# Example: IIIF Auth 2.0 — clickthrough pattern
#
# The simplest interactive pattern: the viewer presents a single
# "I agree" button to the user; clicking it mints a session with no
# identity captured. Use for terms-of-use acknowledgement, content
# warnings, or any case where the operator wants the user to assert
# something before viewing — but doesn't need to know who the user
# is.
#
# Drop into your iiiris config (or include it as a partial alongside
# the rest of your YAML). After restart, identifiers matching the
# rule will be gated; `info.json` advertises the auth service tree
# automatically.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    reading-room:
      pattern: clickthrough          # one of: clickthrough | active | kiosk | external
      label:
        en: ["Reading Room"]         # advertised in info.json's access service
      heading:
        en: ["Restricted material"]  # shown on the login page and on denied probe responses
      description:
        en: ["You agree to abide by the reading room's use policy."]
      confirm_label: "I agree"       # the button text on the built-in login page
      access_service:
        backend: builtin             # iiiris hosts the page; "header" / "external" / "oidc" delegate
      # Optional: custom HTML template instead of the built-in.
      # template: /etc/iiiris/templates/clickthrough.html
      session_ttl: 24h
      token_ttl: 5m
      # Optional: deny-degrade. When set, denied requests are rewritten
      # to this size and served from the same source, instead of
      # returning 401. Same source bytes, same cache, smaller dimensions.
      # substitute:
      #   max_size: "!400,400"

  rules:
    # Identifiers matching `restricted/*` are gated by the reading-room
    # profile. First match wins; identifiers matching no rule are public.
    - match: "restricted/*"
      profile: reading-room

  cors:
    # Required: the viewer origins permitted to request access tokens
    # via the postMessage iframe flow. Empty list = no origin can
    # obtain a token (and the spec-required cross-origin viewer flow
    # is broken). `["*"]` is permitted as an explicit opt-in.
    token_origins:
      - https://viewer.example.org

  # Trust X-Forwarded-For from these reverse-proxy CIDRs (used by the
  # kiosk pattern's IP allowlist; harmless for clickthrough).
  trusted_proxies:
    - 10.0.0.0/8
