diff --git a/auth0/README.md b/auth0/README.md
deleted file mode 100644
index 6c0692b6..00000000
--- a/auth0/README.md
+++ /dev/null
@@ -1,101 +0,0 @@ -## Quick Start - -### Setting up env locally - -``` -AUTH0_ENV=development -AUTH0_DEPLOY_CLIENT_SECRET= -POSTMARK_SMTP_PASS= -``` - -- `AUTH0_ENV` - This is either `development`, `staging`, or `production`. This should **always** be `development` when working locally. -- `AUTH0_DEPLOY_CLIENT_SECRET` - The secret for the `auth0-deploy-cli-extension` application in Auth0 dashboard -- `POSTMARK_SMTP_PASS` - Go to Postmark => Servers => "Mail Server" => Message Streams => "Default Transactional Message Stream" => Settings - -You will need to install the Auth0 Client to test templates (you might need to change the commands depending on your platform): - -```bash -# Linux example -wget -c https://github.com/auth0/auth0-cli/releases/download/v0.11.2/auth0-cli_0.11.2_Linux_x86_64.tar.gz -O - | sudo tar -xz -C /usr/local/bin/ -``` - -### How deployments work - -Per the [Auth0 docs](https://github.com/auth0/auth0-deploy-cli/tree/master/examples/directory), this repository uses Github Actions to define each Auth0 tenant configuration. - -Maybe has 3 tenants: - -1. `maybe-finance-development` -2. `maybe-finance-staging` -3. `maybe-finance-production` - -On each push to a branch with `auth0` in it (e.g. `someuser/pr-title-auth0`), the configuration in `tenant.yaml` will be deployed to the **staging** tenant. - -On each push to `main`, the configuration in `tenant.yaml` will be deployed to the **production** tenant. - -These rules are defined in `.github/workflows/deploy-auth0-staging.yml` and `.github/workflows/deploy-auth0-prod.yml` respectively. - -## Editing and Testing - -### `tenant.yaml` - -The `tenant.yaml` file will accept any options present in the [Auth0 Management API](https://auth0.com/docs/api/management/v2). - -[Here is a sample `tenant.yaml` file](https://github.com/auth0/auth0-deploy-cli/blob/master/examples/yaml/tenant.yaml). 
- -For example, you can define tenant-wide settings using the Management API [tenant endpoint](https://auth0.com/docs/api/management/v2#!/Tenants/tenant_settings_route) (abbreviated): - -```json -# Abbreviated Management API V2 tenant endpoint GET response -{ - "flags": { - "revoke_refresh_token_grant": false, - ... - }, - "friendly_name": "My Company", - "picture_url": "https://mycompany.org/logo.png", - "support_email": "support@mycompany.org", - ... -} -``` - -```yaml -# tenant.yaml - -tenant: - flags: - revoke_refresh_token_grant: false - friendly_name: Maybe Finance - picture_url: https://assets.maybe.co/images/maybe.svg - support_email: hello@maybe.co -``` - -### Testing custom templates - -Testing custom templates (`/auth0/emailTemplates` and `/auth0/pages`) happens in 3 steps: - -1. Run `live-server` with `yarn auth0:edit`. You can make HTML/CSS changes in this view -2. To deploy to the dev tenant, run `yarn auth0:deploy` (make sure your `.env` is setup per instructions at top of this README) -3. To test the new deployment, run `yarn auth0:test` - -Unfortunately, you will have to deploy **every time** you make changes to properly test since Auth0 does not have many developer tools. - -References: - -- Auth0 client