Skip to content

Security: shortmesh/Authy-API

Security

docs/SECURITY.md

Security Configuration

Modes

  • development (default): HTTP allowed, no TLS required
  • production: HTTPS enforced for server and external services

Set via APP_MODE=development or APP_MODE=production

Database Encryption

Default: SQLCipher with AES-256 encryption at rest

Optional: Standard SQLite (unencrypted) can be enabled for development

Warning

Production deployments should use SQLCipher to protect sensitive data at rest

Disable Encryption (Not Recommended)

To disable encryption for development purposes:

  1. Set DISABLE_DB_ENCRYPTION=true in .env
  2. Run normally: make run, make migrate-up, or make build

The build system automatically detects the DISABLE_DB_ENCRYPTION setting and compiles with the appropriate SQLite driver (SQLCipher or standard SQLite).

Manual Build (Advanced)

go run cmd/api/main.go                  # Standard SQLite
go run -tags sqlcipher cmd/api/main.go  # SQLCipher

go build -o bin/api cmd/api/main.go                  # Standard SQLite
go build -tags sqlcipher -o bin/api cmd/api/main.go  # SQLCipher

Note

  • When DISABLE_DB_ENCRYPTION=false, a DB_ENCRYPTION_KEY must be set
  • When DISABLE_DB_ENCRYPTION=true, the DB_ENCRYPTION_KEY is ignored
  • Production mode logs a warning if encryption is disabled but doesn't enforce it

Production Requirements

Server TLS

Required in production unless behind a reverse proxy:

APP_MODE=production
TLS_CERT_FILE=/path/to/cert.crt
TLS_KEY_FILE=/path/to/key.key

Tip

If using reverse proxy for TLS termination (e.g., nginx, Caddy):

APP_MODE=production
ALLOW_INSECURE_SERVER=true

External Services

Production mode requires HTTPS for Interface API:

APP_MODE=production
INTERFACE_API_URL=https://interface.example.com

Caution

To allow insecure protocols in production (not recommended):

ALLOW_INSECURE_EXTERNAL=true

Configuration Examples

Development

APP_MODE=development
HOST=127.0.0.1
PORT=8080
DISABLE_DB_ENCRYPTION=false
INTERFACE_API_URL=http://localhost:8080

Production with TLS

APP_MODE=production
HOST=0.0.0.0
PORT=8443
TLS_CERT_FILE=/etc/ssl/certs/api.crt
TLS_KEY_FILE=/etc/ssl/private/api.key
DISABLE_DB_ENCRYPTION=false
INTERFACE_API_URL=https://interface.example.com

Production Behind Reverse Proxy

APP_MODE=production
HOST=127.0.0.1
PORT=8080
ALLOW_INSECURE_SERVER=true
DISABLE_DB_ENCRYPTION=false
INTERFACE_API_URL=https://interface.example.com

Common Errors

"TLS_CERT_FILE and TLS_KEY_FILE must be set"

  • Set cert/key paths or use ALLOW_INSECURE_SERVER=true with reverse proxy

"production mode requires HTTPS for external service"

  • Update URLs to secure protocols or set ALLOW_INSECURE_EXTERNAL=true

There aren't any published security advisories