifications are sent.

๐Ÿ” Password Configuration

Security-related settings for password management:

  • password_reset_email_subject: Subject line for password reset emails.
  • password_min_length: Minimum length for user passwords.
  • password_max_length: Maximum allowable length for passwords.
  • password_complexity: Regex used to validate password strength.
  • password_expires_in: Duration after which a password must be changed.
  • reset_password_token_expires_in: Duration for which a password reset token remains valid.
  • reset_password_token_secret: Secret used to sign reset tokens.
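The following added Ruby example shows how password_min_length, password_max_length, password_complexity and password_expires_in combine into a validation, and why the complexity regex should be anchored with \A and \z. It is illustration code written for this page, not Securial's implementation; the policy values, the regex and the function names are assumptions, and password_expires_in is expressed in seconds rather than as an ActiveSupport::Duration.

```ruby
# Constructed policy mirroring the page's password options (assumed values).
PASSWORD_POLICY = {
  min_length: 12,                                                          # password_min_length
  max_length: 128,                                                         # password_max_length
  complexity: /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).+\z/,    # password_complexity
  expires_in: 90 * 24 * 60 * 60,                                           # password_expires_in (90 days)
}.freeze

# The same pattern anchored with ^ and $. In Ruby those match at line boundaries,
# so a string containing a newline can satisfy it on one line while the stored
# password as a whole does not meet the policy. Kept here only for comparison.
LINE_ANCHORED_COMPLEXITY = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).+$/

# Returns a list of policy violations; an empty list means the password is acceptable.
def password_errors(password, policy: PASSWORD_POLICY)
  errors = []
  errors << :too_short unless password.length >= policy[:min_length]
  errors << :too_long  unless password.length <= policy[:max_length]
  errors << :too_weak  unless password.match?(policy[:complexity])
  errors
end

# True when the password is older than password_expires_in and must be changed.
def password_expired?(changed_at, now:, policy: PASSWORD_POLICY)
  now - changed_at >= policy[:expires_in]
end

# Demonstrates the anchoring difference on a newline-containing input.
def complexity_bypassed_by_line_anchors?(password)
  password.match?(LINE_ANCHORED_COMPLEXITY) && !password.match?(PASSWORD_POLICY[:complexity])
end
```

When picking a value for password_complexity, test it against multi-line input as complexity_bypassed_by_line_anchors? does: a pattern anchored with ^ and $ accepts "weak\nStr0ng!Pass", while the \A...\z form rejects it.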

Read more about passwords and authentication in the Wiki › Authentication

📑 Response formatting & security

  • response_keys_format: Choose how JSON keys are cased (:snake_case, :lowerCamelCase, :UpperCamelCase).
  • timestamps_in_response: Decide whether timestamps appear in API responses (:all, :admins_only or :none).
  • security_headers: Enforce HTTP security headers (:strict, :default, :none).
  • Rate limiting: Enable request rate limiting with rate_limiting_enabled and configure the maximum requests per minute and the response message.
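As an added example (not Securial's code), the Ruby below models three of these settings: re-casing nested JSON keys per response_keys_format, dropping created_at/updated_at according to timestamps_in_response, and a fixed one-minute window limiter for the rate limiting options. The settings hashes, the RateLimiter class, the timestamp key names and the sample payload are assumptions constructed for illustration.

```ruby
# Constructed settings mirroring the page's response and rate-limiting options (assumed values).
RESPONSE_SETTINGS = {
  keys_format: :lowerCamelCase,   # response_keys_format
  timestamps:  :admins_only,      # timestamps_in_response: :all, :admins_only or :none
}.freeze
RATE_LIMIT = { enabled: true, max_per_minute: 3, message: "Too many requests" }.freeze

# Assumed timestamp attribute names (Rails' defaults).
TIMESTAMP_KEYS = %w[created_at updated_at].freeze

# Converts one snake_case key into the configured style.
def format_key(key, style)
  parts = key.to_s.split("_")
  case style
  when :snake_case     then parts.join("_")
  when :lowerCamelCase then ([parts.first] + parts.drop(1).map(&:capitalize)).join
  when :UpperCamelCase then parts.map(&:capitalize).join
  else raise ArgumentError, "unknown response_keys_format: #{style.inspect}"
  end
end

# Walks nested hashes and arrays, dropping timestamp keys unless the mode (and the
# caller's admin status) allows them, then re-cases the remaining keys.
def render_response(value, admin:, settings: RESPONSE_SETTINGS)
  show_timestamps = settings[:timestamps] == :all || (settings[:timestamps] == :admins_only && admin)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      next if !show_timestamps && TIMESTAMP_KEYS.include?(k.to_s)
      out[format_key(k, settings[:keys_format])] = render_response(v, admin: admin, settings: settings)
    end
  when Array
    value.map { |v| render_response(v, admin: admin, settings: settings) }
  else
    value
  end
end

# Fixed one-minute window counter per client, matching "maximum requests per minute".
# check returns nil to allow the request, or the configured message to reject it.
class RateLimiter
  def initialize(settings = RATE_LIMIT)
    @settings = settings
    @counters = Hash.new { |h, k| h[k] = [nil, 0] }   # client => [window, count]
  end

  def check(client, now:)
    return nil unless @settings[:enabled]
    window = now.to_i / 60
    prev_window, count = @counters[client]
    count = 0 unless prev_window == window           # new minute, start counting again
    @counters[client] = [window, count + 1]
    count + 1 > @settings[:max_per_minute] ? @settings[:message] : nil
  end
end
```

Timestamps are removed before the keys are re-cased, so the filter matches on the original snake_case names regardless of the output style. The limiter keeps its counters in memory, which is enough to show the semantics but not for a multi-process deployment, where a shared store would be needed.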

For advanced use cases or further customization, refer to the source code or open an issue on the GitHub repository.