diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs index c33a51a74..cec10b2a6 100644 --- a/services/identity/src/config.rs +++ b/services/identity/src/config.rs @@ -1,284 +1,291 @@ use std::{env, fmt, fs, io, path}; use base64::{engine::general_purpose, DecodeError, Engine as _}; use clap::{Parser, Subcommand}; use http::HeaderValue; use once_cell::sync::Lazy; use tower_http::cors::AllowOrigin; use tracing::{error, info}; use url::Url; use crate::constants::{ cors::ALLOW_ORIGIN_LIST, cors::PROD_ORIGIN_HOST_STR, DEFAULT_OPENSEARCH_ENDPOINT, DEFAULT_TUNNELBROKER_ENDPOINT, KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP, - OPENSEARCH_ENDPOINT, SECRETS_DIRECTORY, SECRETS_SETUP_FILE, - TUNNELBROKER_GRPC_ENDPOINT, + OPENSEARCH_ENDPOINT, REDACT_SENSITIVE_DATA, SECRETS_DIRECTORY, + SECRETS_SETUP_FILE, TUNNELBROKER_GRPC_ENDPOINT, }; /// Raw CLI arguments, should be only used internally to create ServerConfig static CLI: Lazy = Lazy::new(Cli::parse); pub static CONFIG: Lazy = Lazy::new(|| { ServerConfig::from_cli(&CLI).expect("Failed to load server config") }); pub(super) fn parse_cli_command() -> &'static Command { &Lazy::force(&CLI).command } pub(super) fn load_server_config() -> &'static ServerConfig { Lazy::force(&CONFIG) } #[derive(Parser)] #[clap(author, version, about, long_about = None)] #[clap(propagate_version = true)] struct Cli { #[clap(subcommand)] command: Command, /// AWS Localstack service URL #[arg(long, global = true)] #[arg(env = LOCALSTACK_ENDPOINT)] localstack_endpoint: Option, /// Tunnelbroker gRPC endpoint #[arg(long, global = true)] #[arg(env = TUNNELBROKER_GRPC_ENDPOINT)] #[arg(default_value = DEFAULT_TUNNELBROKER_ENDPOINT)] tunnelbroker_endpoint: String, /// OpenSearch domain endpoint #[arg(long, global = true)] #[arg(env = OPENSEARCH_ENDPOINT)] #[arg(default_value = DEFAULT_OPENSEARCH_ENDPOINT)] opensearch_endpoint: String, /// Allowed origins #[arg(long, global = true)] #[arg(env = ALLOW_ORIGIN_LIST)] #[arg(value_delimiter = ',')] allow_origin_list: Option>, + + /// Redact sensitive data + #[arg(long, global = true, default_value_t = false)] + #[arg(env = REDACT_SENSITIVE_DATA)] + redact_sensitive_data: bool, } #[derive(Subcommand)] pub enum Command { /// Runs the server Server, /// Generates and persists a keypair to use for PAKE registration and login Keygen { #[arg(short, long)] #[arg(default_value = SECRETS_DIRECTORY)] dir: String, }, /// Syncs DynamoDB users with identity-search search index SyncIdentitySearch, } #[derive(Clone)] pub struct ServerConfig { pub localstack_endpoint: Option, // Opaque 2.0 server secrets pub server_setup: comm_opaque2::ServerSetup, pub keyserver_public_key: Option, pub tunnelbroker_endpoint: String, pub opensearch_endpoint: String, pub allow_origin: Option, + pub redact_sensitive_data: bool, } impl ServerConfig { fn from_cli(cli: &Cli) -> Result { if !matches!(cli.command, Command::Server | Command::SyncIdentitySearch) { panic!("ServerConfig is only available for the `server` or `sync-identity-search` command"); } info!("Tunnelbroker endpoint: {}", &cli.tunnelbroker_endpoint); if let Some(endpoint) = &cli.localstack_endpoint { info!("Using Localstack endpoint: {}", endpoint); } info!