reference - https://github.com/auth0/auth0.js/tree/master/example -- Auth0 developer tool docs - https://auth0.github.io/auth0-cli/ -- Relevant Auth0 docs - https://auth0.com/docs/brand-and-customize/universal-login-page-templates#using-the-auth0-cli- - -### Password Reset - -Of special note is the `/auth0/pages/password_reset.html` page. Auth0 currently does not have an API for password resets, but an Auth0 employee created an -[open source example](https://github.com/auth0/auth0-custom-password-reset-hosted-page) of how to tap into the login page endpoints to customize it. 
If this page ever breaks (due to changes in internal Auth0 API) we can easily revert back to Universal PW reset in `tenant.yaml`: - -```yaml -emailTemplates: - - template: reset_email - body: ./emailTemplates/reset_email.html - enabled: false # CHANGE THIS -``` - -Setting this to false will revert to the default Auth0 password reset widget (not Maybe branded, but fully functional) diff --git a/auth0/config.js b/auth0/config.js deleted file mode 100644 index 291734b4..00000000 --- a/auth0/config.js +++ /dev/null 
@@ -1,90 +0,0 @@ -require('dotenv').config() -const path = require('path') -const cli = require('auth0-deploy-cli') -const env = require('./env') - -// CI is always set to true in Github Actions environment -if (process.env.ENV === 'production' && !process.env.CI) { - throw new Error('Cannot deploy to production outside of CI/CD workflow!') -} - -let AUTH0_DOMAIN -let AUTH0_CUSTOM_DOMAIN -let AUTH0_CLIENT_ID -let CLIENT_BASE_URLS -let SERVER_BASE_URLS -let ADMIN_ROLE_ID -let BETA_TESTER_ROLE_ID - -const trustedOrigins = ['https://*.maybe.co', 'https://*.vercel.app'] -const logoutOrigins = [...trustedOrigins] - -switch (env.AUTH0_ENV) { - case 'development': - AUTH0_DOMAIN = 'REPLACE_THIS' - AUTH0_CUSTOM_DOMAIN = AUTH0_DOMAIN - AUTH0_CLIENT_ID = 'REPLACE_THIS' - // 8484 is for the local auth0-client testing - CLIENT_BASE_URLS = [ - 'http://localhost:4200', - 'http://localhost:8484', - 'https://localhost.maybe.co', - ] - CLIENT_LOGOUT_URLS = [...logoutOrigins, 'http://localhost:4200'] - SERVER_BASE_URLS = ['http://localhost:3333'] - ADMIN_ROLE_ID = 'REPLACE_THIS' - BETA_TESTER_ROLE_ID = 'REPLACE_THIS' - break - case 'staging': - AUTH0_DOMAIN = 'REPLACE_THIS' - AUTH0_CUSTOM_DOMAIN = AUTH0_DOMAIN - AUTH0_CLIENT_ID = 'REPLACE_THIS' - CLIENT_BASE_URLS = ['https://staging-app.maybe.co', ...trustedOrigins] - CLIENT_LOGOUT_URLS = logoutOrigins - SERVER_BASE_URLS = ['https://staging-api.maybe.co'] - ADMIN_ROLE_ID = 'REPLACE_THIS' - BETA_TESTER_ROLE_ID = 'REPLACE_THIS' - break - case 'production': - AUTH0_DOMAIN = 'REPLACE_THIS' - AUTH0_CUSTOM_DOMAIN = 'login.maybe.co' - AUTH0_CLIENT_ID = 'REPLACE_THIS' - CLIENT_BASE_URLS = ['https://app.maybe.co', ...trustedOrigins] - CLIENT_LOGOUT_URLS = logoutOrigins - SERVER_BASE_URLS = ['https://api.maybe.co'] - ADMIN_ROLE_ID = 'REPLACE_THIS' - BETA_TESTER_ROLE_ID = 'REPLACE_THIS' - break - default: - throw new Error("Invalid environment: should be 'development' | 'staging' | 'production'") -} - -// 
