···6565 signing_jwk:
6666 ~s({"crv":"P-256","d":"h0MvqcXLcKqWZFnqUCAuc6Bmt6gGzj5F5sFOCaUD4Jw","kty":"EC","x":"u0_K5EPDBIlGVp_rUUKucDviS-Owhiv4jnpMCeI7ojY","y":"v_XGrdUIww1wsRA7TUqMWIAJXmi2V8mnoF24Vg5OkvQ"})
67676868+config :annot_at, AnnotAt.Vault,
6969+ ciphers: [
7070+ default:
7171+ {Cloak.Ciphers.AES.GCM,
7272+ tag: "AES.GCM.V1", key: Base.decode64!("8h8cn7yiPKyVKiCURGpw7/lUPqxEOahH2C+0CdGQIbI=")}
7373+ ]
7474+6875# Import environment specific config. This must remain at the bottom
6976# of this file so it overrides the configuration defined above.
7077import_config "#{config_env()}.exs"
+6-49
config/runtime.exs
···7171 ],
7272 secret_key_base: secret_key_base
73737474- # ## SSL Support
7575- #
7676- # To get SSL working, you will need to add the `https` key
7777- # to your endpoint configuration:
7878- #
7979- # config :annot_at, AnnotAtWeb.Endpoint,
8080- # https: [
8181- # ...,
8282- # port: 443,
8383- # cipher_suite: :strong,
8484- # keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
8585- # certfile: System.get_env("SOME_APP_SSL_CERT_PATH")
8686- # ]
8787- #
8888- # The `cipher_suite` is set to `:strong` to support only the
8989- # latest and more secure SSL ciphers. This means old browsers
9090- # and clients may not be supported. You can set it to
9191- # `:compatible` for wider support.
9292- #
9393- # `:keyfile` and `:certfile` expect an absolute path to the key
9494- # and cert in disk or a relative path inside priv, for example
9595- # "priv/ssl/server.key". For all supported SSL configuration
9696- # options, see https://hexdocs.pm/plug/Plug.SSL.html#configure/1
9797- #
9898- # We also recommend setting `force_ssl` in your config/prod.exs,
9999- # ensuring no data is ever sent via http, always redirecting to https:
100100- #
101101- # config :annot_at, AnnotAtWeb.Endpoint,
102102- # force_ssl: [hsts: true]
103103- #
104104- # Check `Plug.SSL` for all available options in `force_ssl`.
105105-106106- # ## Configuring the mailer
107107- #
108108- # In production you need to configure the mailer to use a different adapter.
109109- # Here is an example configuration for Mailgun:
110110- #
111111- # config :annot_at, AnnotAt.Mailer,
112112- # adapter: Swoosh.Adapters.Mailgun,
113113- # api_key: System.get_env("MAILGUN_API_KEY"),
114114- # domain: System.get_env("MAILGUN_DOMAIN")
115115- #
116116- # Most non-SMTP adapters require an API client. Swoosh supports Req, Hackney,
117117- # and Finch out-of-the-box. This configuration is typically done at
118118- # compile-time in your config/prod.exs:
119119- #
120120- # config :swoosh, :api_client, Swoosh.ApiClient.Req
121121- #
122122- # See https://hexdocs.pm/swoosh/Swoosh.html#module-installation for details.
7474+ config :annot_at, AnnotAt.Vault,
7575+ ciphers: [
7676+ default:
7777+ {Cloak.Ciphers.AES.GCM,
7878+ tag: "AES.GCM.V1", key: Base.decode64!(System.fetch_env!("CLOAK_KEY"))}
7979+ ]
12380end
+3-3
lib/annot_at/accounts/atproto_session.ex
···88 field :auth_server_issuer, :string
99 # Space-separated scopes from token response
1010 field :granted_scopes, :string
1111- field :access_token, :string
1212- field :refresh_token, :string
1111+ field :access_token, AnnotAt.Encrypted.Binary
1212+ field :refresh_token, AnnotAt.Encrypted.Binary
1313 # ES256 keypair for this session
1414- field :dpop_private_jwk, :string
1414+ field :dpop_private_jwk, AnnotAt.Encrypted.Binary
1515 # Access token expiry
1616 field :expires_at, :utc_datetime
1717
+2-2
lib/annot_at/accounts/oauth_login_request.ex
···1111 field :pds_host, :string
1212 field :auth_server_issuer, :string
1313 # PKCE verifier, its challenge went out in PAR, the verifier redeems the code
1414- field :pkce_verifier, :string
1414+ field :pkce_verifier, AnnotAt.Encrypted.Binary
1515 # Per-session DPoP key (serialized), tokens get bound to it at exchange
1616- field :dpop_private_jwk, :string
1616+ field :dpop_private_jwk, AnnotAt.Encrypted.Binary
17171818 timestamps(type: :utc_datetime)
1919 end