("Using OpenSearch endpoint: {}", cli.opensearch_endpoint); let mut path_buf = path::PathBuf::new(); path_buf.push(SECRETS_DIRECTORY); path_buf.push(SECRETS_SETUP_FILE); let server_setup = get_server_setup(path_buf.as_path())?; let keyserver_public_key = env::var(KEYSERVER_PUBLIC_KEY).ok(); let allow_origin = cli .allow_origin_list .as_ref() .map(|s| slice_to_allow_origin(s.as_slice())) .transpose()?; Ok(Self { localstack_endpoint: cli.localstack_endpoint.clone(), tunnelbroker_endpoint: cli.tunnelbroker_endpoint.clone(), opensearch_endpoint: cli.opensearch_endpoint.clone(), server_setup, keyserver_public_key, allow_origin, + redact_sensitive_data: cli.redact_sensitive_data, }) } } impl fmt::Debug for ServerConfig { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.debug_struct("ServerConfig") .field("localstack_endpoint", &self.localstack_endpoint) .field("server_setup", &"** redacted **") .field("keyserver_public_key", &self.keyserver_public_key) .field("tunnelbroker_endpoint", &self.tunnelbroker_endpoint) .field("opensearch_endpoint", &self.opensearch_endpoint) .field("allow_origin_list", &"** redacted **") .finish() } } #[derive(Debug, derive_more::Display, derive_more::From)] pub enum Error { #[display(...)] Opaque(comm_opaque2::ProtocolError), #[display(...)] Io(io::Error), #[display(...)] Env(env::VarError), #[display(...)] Json(serde_json::Error), #[display(...)] Decode(DecodeError), #[display(...)] InvalidHeaderValue(http::header::InvalidHeaderValue), #[display(...)] InvalidOrigin(InvalidOriginError), } #[derive(Debug, derive_more::Display)] pub enum InvalidOriginError { InvalidScheme, MissingHost, MissingPort, ParseError, } fn get_server_setup( path: &path::Path, ) -> Result, Error> { let encoded_server_setup = if let Ok(env_setup) = env::var(OPAQUE_SERVER_SETUP) { info!( "Using OPAQUE server setup from env var: {}", OPAQUE_SERVER_SETUP ); env_setup } else if let Ok(file_setup) = fs::read_to_string(path) { info!("Using OPAQUE server setup from file: {}", path.display()); file_setup } else { error!("Unable to locate OPAQUE server setup. Please run `keygen` command and run Identity service again."); return Err(Error::Io(io::Error::new( io::ErrorKind::NotFound, "Missing server credentials", ))); }; let decoded_server_setup = general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup)?; comm_opaque2::ServerSetup::deserialize(&decoded_server_setup) .map_err(Error::Opaque) } fn slice_to_allow_origin(origins: &[String]) -> Result { let allow_origin_result: Result, Error> = origins .iter() .map(|s| { validate_origin(s)?; HeaderValue::from_str(s.trim()).map_err(Error::InvalidHeaderValue) }) .collect(); let allow_origin_list = allow_origin_result?; Ok(AllowOrigin::list(allow_origin_list)) } fn validate_origin(origin_str: &str) -> Result<(), Error> { let Ok(url) = Url::parse(origin_str) else { return Err(Error::InvalidOrigin(InvalidOriginError::ParseError)); }; if !matches!(url.scheme(), "http" | "https") { return Err(Error::InvalidOrigin(InvalidOriginError::InvalidScheme)); }; let Some(host_str) = url.host_str() else { return Err(Error::InvalidOrigin(InvalidOriginError::MissingHost)); }; if host_str == PROD_ORIGIN_HOST_STR { return Ok(()); } if url.port().is_none() { return Err(Error::InvalidOrigin(InvalidOriginError::MissingPort)); }; Ok(()) } #[cfg(test)] mod tests { use super::validate_origin; #[test] fn test_valid_origin() { let valid_origin = "http://localhost:3000"; assert!