https://auth0.com/docs/deploy/deploy-cli-tool/import-export-tenant-configuration-to-yaml-file#example-configuration-file -module.exports = { - config: { - AUTH0_DOMAIN: AUTH0_CUSTOM_DOMAIN, - AUTH0_CLIENT_ID, - AUTH0_CLIENT_SECRET: env.AUTH0_DEPLOY_CLIENT_SECRET, - - /* If something exists in the tenant, but NOT the tenant.yaml file, the resource in the - tenant will NOT be deleted (hence, `false`) - keeping this set to false as a safeguard */ - AUTH0_ALLOW_DELETE: false, - - // https://auth0.com/docs/deploy/deploy-cli-tool/environment-variables-and-keyword-mappings - AUTH0_KEYWORD_REPLACE_MAPPINGS: { - // While the JWT is issued from login.maybe.co in production, the management API still must use the default auth0.com domain - AUTH0_DOMAIN, - CLIENT_BASE_URLS, - CLIENT_LOGOUT_URLS, - SERVER_BASE_URLS, - SERVER_CALLBACK_URLS: SERVER_BASE_URLS.map((url) => `${url}/admin/callback`), - POSTMARK_SMTP_PASS: env.POSTMARK_SMTP_PASS, - ADMIN_ROLE_ID: ADMIN_ROLE_ID, - BETA_TESTER_ROLE_ID: BETA_TESTER_ROLE_ID, - APPLE_SIGN_IN_SECRET_KEY: env.APPLE_SIGN_IN_SECRET_KEY, - }, - }, - input_file: path.join(__dirname, 'tenant.yaml'), - sync: cli.export, - deploy: cli.deploy, -} diff --git a/auth0/deploy.js b/auth0/deploy.js deleted file mode 100644 index e5ab1a47..00000000 --- a/auth0/deploy.js +++ /dev/null @@ -1,15 +0,0 @@ -const { config, deploy, input_file } = require('./config') - -deploy({ - config: { - ...config, - - // The deploy client only works with the DEFAULT Auth0 domain, NOT with custom domains - AUTH0_DOMAIN: config.AUTH0_KEYWORD_REPLACE_MAPPINGS.AUTH0_DOMAIN, - }, - input_file, -}) - .then(() => - console.log(`Deployed ${config.AUTH0_KEYWORD_REPLACE_MAPPINGS.AUTH0_DOMAIN} successfully!`) - ) - .catch((err) => console.log(`Deploy failed: ${err}`)) diff --git a/auth0/emailTemplates/reset_email.html b/auth0/emailTemplates/reset_email.html deleted file mode 100644 index c94b8319..00000000 --- a/auth0/emailTemplates/reset_email.html +++ /dev/null 
@@ -1,432 +0,0 @@ - - - - - - - - - Password Reset - - - - - - - - Use this link to reset your password. The link is only valid for 24 hours. - - - - - - - diff --git a/auth0/emailTemplates/verify_email.html b/auth0/emailTemplates/verify_email.html deleted file mode 100644 index 55126c23..00000000 --- a/auth0/emailTemplates/verify_email.html +++ /dev/null @@ -1,427 +0,0 @@ - - - - - - - - - Verify Email - - - - - - - - Verify your account and start using Maybe today! - - - - - - - diff --git a/auth0/env.js b/auth0/env.js deleted file mode 100644 index e23a4665..00000000 --- a/auth0/env.js +++ /dev/null @@ -1,12 +0,0 @@ -const z = require('zod') - -const envSchema = z.object({ - AUTH0_DEPLOY_CLIENT_SECRET: z.string(), - AUTH0_ENV: z.string().default('development'), - POSTMARK_SMTP_PASS: z.string(), - APPLE_SIGN_IN_SECRET_KEY: z.string(), -}) - -const env = envSchema.parse(process.env) - -module.exports = env diff --git a/auth0/pages/guardian_multifactor.html b/auth0/pages/guardian_multifactor.html deleted file mode 100644 index f9f56b01..00000000 --- a/auth0/pages/guardian_multifactor.html +++ /dev/null @@ -1,95 +0,0 @@ - - - - - - MFA Auth Maybe Finance - - - - - - - -
-
-
- -
-
-
-
- - - - - - diff --git a/auth0/pages/login.html b/auth0/pages/login.html deleted file mode 100644 index a4b3232c..00000000 --- a/auth0/pages/login.html +++ /dev/null @@ -1,685 +0,0 @@ - - - - - - Maybe Login - - - - - - - - - - - - - - - - - - - - -
-
- -
- - -
-

