Caddy module to require at-proto authentication and restrict routes to DIDs
# Global options for the end-to-end (e2e) test instance.
{
	# Admin API is switched off, so no runtime config endpoint is exposed
	# while the tests run.
	admin off

	atproto {
		# Relative path: the database is created in whatever directory Caddy
		# is started from.
		# NOTE(review): presumably holds session/OAuth state; confirm, and
		# keep the file out of version control and shared directories.
		storage_path ./e2e.db

		# Test-only placeholder. It is committed in cleartext and therefore
		# public, so it must not be reused outside this fixture; a real
		# deployment should load a random value from the environment or a
		# secret store. The value itself says it must be at least 32 bytes.
		# NOTE(review): presumably keys the session cookies for every site
		# below, since it is set once globally; confirm.
		cookie_secret "testing-secret-must-be-at-least-32-bytes-long"
	}
}
# --- Scenario 1: Standalone App (Composed) ---
# One site acts as both the portal and the gated app, composed in one route.
# Served over plain http:// on localhost: fine for this fixture only, because
# session cookies and OAuth redirects are unencrypted on this listener.
http://localhost:8081 {
	# `route` keeps the handlers in the order written: portal, gate, content.
	route {
		atproto_portal {
			domain localhost:8081
			name "Standalone App 1"
		}

		atproto_gate {
			# The portal is on this same site.
			portal_url /
			# Supplying client_id enables refresh.
			# NOTE(review): this URL is https:// while the site listens on
			# http://; confirm the mismatch is intended.
			client_id https://localhost:8081/.well-known/oauth-client-metadata.json
			# Allow-list entry given as a handle. A handle is a name that
			# resolves to a DID, and the binding can change with control of
			# the domain.
			# NOTE(review): whether the gate pins the DID or re-resolves the
			# handle at login is not visible here; confirm.
			allow @vvill.dev
		}

		# Protected content: must stay after the gate so it is never served
		# to an unauthenticated request.
		respond "Welcome to Standalone App! You are authenticated."
	}
}
# --- Scenario 2: Centralized Auth Hub ---

# The Portal (Identity Provider)
# This site configures only the login portal: no gate and no content of its
# own appear in its route.
http://localhost:8082 {
	route {
		atproto_portal {
			domain localhost:8082
			name "Local E2E Hub"
		}
	}
}
# The Service (Relying Party)
# Sends users to the hub on port 8082 to log in.
http://localhost:8083 {
	route {
		atproto_gate {
			# Auth Hub mode (no 'domain' set)
			# The portal is a different origin, given as an absolute URL.
			# NOTE(review): how the session travels from the hub back to this
			# site, and whether the return target is validated, is not visible
			# in this file; confirm in the module.
			# Both sites use the host name "localhost" and browsers do not
			# scope cookies by port, so this fixture does not exercise
			# isolation between two genuinely distinct domains.
			portal_url http://localhost:8082
			allow @vvill.dev
		}

		# Served only once the gate has let the request through.
		respond "Welcome to Service App! You authenticated via the Hub."
	}
}
# --- Scenario 3: Standalone app with Custom Paths ---

# One site serves the portal under a path prefix, then the gate, then the app.
http://localhost:8084 {
	# Order matters inside `route`: portal, then gate, then content.
	route {
		# Step 1: the auth portal, mounted under /atproto.
		atproto_portal {
			domain localhost:8084
			name "Standalone App 3"
			path_prefix /atproto
		}

		# Step 2: require an authenticated user.
		atproto_gate {
			# The portal is local but lives at a custom path. The gate appends
			# /login to portal_url, so portal_url must equal the portal's
			# path_prefix (/atproto) for the login redirect to land on it.
			portal_url /atproto
			# NOTE(review): https:// URL on a site served over http://;
			# confirm this is intended.
			client_id https://localhost:8084/.well-known/oauth-client-metadata.json
			allow @vvill.dev
		}

		# Step 3: the app itself, reachable only past the gate.
		respond "Welcome to Standalone App 3! Custom paths working."
	}
}