( validate_origin(valid_origin).is_ok(), "Expected a valid origin, but got an invalid one" ); } #[test] fn test_invalid_origin_missing_scheme() { let invalid_origin = "localhost:3000"; assert!( validate_origin(invalid_origin).is_err(), "Expected an invalid origin (missing scheme), but got a valid one" ); } #[test] fn test_invalid_origin_missing_host() { let invalid_origin = "http://:3000"; assert!( validate_origin(invalid_origin).is_err(), "Expected an invalid origin (missing host), but got a valid one" ); } #[test] fn test_valid_origin_missing_port() { // If the host is web.comm.app, we do not require a port let valid_origin = "https://web.comm.app"; assert!( validate_origin(valid_origin).is_ok(), "Expected origin missing port to be valid" ); } #[test] fn test_invalid_origin_missing_port() { // If the host is not web.comm.app, we require a port let invalid_origin = "http://localhost"; assert!( validate_origin(invalid_origin).is_err(), "Expected an invalid origin (missing port), but got a valid one" ); } #[test] fn test_invalid_origin_invalid_scheme() { // We only allow http and https origins let invalid_origin = "ftp://example.com"; assert!( validate_origin(invalid_origin).is_err(), "Expected an invalid origin (invalid scheme), but got a valid one" ); } } diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs index 8c984648e..9aafdf76f 100644 --- a/services/identity/src/constants.rs +++ b/services/identity/src/constants.rs @@ -1,353 +1,354 @@ use tokio::time::Duration; // Secrets pub const SECRETS_DIRECTORY: &str = "secrets"; pub const SECRETS_SETUP_FILE: &str = "server_setup.txt"; // DynamoDB // User table information, supporting opaque_ke 2.0 and X3DH information // Users can sign in either through username+password or Eth wallet. // // This structure should be aligned with the messages defined in // shared/protos/identity_unauthenticated.proto // // Structure for a user should be: // { // userID: String, // opaqueRegistrationData: Option, // username: Option, // walletAddress: Option, // devices: HashMap // } // // A device is defined as: // { // deviceType: String, # client or keyserver // keyPayload: String, // keyPayloadSignature: String, // identityPreKey: String, // identityPreKeySignature: String, // identityOneTimeKeys: Vec, // notifPreKey: String, // notifPreKeySignature: String, // notifOneTimeKeys: Vec, // socialProof: Option // } // } // // Additional context: // "devices" uses the signing public identity key of the device as a key for the devices map // "keyPayload" is a JSON encoded string containing identity and notif keys (both signature and verification) // if "deviceType" == "keyserver", then the device will not have any notif key information pub const USERS_TABLE: &str = "identity-users"; pub const USERS_TABLE_PARTITION_KEY: &str = "userID"; pub const USERS_TABLE_REGISTRATION_ATTRIBUTE: &str = "opaqueRegistrationData"; pub const USERS_TABLE_USERNAME_ATTRIBUTE: &str = "username"; pub const USERS_TABLE_DEVICES_MAP_DEVICE_TYPE_ATTRIBUTE_NAME: &str = "deviceType"; pub const USERS_TABLE_WALLET_ADDRESS_ATTRIBUTE: &str = "walletAddress"; pub const USERS_TABLE_SOCIAL_PROOF_ATTRIBUTE_NAME: &str = "socialProof"; pub const USERS_TABLE_DEVICELIST_TIMESTAMP_ATTRIBUTE_NAME: &str = "deviceListTimestamp"; pub const USERS_TABLE_FARCASTER_ID_ATTRIBUTE_NAME: &str = "farcasterID"; pub const USERS_TABLE_USERNAME_LOWER_ATTRIBUTE_NAME: &str = "usernameLower"; pub const USERS_TABLE_USERNAME_INDEX: &str = "username-index"; pub const USERS_TABLE_WALLET_ADDRESS_INDEX: &str = "walletAddress-index"; pub const USERS_TABLE_FARCASTER_ID_INDEX: &str = "farcasterID-index"; pub const USERS_TABLE_USERNAME_LOWER_INDEX: &str = "usernameLower-index"; pub mod token_table { pub const NAME: &str = "identity-tokens"; pub const PARTITION_KEY: &str = "userID"; pub const SORT_KEY: &str = "signingPublicKey"; pub const ATTR_CREATED: &str = "created"; pub const ATTR_AUTH_TYPE: &str = "authType"; pub const ATTR_VALID: &str = "valid"; pub const ATTR_TOKEN: &str = "token"; } pub const NONCE_TABLE: &str = "identity-nonces"; pub const NONCE_TABLE_PARTITION_KEY: &str = "nonce"; pub const NONCE_TABLE_CREATED_ATTRIBUTE: &str = "created"; pub const NONCE_TABLE_EXPIRATION_TIME_ATTRIBUTE: &str = "expirationTime"; pub const NONCE_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str = "expirationTimeUnix"; pub const WORKFLOWS_IN_PROGRESS_TABLE: &str = "identity-workflows-in-progress"; pub const WORKFLOWS_IN_PROGRESS_PARTITION_KEY: &str = "id"; pub const WORKFLOWS_IN_PROGRESS_WORKFLOW_ATTRIBUTE: &str = "workflow"; pub const WORKFLOWS_IN_PROGRESS_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str = "expirationTimeUnix"; // Usernames reserved because they exist in Ashoat's keyserver already pub const RESERVED_USERNAMES_TABLE: &str = "identity-reserved-usernames"; pub const RESERVED_USERNAMES_TABLE_PARTITION_KEY: &str = "username"; pub const RESERVED_USERNAMES_TABLE_USER_ID_ATTRIBUTE: &str = "userID"; pub const RESERVED_USERNAMES_TABLE_USERNAME_LOWER_ATTRIBUTE: &str = "usernameLower"; pub const RESERVED_USERNAMES_TABLE_USERNAME_LOWER_INDEX: &str = "usernameLower-index"; // Users table social proof attribute pub const SOCIAL_PROOF_MESSAGE_ATTRIBUTE: &str = "siweMessage"; pub const SOCIAL_PROOF_SIGNATURE_ATTRIBUTE: &str = "siweSignature"; pub mod devices_table { /// table name pub const NAME: &str = "identity-devices"; pub const TIMESTAMP_INDEX_NAME: &str = "deviceList-timestamp-index"; pub const DEVICE_ID_INDEX_NAME: &str = "deviceID-index"; /// partition key pub const ATTR_USER_ID: &str = "userID"; /// sort key pub const ATTR_ITEM_ID: &str = "itemID"; // itemID prefixes (one shouldn't be a prefix of the other) pub const DEVICE_ITEM_KEY_PREFIX: &str = "device-"; pub const DEVICE_LIST_KEY_PREFIX: &str = "devicelist-"; // device-specific attrs pub const ATTR_DEVICE_KEY_INFO: &str = "deviceKeyInfo"; pub const ATTR_CONTENT_PREKEY: &str = "contentPreKey"; pub const ATTR_NOTIF_PREKEY: &str = "notifPreKey"; pub const ATTR_PLATFORM_DETAILS: &str = "platformDetails"; pub const ATTR_LOGIN_TIME: &str = "loginTime"; // IdentityKeyInfo constants pub const ATTR_KEY_PAYLOAD: &str = "keyPayload"; pub const ATTR_KEY_PAYLOAD_SIGNATURE: &str = "keyPayloadSignature"; // PreKey