Log in to Maybe

-
- -
-

Sign up for Maybe

-

- Already have an account? - -

-
- -
-

Reset Password

-

- Enter your email address and we'll send you a link to reset your - password. -

-
- -
-

Check your email

-

- You should receive a reset link shortly. If you do not receive an email, - please contact us. -

-
-
- - - - -
- -
- - - - - - - - -
-
- - -
-

- By signing up, you acknowledge that you have read and understood, and agree to - Maybe's - Terms and Conditions and - Privacy Policy. -

-
-
- - diff --git a/auth0/pages/password_reset.html b/auth0/pages/password_reset.html deleted file mode 100644 index fe32958e..00000000 --- a/auth0/pages/password_reset.html +++ /dev/null @@ -1,427 +0,0 @@ - - - - - - - - - - - - - -
- - - - - Something went wrong. Please try again. -
-
- - - - - Your password was reset. -
-
-
-
- - -
- -
-
- - - - - -
- - - - -
-
- - - - -
- - - Back to login -
-
-
-
- - - - -
diff --git a/auth0/rules/assignRolesOnLogin.js b/auth0/rules/assignRolesOnLogin.js
deleted file mode 100644
index 60dd0bfd..00000000
--- a/auth0/rules/assignRolesOnLogin.js
+++ /dev/null
@@ -1,45 +0,0 @@
-function assignRolesOnLogin(user, context, callback) {
- // This rule does not apply to unverified users - never assign a privileged role without verification!
- if (!user.email || !user.email_verified) {
- return callback(null, user, context);
- }
-
- const maybeEmailDomain = 'maybe.co';
- const emailSplit = user.email.split('@');
- const isMaybeEmployee = emailSplit[emailSplit.length - 1].toLowerCase() === maybeEmailDomain;
-
- if (!isMaybeEmployee) {
- return callback(null, user, context);
- }
-
- // Use latest version that is allowed here - https://auth0-extensions.github.io/canirequire/#auth0
- const ManagementClient = require('auth0@2.35.0').ManagementClient;
-
- const cli = new ManagementClient({
- token: auth0.accessToken,
- domain: auth0.domain,
- });
-
- const admins = ['REPLACE_THIS'];
-
- const rolesToAssign = [];
-
- // https://auth0.com/docs/rules/configuration#use-the-configuration-object
- if (admins.includes(user.email)) {
- rolesToAssign.push(configuration.ADMIN_ROLE_ID);
- }
-
- // https://auth0.com/docs/rules/configuration#use-the-configuration-object
- if (isMaybeEmployee) {
- rolesToAssign.push(configuration.BETA_TESTER_ROLE_ID);
- }
-
- // If we make it here, we know the user has verified their email and their email is in the Maybe Finance Gmail domain
- cli.assignRolestoUser({ id: user.user_id }, { roles: rolesToAssign }, function (err) {
- if (err) {
- console.log(err);
- }
-
- return callback(null, user, context);
- });
-}
diff --git a/auth0/rules/enhanceIdToken.js b/auth0/rules/enhanceIdToken.js
deleted file mode 100644
index 098f7d9f..00000000
--- a/auth0/rules/enhanceIdToken.js
+++ /dev/null
@@ -1,53 +0,0 @@
-function enhanceIdToken(user, context, callback) {
- // Does not have to be a valid URL, just has to be unique and start with http / https
- const namespace = 'https://maybe.co';
-
- const assignedRoles = (context.authorization || {}).roles;
-
- let idTokenClaims = context.idToken || {};
- let accessTokenClaims = context.accessToken || {};
-
- let identityClaim;
-
- if (user.identities && user.identities.length) {
- const primaryIdentities = user.identities.filter((identity) => {
- // https://auth0.com/docs/manage-users/user-accounts/user-account-linking#how-it-works
- const isSecondary = 'profileData' in identity;
-
- return !isSecondary;
- });
-
