# TISBackup Authentication Configuration Examples
# Add to tisbackup_gui.ini under [authentication] section
#
# The sections below are ALTERNATIVES: copy exactly one [authentication]
# block into tisbackup_gui.ini. Do not load or append this file as-is.
# It repeats the [authentication] header, and INI parsers handle repeated
# sections differently (error, merge, first-wins or last-wins), so the
# effective setting could end up being "type = none".
# All credentials, hashes, client IDs and host names here are placeholders.

# ============================================
# Option 1: No Authentication (NOT RECOMMENDED)
# ============================================
# Disables authentication for the GUI. Keep this to isolated test setups;
# access then depends entirely on network-level controls.
[authentication]
type = none

# ============================================
# Option 2: HTTP Basic Authentication
# ============================================
# HTTP Basic sends the username and password with every request, only
# base64-encoded, so this option needs TLS in front of the GUI
# (see Security Notes, item 1).
[authentication]
type = basic
username = admin
# Plain text password (NOT RECOMMENDED for production)
# "changeme" is a placeholder; anyone who can read this file learns the
# password while use_bcrypt = False.
password = changeme
use_bcrypt = False
realm = TISBackup Admin

# RECOMMENDED: Use bcrypt hash
# Generate hash with: python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"
# The command above leaves the password in shell history and in the process
# list while it runs. To be prompted for it instead:
# python3 -c "import bcrypt, getpass; print(bcrypt.hashpw(getpass.getpass().encode(), bcrypt.gensalt()).decode())"
# The hash below is a sample value; generate your own and never reuse it.
# NOTE(review): bcrypt hashes contain '$'. That is literal under Python
# configparser's default interpolation, but would need escaping under
# ExtendedInterpolation - confirm which parser settings the application uses.
[authentication]
type = basic
username = admin
password = $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYWv.5qVQK6
use_bcrypt = True
realm = TISBackup Admin

# ============================================
# Option 3: Flask-Login (Username/Password with Sessions)
# ============================================
# Session-based login; sessions depend on the Flask secret key
# (see Security Notes, item 2).
[authentication]
type = flask-login
# Users can be defined inline or in a file
# The users file holds password hashes: keep it readable only by the
# account that runs TISBackup and out of version control.
users_file = /etc/tis/users.txt
use_bcrypt = True
login_view = login

# User file format (users.txt):
# username:bcrypt_password_hash
# Example:
# admin:$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYWv.5qVQK6
# operator:$2b$12$abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNO
# (Both lines illustrate the format only; replace them with hashes you
# generated yourself.)

# ============================================
# Option 4: OAuth2 - Google
# ============================================
# Applies to every OAuth option below:
# - client_secret is a credential. Keep the real value out of version
#   control and restrict read access to this file (Security Notes 5-7).
# - redirect_uri uses http://localhost for local testing only. In production
#   use the https:// URL of the server; it must match the redirect URI
#   registered with the provider.
# - Set authorized_domains and/or authorized_users, otherwise access is not
#   restricted as Security Notes item 4 recommends.
[authentication]
type = oauth
provider = google
client_id = your-client-id.apps.googleusercontent.com
client_secret = your-client-secret
redirect_uri = http://localhost:8080/oauth/callback
# Restrict to specific domains
authorized_domains = example.com,mycompany.com
# Or restrict to specific users
# NOTE(review): both keys are set in this example; whether the application
# requires a match on either list or on both is not shown here - confirm
# before relying on one of them alone.
authorized_users = admin@example.com,backup-admin@example.com

# To get Google OAuth credentials:
# 1. Go to https://console.cloud.google.com/apis/credentials
# 2. Create OAuth 2.0 Client ID
# 3. Add authorized redirect URI: http://your-server:8080/oauth/callback

# ============================================
# Option 5: OAuth2 - GitHub
# ============================================
[authentication]
type = oauth
provider = github
client_id = your-github-client-id
client_secret = your-github-client-secret
redirect_uri = http://localhost:8080/oauth/callback
# Restrict to specific GitHub users (by email)
# NOTE(review): access is decided by e-mail address; confirm the application
# compares against an address the provider reports as verified.
authorized_users = admin@example.com

# To get GitHub OAuth credentials:
# 1. Go to Settings > Developer settings > OAuth Apps
# 2. Register a new application
# 3. Set Authorization callback URL: http://your-server:8080/oauth/callback

# ============================================
# Option 6: OAuth2 - GitLab
# ============================================
[authentication]
type = oauth
provider = gitlab
client_id = your-gitlab-application-id
client_secret = your-gitlab-secret
redirect_uri = http://localhost:8080/oauth/callback
authorized_domains = example.com

# To get GitLab OAuth credentials:
# 1. Go to User Settings > Applications
# 2. Create new application with scopes: read_user, email
# 3. Set Redirect URI: http://your-server:8080/oauth/callback

# ============================================
# Option 7: OAuth2 - Generic Provider
# ============================================
[authentication]
type = oauth
provider = generic
client_id = your-client-id
client_secret = your-client-secret
redirect_uri = http://localhost:8080/oauth/callback
# Custom OAuth endpoints
# Keep all three endpoints on https://; the token and userinfo calls carry
# the client secret and access token.
authorization_endpoint = https://auth.example.com/oauth/authorize
token_endpoint = https://auth.example.com/oauth/token
userinfo_endpoint = https://auth.example.com/oauth/userinfo
scopes = openid,email,profile
authorized_domains = example.com

# ============================================
# Security Notes
# ============================================
# 1. Always use HTTPS in production (reverse proxy with TLS)
# 2. Set strong Flask secret_key via TISBACKUP_SECRET_KEY env var
# 3. For Basic Auth, always use bcrypt hashed passwords
# 4. For OAuth, restrict access via authorized_domains or authorized_users
# 5. Keep client secrets secure and never commit to version control
# 6. Regularly rotate OAuth client secrets
# 7. Use environment variables for sensitive data when possible