constants pub const ATTR_PREKEY: &str = "preKey"; pub const ATTR_PREKEY_SIGNATURE: &str = "preKeySignature"; // PlatformDetails constants pub const ATTR_DEVICE_TYPE: &str = "deviceType"; pub const ATTR_CODE_VERSION: &str = "codeVersion"; pub const ATTR_STATE_VERSION: &str = "stateVersion"; pub const ATTR_MAJOR_DESKTOP_VERSION: &str = "majorDesktopVersion"; // device-list-specific attrs pub const ATTR_TIMESTAMP: &str = "timestamp"; pub const ATTR_DEVICE_IDS: &str = "deviceIDs"; pub const ATTR_CURRENT_SIGNATURE: &str = "curPrimarySignature"; pub const ATTR_LAST_SIGNATURE: &str = "lastPrimarySignature"; // one-time key constants pub const ATTR_CONTENT_OTK_COUNT: &str = "contentOTKCount"; pub const ATTR_NOTIF_OTK_COUNT: &str = "notifOTKCount"; // deprecated attributes pub const OLD_ATTR_DEVICE_TYPE: &str = "deviceType"; pub const OLD_ATTR_CODE_VERSION: &str = "codeVersion"; } // One time keys table, which need to exist in their own table to ensure // atomicity of additions and removals pub mod one_time_keys_table { pub const NAME: &str = "identity-one-time-keys"; pub const PARTITION_KEY: &str = "userID#deviceID#olmAccount"; pub const SORT_KEY: &str = "timestamp#keyNumber"; pub const ATTR_ONE_TIME_KEY: &str = "oneTimeKey"; } // Tokio pub const MPSC_CHANNEL_BUFFER_CAPACITY: usize = 1; pub const IDENTITY_SERVICE_SOCKET_ADDR: &str = "[::]:50054"; pub const IDENTITY_SERVICE_WEBSOCKET_ADDR: &str = "[::]:51004"; pub const SOCKET_HEARTBEAT_TIMEOUT: Duration = Duration::from_secs(3); // Token pub const ACCESS_TOKEN_LENGTH: usize = 512; // Temporary config pub const AUTH_TOKEN: &str = "COMM_IDENTITY_SERVICE_AUTH_TOKEN"; pub const KEYSERVER_PUBLIC_KEY: &str = "KEYSERVER_PUBLIC_KEY"; // Nonce pub const NONCE_LENGTH: usize = 17; pub const NONCE_TTL_DURATION: Duration = Duration::from_secs(120); // seconds // Device list pub const DEVICE_LIST_TIMESTAMP_VALID_FOR: Duration = Duration::from_secs(300); // Workflows in progress pub const WORKFLOWS_IN_PROGRESS_TTL_DURATION: Duration = Duration::from_secs(120); // LocalStack pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT"; // OPAQUE Server Setup pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP"; // Identity Search pub const OPENSEARCH_ENDPOINT: &str = "OPENSEARCH_ENDPOINT"; pub const DEFAULT_OPENSEARCH_ENDPOINT: &str = "identity-search-domain.us-east-2.opensearch.localhost.localstack.cloud:4566"; pub const IDENTITY_SEARCH_INDEX: &str = "users"; pub const IDENTITY_SEARCH_RESULT_SIZE: u32 = 20; // Log Error Types pub mod error_types { pub const GENERIC_DB_LOG: &str = "DB Error"; pub const OTK_DB_LOG: &str = "One-time Key DB Error"; pub const DEVICE_LIST_DB_LOG: &str = "Device List DB Error"; pub const TOKEN_DB_LOG: &str = "Token DB Error"; pub const FARCASTER_DB_LOG: &str = "Farcaster DB Error"; pub const SYNC_LOG: &str = "Sync Error"; pub const SEARCH_LOG: &str = "Search Error"; pub const SIWE_LOG: &str = "SIWE Error"; pub const GRPC_SERVICES_LOG: &str = "gRPC Services Error"; pub const TUNNELBROKER_LOG: &str = "Tunnelbroker Error"; pub const HTTP_LOG: &str = "HTTP Error"; } // Tonic Status Messages pub mod tonic_status_messages { pub const UNEXPECTED_MESSAGE_DATA: &str = "unexpected_message_data"; pub