- if (primaryIdentities.length === 0) {
- identityClaim = undefined;
- }
-
- // Based on prior checks, this should represent the primary identity
- const primaryIdentity = primaryIdentities[0];
-
- identityClaim = {
- connection: primaryIdentity.connection,
- provider: primaryIdentity.provider,
- isSocial: primaryIdentity.isSocial,
- };
- }
-
- // Access token claims are populated on the parsed server-side JWT
- accessTokenClaims[`${namespace}/name`] = user.name;
- accessTokenClaims[`${namespace}/email`] = user.email;
- accessTokenClaims[`${namespace}/picture`] = user.picture;
- accessTokenClaims[`${namespace}/roles`] = assignedRoles;
- accessTokenClaims[`${namespace}/user-metadata`] = user.user_metadata;
- accessTokenClaims[`${namespace}/app-metadata`] = user.app_metadata;
- accessTokenClaims[`${namespace}/primary-identity`] = identityClaim;
-
- // ID token claims are populated in the parsed client-side React hook
- idTokenClaims[`${namespace}/roles`] = assignedRoles;
- idTokenClaims[`${namespace}/user-metadata`] = user.user_metadata;
- idTokenClaims[`${namespace}/app-metadata`] = user.app_metadata;
- idTokenClaims[`${namespace}/primary-identity`] = identityClaim;
-
- context.idToken = idTokenClaims;
- context.accessToken = accessTokenClaims;
-
- return callback(null, user, context);
-}
diff --git a/auth0/rules/mfaAuth.js b/auth0/rules/mfaAuth.js
deleted file mode 100644
index 4c00d9fe..00000000
--- a/auth0/rules/mfaAuth.js
+++ /dev/null
@@ -1,23 +0,0 @@
-// https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa
-function mfaAuth(user, context, callback) {
- const ENABLED_CLIENT_IDS = [
- 'REPLACE_THIS',
- ];
-
- // Only enable MFA on the Next.js app (client IDs above)
- if (ENABLED_CLIENT_IDS.indexOf(context.clientID) !== -1) {
- // This makes MFA optional for users (they can enroll via their profile within the app)
- if (user.user_metadata && user.user_metadata.enrolled_mfa) {
- context.multifactor = {
- // See options here - https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa#use-rules
- // `any` is the generic option (i.e. Google Authenticator or something similar)
- provider: 'any',
-
- // If set to true, MFA will turn off for 30 days for the user's current browser
- allowRememberBrowser: true,
- };
- }
- }
-
- return callback(null, user, context);
-}
diff --git a/auth0/rules/updateUserMetadata.js b/auth0/rules/updateUserMetadata.js
deleted file mode 100644
index c031c4e3..00000000
--- a/auth0/rules/updateUserMetadata.js
+++ /dev/null
@@ -1,27 +0,0 @@
-function updateUserMetadata(user, context, callback) {
- // Use latest version that is allowed here (2.4.0 as of today) - https://auth0-extensions.github.io/canirequire/#auth0
- const ManagementClient = require('auth0@2.35.0').ManagementClient;
-
- const cli = new ManagementClient({
- token: auth0.accessToken,
- domain: auth0.domain,
- });
-
- const metadata = {
- firstName:
- (user.user_metadata && user.user_metadata.firstName) ||
- user.first_name ||
- user.given_name ||
- '',
- lastName:
- (user.user_metadata && user.user_metadata.lastName) ||
- user.last_name ||
- user.family_name ||
- '',
- };
-
- // Maps data from various identity providers to a normalized identity
- cli.updateUserMetadata({ id: user.user_id }, metadata, function (err, updatedUser) {
- return callback(null, updatedUser, context);
- });
-}
diff --git a/auth0/rules/verifyUserOnPasswordReset.js b/auth0/rules/verifyUserOnPasswordReset.js
deleted file mode 100644
