# Example: IIIF Auth 2.0 — active pattern (inline users)
#
# Username/password login with the credentials inlined in YAML.
# Useful for very small deployments (a handful of staff accounts on
# a single instance). For anything larger, prefer auth-active-htpasswd.yaml
# — the file-on-disk pattern is mtime-watched so user changes don't
# need a restart, whereas this inline map does.
#
# Hashes must be bcrypt ($2a$/$2b$/$2y$) or apr1 ($apr1$). Generate via:
#   htpasswd -nB alice           # bcrypt, prints "alice:$2y$05$..."
#   htpasswd -nm alice           # apr1
# The "-n" flag prints to stdout instead of writing to a file.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    staff:
      pattern: active
      label:
        en: ["Staff access"]
      access_service:
        backend: builtin
      users:
        # Paste the bcrypt output minus the "username:" prefix.
        alice: "$2y$05$WUeqG4/ub35YKN34Ol6k1e0tXjFLxIUNtcce9H856FkWG0IBgP5MO"
        bob:   "$apr1$abcd1234$Z0AXMqVU0G8R3eFCKyhSx0"
      session_ttl: 8h
      token_ttl: 10m

  rules:
    - match: "staff/*"
      profile: staff

  cors:
    token_origins:
      - https://viewer.example.org