const SIGNATURE_INVALID: &str = "signature_invalid"; pub const MALFORMED_KEY: &str = "malformed_key"; pub const VERIFICATION_FAILED: &str = "verification_failed"; pub const MALFORMED_PAYLOAD: &str = "malformed_payload"; pub const INVALID_DEVICE_LIST_PAYLOAD: &str = "invalid_device_list_payload"; pub const USERNAME_ALREADY_EXISTS: &str = "username_already_exists"; pub const USERNAME_RESERVED: &str = "username_reserved"; pub const WALLET_ADDRESS_TAKEN: &str = "wallet_address_taken"; pub const WALLET_ADDRESS_NOT_RESERVED: &str = "wallet_address_not_reserved"; pub const DEVICE_ID_ALREADY_EXISTS: &str = "device_id_already_exists"; pub const USER_NOT_FOUND: &str = "user_not_found"; pub const INVALID_NONCE: &str = "invalid_nonce"; pub const NONCE_EXPIRED: &str = "nonce_expired"; pub const FID_TAKEN: &str = "fid_taken"; pub const CANNOT_LINK_FID: &str = "cannot_link_fid"; pub const INVALID_PLATFORM_METADATA: &str = "invalid_platform_metadata"; pub const MISSING_CREDENTIALS: &str = "missing_credentials"; pub const BAD_CREDENTIALS: &str = "bad_credentials"; pub const SESSION_NOT_FOUND: &str = "session_not_found"; pub const INVALID_TIMESTAMP: &str = "invalid_timestamp"; pub const INVALID_USERNAME: &str = "invalid_username"; pub const USERNAME_NOT_RESERVED: &str = "username_not_reserved"; pub const NEED_KEYSERVER_MESSAGE_TO_CLAIM_USERNAME: &str = "need_keyserver_message_to_claim_username"; pub const UNEXPECTED_INITIAL_DEVICE_LIST: &str = "unexpected_initial_device_list"; pub const DEVICE_LIST_ERROR: &str = "device_list_error"; pub const DEVICE_NOT_IN_DEVICE_LIST: &str = "device_not_in_device_list"; pub const NO_IDENTIFIER_PROVIDED: &str = "no_identifier_provided"; pub const USER_ALREADY_HAS_KEYSERVER: &str = "user_already_has_keyserver"; pub const RETRY: &str = "retry"; pub const INVALID_DEVICE_LIST_UPDATE: &str = "invalid_device_list_update"; pub const INVALID_DEVICE_LIST_SIGNATURE: &str = "invalid_device_list_signature"; pub const UNEXPECTED_ERROR: &str = "unexpected_error"; pub const NO_DEVICE_LIST: &str = "no_device_list"; pub const USER_ID_MISSING: &str = "user_id_missing"; pub const DEVICE_ID_MISSING: &str = "device_id_missing"; pub const MISSING_CONTENT_KEYS: &str = "missing_content_keys"; pub const MISSING_NOTIF_KEYS: &str = "missing_notif_keys"; pub const KEYSERVER_NOT_FOUND: &str = "keyserver_not_found"; pub const PASSWORD_USER: &str = "password_user"; pub const WALLET_USER: &str = "wallet_user"; pub const INVALID_MESSAGE: &str = "invalid_message"; pub const INVALID_MESSAGE_FORMAT: &str = "invalid_message_format"; pub const MISSING_PLATFORM_OR_CODE_VERSION_METADATA: &str = "missing_platform_or_code_version_metadata"; pub const MISSING_KEY: &str = "missing_key"; pub const MESSAGE_NOT_AUTHENTICATED: &str = "message_not_authenticated"; pub const RETRY_FROM_NATIVE: &str = "retry_from_native"; } // Tunnelbroker pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT"; pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051"; // X3DH key management // Threshold for requesting more one_time keys pub const ONE_TIME_KEY_MINIMUM_THRESHOLD: usize = 5; // Number of keys to be refreshed when below the threshold pub const ONE_TIME_KEY_REFRESH_NUMBER: u32 = 5; // Minimum supported