# -----------------------------------------------------------------------------
# Checkpoint Middleware Configuration (checkpoint.toml)
#
# All durations are parsed via time.ParseDuration (e.g. "24h").
# Arrays and tables map directly to the Config struct fields.
# -----------------------------------------------------------------------------

# === GENERAL SETTINGS ===
# Number of leading zeros required in PoW hash
Difficulty = 4
# Validity period for issued tokens
TokenExpiration = "24h"
# Name of the cookie used to store the checkpoint token
CookieName = "checkpoint_token"
# Domain attribute for the cookie; empty = host-only (localhost)
CookieDomain = ""
# Length of the random salt in bytes for challenges
SaltLength = 16

# === RATE LIMITING & EXPIRATION ===
# Max PoW verification attempts per IP per hour
MaxAttemptsPerHour = 10
# Max age for used nonces before cleanup
MaxNonceAge = "24h"
# Time allowed for solving a challenge
ChallengeExpiration = "5m"

# === PERSISTENCE PATHS ===
# File where HMAC secret is stored
SecretConfigPath = "./data/checkpoint_secret.json"
# Directory for BadgerDB token store
TokenStoreDBPath = "./data/checkpoint_tokendb"
# Ordered fallback paths for interstitial HTML
InterstitialPaths = [
  "./public/static/pow-interstitial.html",
  "./develop/static/pow-interstitial.html"
]

# === SECURITY SETTINGS ===
# Enable Proof-of-Space-Time consistency checks
CheckPoSTimes = true
# Allowed ratio between slowest and fastest PoS runs
PoSTimeConsistencyRatio = 1.35

# === HTML CHECKPOINT EXCLUSIONS ===
# Path prefixes to skip PoW interstitial
HTMLCheckpointExclusions = ["/api"]
# File extensions to skip PoW check
HTMLCheckpointExcludedExtensions = { ".jpg" = true, ".jpeg" = true, ".png" = true, ".gif" = true, ".svg" = true, ".webp" = true, ".ico" = true, ".bmp" = true, ".tif" = true, ".tiff" = true, ".mp4" = true, ".webm" = true, ".css" = true, ".js" = true, ".mjs" = true, ".woff" = true, ".woff2" = true, ".ttf" = true, ".otf" = true, ".eot" = true, ".json" = true, ".xml" = true, ".txt" = true, ".pdf" = true, ".map" = true, ".wasm" = true }

# === QUERY SANITIZATION ===
# Regex patterns (case-insensitive) to block in query strings
DangerousQueryPatterns = [
  "(?i)union\\s+select",
  "(?i)drop\\s+table",
  "(?i)insert\\s+into",
  "(?i)<script",
  "(?i)javascript:",
  "(?i)onerror=",
]
# Block queries containing ';', '`', or '\\'
BlockDangerousPathChars = true

# === USER-AGENT VALIDATION ===
# Path prefixes to skip UA validation
UserAgentValidationExclusions = ["/api"]
# Required UA prefix per path prefix
[UserAgentRequiredPrefixes]
"/demo1" = "Dart/"

# === REVERSE PROXY MAPPINGS ===
# Hostname-to-backend URL map
[ReverseProxyMappings]
"jellyfin.caileb.com" = "http://192.168.0.2:8096"
"archive.caileb.com" = "http://192.168.0.2:7461"
"music.caileb.com" = "http://192.168.0.2:4533"
"gallery.caileb.com" = "http://192.168.0.2:2283"