# Example: IIIF Auth 2.0 — active pattern (htpasswd credentials)
#
# Username/password login against an htpasswd-format file on disk.
# The file is mtime-watched, so adding or removing users is a file
# edit, not a restart. Bcrypt is recommended (htpasswd -B); apr1
# (htpasswd -m) is accepted for legacy compatibility.
#
# For very small deployments where putting hashes in YAML is
# acceptable, see auth-active-inline.yaml instead.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    staff:
      pattern: active
      label:
        en: ["Staff access"]
      heading:
        en: ["Please sign in"]
      description:
        en: ["This material is restricted to library staff."]
      access_service:
        backend: builtin
      htpasswd_file: /etc/iiiris/htpasswd
      # Generate the file via:
      #   htpasswd -cB /etc/iiiris/htpasswd alice
      #   htpasswd -B  /etc/iiiris/htpasswd bob
      # iiiris re-reads the file on mtime change; no restart needed
      # to add or remove users.
      session_ttl: 8h
      token_ttl: 10m

  rules:
    - match: "staff/*"
      profile: staff

  cors:
    token_origins:
      - https://viewer.example.org
