bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

chore: clean up OAuth env vars and add seal secret to dev

- Remove unused OAUTH_CLIENT_ID, OAUTH_REDIRECT_URI, OAUTH_PRIVATE_JWK from .env.prod.example
- Add OAUTH_SEAL_SECRET to .env.dev for local development
- Clarify that OAUTH_SEAL_SECRET is required, client secret/kid are optional

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 99ad3ede 7221afe7

options
unified split
Changed files
+9 -14
.env.dev
.env.prod.example
+5
.env.dev 
···

       
115

       
 

       
# Also supports base64: prefix for consistency


     

       
116

       
 

       
OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d


     

       
117

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
118

       
 

       
# AppView public URL (used for OAuth callback and client metadata)


     

       
119

       
 

       
# Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)


     

       
120

       
 

       
# Prod: https://coves.social


     
···

       
115

       
 

       
# Also supports base64: prefix for consistency


     

       
116

       
 

       
OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d


     

       
117

       
 

       



     

       
118

       
+

       
# Seal secret for OAuth session tokens (AES-256-GCM encryption)


     

       
119

       
+

       
# Generate with: openssl rand -base64 32


     

       
120

       
+

       
# This must be 32 bytes when base64-decoded for AES-256


     

       
121

       
+

       
# OAUTH_SEAL_SECRET=ryW6xNVxYhP6hCDA90NGCmK58Q2ONnkYXbHL0oZN2no=


     

       
122

       
+

       



     

       
123

       
 

       
# AppView public URL (used for OAuth callback and client metadata)


     

       
124

       
 

       
# Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)


     

       
125

       
 

       
# Prod: https://coves.social
+4 -14
.env.prod.example 
···

       
81

       
 

       
# AppView public URL (used for OAuth callback and client metadata)


     

       
82

       
 

       
APPVIEW_PUBLIC_URL=https://coves.social


     

       
83

       
 

       



     

       
84

       
-

       
# OAuth client ID (usually your client-metadata.json URL)


     

       
85

       
-

       
OAUTH_CLIENT_ID=https://coves.social/oauth/client-metadata.json


     

       
86

       
-

       



     

       
87

       
-

       
# OAuth callback URI


     

       
88

       
-

       
OAUTH_REDIRECT_URI=https://coves.social/oauth/callback


     

       
89

       
-

       



     

       
90

       
-

       
# Generate EC P-256 private key in JWK format


     

       
91

       
-

       
# See: https://atproto.com/specs/oauth#client-metadata


     

       
92

       
-

       
# Generate with: go run cmd/genjwks/main.go


     

       
93

       
-

       
OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}


     

       
94

       
-

       



     

       
95

       
-

       
# Seal secret for encrypting mobile session tokens (AES-256-GCM)


     

       
96

       
-

       
# Generate with: openssl rand -base64 32


     

       
97

       
 

       
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES


     

       
98

       
 

       



     

       
99

       
-

       
# Optional: OAuth client secret and key ID (for confidential clients)


     

       

       

       
     

       
100

       
 

       
# OAUTH_CLIENT_SECRET=


     

       
101

       
 

       
# OAUTH_CLIENT_KID=


     

       
102

       
 

       



     
···

       
81

       
 

       
# AppView public URL (used for OAuth callback and client metadata)


     

       
82

       
 

       
APPVIEW_PUBLIC_URL=https://coves.social


     

       
83

       
 

       



     

       
84

       
+

       
# Seal secret for encrypting session tokens (AES-256-GCM)


     

       
85

       
+

       
# REQUIRED - Generate with: openssl rand -base64 32


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
86

       
 

       
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES


     

       
87

       
 

       



     

       
88

       
+

       
# Optional: OAuth client secret and key ID (for confidential clients only)


     

       
89

       
+

       
# Most deployments use public clients and don't need these


     

       
90

       
 

       
# OAUTH_CLIENT_SECRET=


     

       
91

       
 

       
# OAUTH_CLIENT_KID=


     

       
92