code versions pub const MIN_SUPPORTED_NATIVE_VERSION: u64 = 270; // Request metadata pub mod request_metadata { pub const CODE_VERSION: &str = "code_version"; pub const STATE_VERSION: &str = "state_version"; pub const MAJOR_DESKTOP_VERSION: &str = "major_desktop_version"; pub const DEVICE_TYPE: &str = "device_type"; pub const USER_ID: &str = "user_id"; pub const DEVICE_ID: &str = "device_id"; pub const ACCESS_TOKEN: &str = "access_token"; } // CORS pub mod cors { use std::time::Duration; pub const DEFAULT_MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60); pub const DEFAULT_EXPOSED_HEADERS: [&str; 3] = ["grpc-status", "grpc-message", "grpc-status-details-bin"]; pub const DEFAULT_ALLOW_HEADERS: [&str; 12] = [ "x-grpc-web", "content-type", "x-user-agent", "grpc-timeout", "authorization", super::request_metadata::CODE_VERSION, super::request_metadata::STATE_VERSION, super::request_metadata::MAJOR_DESKTOP_VERSION, super::request_metadata::DEVICE_TYPE, super::request_metadata::USER_ID, super::request_metadata::DEVICE_ID, super::request_metadata::ACCESS_TOKEN, ]; pub const ALLOW_ORIGIN_LIST: &str = "ALLOW_ORIGIN_LIST"; pub const PROD_ORIGIN_HOST_STR: &str = "web.comm.app"; } // Tracing pub const COMM_SERVICES_USE_JSON_LOGS: &str = "COMM_SERVICES_USE_JSON_LOGS"; +pub const REDACT_SENSITIVE_DATA: &str = "REDACT_SENSITIVE_DATA"; // Regex pub const VALID_USERNAME_REGEX_STRING: &str = r"^[a-zA-Z0-9][a-zA-Z0-9-_]{0,190}$"; // Retry // TODO: Replace this with `ExponentialBackoffConfig` from `comm-lib` pub mod retry { pub const MAX_ATTEMPTS: usize = 8; pub const CONDITIONAL_CHECK_FAILED: &str = "ConditionalCheckFailed"; pub const TRANSACTION_CONFLICT: &str = "TransactionConflict"; } // One-time keys pub const ONE_TIME_KEY_UPLOAD_LIMIT_PER_ACCOUNT: usize = 24; pub const ONE_TIME_KEY_SIZE: usize = 43; // as defined in olm pub const MAX_ONE_TIME_KEYS: usize = 100; // as defined in olm diff --git a/services/terraform/remote/service_identity.tf b/services/terraform/remote/service_identity.tf index b84c38366..ec90cabc4 100644 --- a/services/terraform/remote/service_identity.tf +++ b/services/terraform/remote/service_identity.tf @@ -1,301 +1,305 @@ locals { identity_service_image_tag = local.is_staging ? "0.31-staging" : "0.29" identity_service_server_image = "commapp/identity-server:${local.identity_service_image_tag}" identity_service_container_name = "identity-server" # Port that the container is listening on identity_service_container_grpc_port = 50054 identity_sc_port_name = "identity-service-ecs-grpc" identity_sc_dns_name = "identity-service" # Port that Websocket server listens on identity_service_container_ws_port = 51004 identity_sc_ws_port_name = "identity-service-ecs-ws" # URL accessible by other services in the same Service Connect namespace # This renders to e.g. 'http://identity-service:50054' identity_local_url = "http://${local.identity_sc_dns_name}:${local.identity_service_container_grpc_port}" # Port that is exposed to the public SSL endpoint (appended to domain name) identity_service_grpc_public_port = 50054 identity_service_domain_name = "identity.${local.root_domain}" opaque_server_setup_secret_name = "identity/ServerSetup" staging_allow_origin_list = <