index 44f067a9..00000000
--- a/auth0/rules/verifyUserOnPasswordReset.js
+++ /dev/null
@@ -1,34 +0,0 @@
-// If the user successfully performs a password reset, we *know* their email is valid, so go ahead and verify it if not already verified
-function verifyUserWithPasswordReset(user, context, callback) {
- const request = require('request');
- const userApiUrl = auth0.baseUrl + '/users/';
-
- // This rule is only for Auth0 databases
- if (context.connectionStrategy !== 'auth0') {
- return callback(null, user, context);
- }
-
- if (user.email_verified || !user.last_password_reset) {
- return callback(null, user, context);
- }
-
- // Set email verified if a user has already updated his/her password
- request.patch(
- {
- url: userApiUrl + user.user_id,
- headers: {
- Authorization: 'Bearer ' + auth0.accessToken,
- },
- json: { email_verified: true },
- timeout: 5000,
- },
- function (err, response, body) {
- // Setting email verified isn't propagated to id_token in this
- // authentication cycle so explicitly set it to true given no errors.
- context.idToken.email_verified = !err && response.statusCode === 200;
-
- // Return with success at this point.
- return callback(null, user, context);
- }
- );
-}
diff --git a/auth0/sync.js b/auth0/sync.js
deleted file mode 100644
index 49736cfa..00000000
--- a/auth0/sync.js
+++ /dev/null
@@ -1,26 +0,0 @@
-const { config, sync } = require('./config')
-
-const firstArg = process.argv.slice(2)[0]
-
-if (firstArg === '--force') {
- sync({
- config: {
- ...config,
-
- // The deploy client only works with the DEFAULT Auth0 domain, NOT with custom domains
- AUTH0_DOMAIN: config.AUTH0_KEYWORD_REPLACE_MAPPINGS.AUTH0_DOMAIN,
- },
- format: 'yaml',
- output_folder: __dirname,
- })
- .then(() =>
- console.log(
- `Synced ${config.AUTH0_KEYWORD_REPLACE_MAPPINGS.AUTH0_DOMAIN} successfully!`
- )
- )
- .catch((err) => console.log(`Sync failed: ${err}`))
-} else {
- console.log(
- 'Syncing not recommended (see README.md). Instead, you should make changes locally and deploy to the tenant. \n\nIf you are sure you want to do this, run: \n\n`node sync --force`\n'
- )
-}
diff --git a/auth0/tenant.yaml b/auth0/tenant.yaml
deleted file mode 100644
index 0d8fe146..00000000
--- a/auth0/tenant.yaml
+++ /dev/null
@@ -1,360 +0,0 @@ -rules: - - name: mfaAuth - script: ./rules/mfaAuth.js - stage: login_success - enabled: true - order: 1 - - name: verifyUserOnPasswordReset - script: ./rules/verifyUserOnPasswordReset.js - stage: login_success - enabled: true - order: 2 - - name: assignRolesOnLogin - script: ./rules/assignRolesOnLogin.js - stage: login_success - enabled: true - order: 3 - - name: updateUserMetadata - script: ./rules/updateUserMetadata.js - stage: login_success - enabled: true - order: 4 - - name: enhanceIdToken - script: ./rules/enhanceIdToken.js - stage: login_success - enabled: true - order: 5 - - -rulesConfigs: - - key: "ADMIN_ROLE_ID" - value: '##ADMIN_ROLE_ID##' - - key: "BETA_TESTER_ROLE_ID" - value: '##BETA_TESTER_ROLE_ID##' - -hooks: [] - -pages: - - name: guardian_multifactor - enabled: false - html: ./pages/guardian_multifactor.html - - name: login - enabled: true - html: ./pages/login.html - - name: password_reset - enabled: true - html: ./pages/password_reset.html - -resourceServers: - - name: maybe-finance-api - identifier: https://maybe-finance-api/v1 - allow_offline_access: true - signing_alg: RS256 - skip_consent_for_verifiable_first_party_clients: true - token_lifetime: 86400 # 24 hours - token_lifetime_for_web: 7200 - -clients: - - name: Maybe - app_type: spa - allowed_clients: [] - callbacks: @@CLIENT_BASE_URLS@@ - allowed_logout_urls: @@CLIENT_LOGOUT_URLS@@ - allowed_origins: @@CLIENT_BASE_URLS@@ - web_origins: @@CLIENT_BASE_URLS@@ - client_aliases: [] - cross_origin_auth: false - custom_login_page_on: true - grant_types: - - authorization_code - - implicit - - refresh_token - - password - - http://auth0.com/oauth/grant-type/password-realm - is_first_party: true - is_token_endpoint_ip_header_trusted: false - jwt_configuration: - alg: RS256 - lifetime_in_seconds: 36000 - secret_encoded: false - native_social_login: - apple: - enabled: false - facebook: - enabled: false - oidc_conformant: true - refresh_token: - expiration_type: expiring - 
leeway: 0 - token_lifetime: 2592000 # 30 days - idle_token_lifetime: 1296000 # 15 days - infinite_token_lifetime: false - infinite_idle_token_lifetime: false - rotation_type: rotating - sso_disabled: false - token_endpoint_auth_method: none - - - name: Maybe Admin - allowed_clients: [] - app_type: regular_web - callbacks: @@SERVER_CALLBACK_URLS@@ - allowed_logout_urls: @@SERVER_BASE_URLS@@ - allowed_origins: @@SERVER_BASE_URLS@@ - web_origins: @@SERVER_BASE_URLS@@ - client_aliases: [] - cross_origin_auth: false - custom_login_page_on: true - grant_types: - - authorization_code - - implicit - - refresh_token - - client_credentials - - password - is_first_party: true - is_token_endpoint_ip_header_trusted: false - jwt_configuration: - alg: RS256 - lifetime_in_seconds: 36000 - secret_encoded: false - native_social_login: - apple: - enabled: false - facebook: - enabled: false - oidc_conformant: true - refresh_token: - expiration_type: non-expiring - leeway: 0 - infinite_token_lifetime: true - infinite_idle_token_lifetime: true - token_lifetime: 31557600 - idle_token_lifetime: 2592000 - rotation_type: non-rotating - sso_disabled: false - token_endpoint_auth_method: client_secret_post - - - name: auth0-deploy-cli-extension - app_type: non_interactive - cross_origin_auth: false - custom_login_page_on: true - grant_types: - - client_credentials - is_first_party: true - is_token_endpoint_ip_header_trusted: false - jwt_configuration: - alg: RS256 - lifetime_in_seconds: 36000 - secret_encoded: false - oidc_conformant: true - refresh_token: - expiration_type: non-expiring - leeway: 0 - infinite_token_lifetime: true - infinite_idle_token_lifetime: true - token_lifetime: 31557600 - idle_token_lifetime: 2592000 - rotation_type: non-rotating - sso_disabled: false - token_endpoint_auth_method: client_secret_post - - - name: server-m2m-cli - allowed_clients: [] - allowed_origins: [] - app_type: non_interactive - callbacks: [] - client_aliases: [] - cross_origin_auth: false - 
custom_login_page_on: true - grant_types: - - client_credentials - is_first_party: true - is_token_endpoint_ip_header_trusted: false - jwt_configuration: - alg: RS256 - lifetime_in_seconds: 36000 - secret_encoded: false - native_social_login: - apple: - enabled: false - facebook: - enabled: false - oidc_conformant: true - refresh_token: - expiration_type: non-expiring - leeway: 0 - infinite_token_lifetime: true - infinite_idle_token_lifetime: true - token_lifetime: 31557600 - idle_token_lifetime: 2592000 - rotation_type: non-rotating - sso_disabled: false - token_endpoint_auth_method: client_secret_post - -databases: - - name: Username-Password-Authentication - strategy: auth0 - enabled_clients: - - auth0-deploy-cli-extension - - Maybe - - Maybe Admin - is_domain_connection: false - options: - mfa: - active: true - return_enroll_settings: true - passwordPolicy: good - strategy_version: 2 - brute_force_protection: true - realms: - - Username-Password-Authentication - -connections: - - name: google-oauth2 - strategy: google-oauth2 - enabled_clients: - - auth0-deploy-cli-extension - - Maybe - - Maybe Admin - - server-m2m-cli - is_domain_connection: false - options: - email: true - scope: - - email - - profile - profile: true - - name: apple - strategy: apple - enabled_clients: - - auth0-deploy-cli-extension - - Maybe - - Maybe Admin - - server-m2m-cli - is_domain_connection: false - options: - client_id: co.maybe.webapp - app_secret: @@APPLE_SIGN_IN_SECRET_KEY@@ - team_id: 8TQ4KDWF2S - kid: 47WD7B27JK - email: true - name: true - scope: - - email - - name - -tenant: - enabled_locales: - - en - # https://auth0.com/docs/authorization/flows/call-your-api-using-resource-owner-password-flow#configure-tenant - default_directory: Username-Password-Authentication - default_audience: https://maybe-finance-api/v1 - flags: - new_universal_login_experience_enabled: true - universal_login: true - revoke_refresh_token_grant: false - disable_clickjack_protection_headers: false - 
friendly_name: Maybe Finance - picture_url: >- - https://assets.maybe.co/images/maybe.svg - universal_login: - colors: - page_background: '#242629' - primary: '#3bc9db' - support_email: hello@maybe.co - -emailProvider: - name: smtp - credentials: - smtp_host: smtp.postmarkapp.com - smtp_port: 587 - smtp_user: REPLACE_THIS - smtp_pass: '##POSTMARK_SMTP_PASS##' - default_from_address: account@maybe.co - enabled: true - -emailTemplates: - - template: reset_email - body: ./emailTemplates/reset_email.html - enabled: true - from: reset@maybe.co - subject: Reset your password - syntax: liquid - urlLifetimeInSeconds: 86400 - - template: verify_email - body: ./emailTemplates/verify_email.html - enabled: true - from: 'account@maybe.co' - resultUrl: '{{ application.callback_domain }}' - subject: 'Verify your email for Maybe Finance' - syntax: liquid - urlLifetimeInSeconds: 432000 - -clientGrants: - - client_id: server-m2m-cli - audience: https://##AUTH0_DOMAIN##/api/v2/ - scope: - - read:users - - update:users - - delete:users - - read:users_app_metadata - - update:users_app_metadata - - delete:users_app_metadata - - create:users_app_metadata - -guardianFactors: - - name: duo - enabled: false - - name: email - enabled: true - - name: otp - enabled: true - - name: push-notification - enabled: false - - name: recovery-code - enabled: true - - name: sms - enabled: false - - name: webauthn-platform - enabled: false - - name: webauthn-roaming - enabled: false - -guardianFactorProviders: [] - -guardianFactorTemplates: [] - -guardianPolicies: - policies: [] - -guardianPhoneFactorSelectedProvider: - provider: auth0 - -guardianPhoneFactorMessageTypes: - message_types: [] - -roles: - - name: Admin - description: Maybe Employee Admin - permissions: [] - - name: CIUser - description: Identifies our CI users for e2e testing - permissions: [] - -branding: - colors: - page_background: '#242629' - primary: '#3bc9db' - logo_url: >- - https://assets.maybe.co/images/maybe.svg - -prompts: - 
universal_login_experience: new - identifier_first: false - -migrations: {} - -actions: [] - -triggers: {} - -organizations: []