# Ory Oathkeeper configuration (inferred from the section names and the
# Kratos "sessions/whoami" URLs): reverse proxy on 4455, admin API on 4456.
# Routing decisions (which authenticator / authorizer / mutator applies to
# which path) live in the access-rule files listed under access_rules.
serve:
  proxy:
    port: 4455
    # X-Forwarded-* headers from the incoming request are trusted. That is
    # only safe when this port is reachable exclusively through an upstream
    # proxy that overwrites those headers; a directly reachable port lets a
    # client spoof them — NOTE(review): confirm the deployment topology.
    trust_forwarded_headers: true
    cors:
      enabled: true
      # Credentialed CORS (allow_credentials below) is granted to every origin
      # here, including the localhost/dev entries. If this file is also used
      # in production, any page served on those local ports can make
      # credentialed cross-origin calls — TODO confirm this is intended, or
      # split the allowlist per environment.
      allowed_origins:
        - "https://account.example.com"
        - "https://auth.example.com"
        - "https://app.example.com"
        - "https://admin.example.com"
        - "https://api.example.com"
        - "http://localhost:4455"
        - "http://localhost:5173"
        - "https://local.example.com:5173"
        - "http://localhost:8000"
      allowed_methods:
        - GET
        - POST
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
        - X-Session-Token
        # Browsers never let page script set Cookie, so this entry has no
        # effect on preflight handling (harmless, kept as written).
        - Cookie
        - Accept
      exposed_headers:
        - Content-Type
        # Set-Cookie is never readable by page script regardless of this
        # list; exposing it is a no-op (harmless, kept as written).
        - Set-Cookie
      allow_credentials: true
      debug: false
  api:
    port: 4456

access_rules:
  matching_strategy: glob
  # The permissive handlers enabled below (authenticators.noop,
  # authenticators.anonymous, authorizers.allow) only take effect on routes
  # whose rule names them — the per-route review belongs in these files.
  repositories:
    - file:///etc/oathkeeper/access-rules/django.yml
    - file:///etc/oathkeeper/access-rules/kratos-public.yml
    - file:///etc/oathkeeper/access-rules/kratos-admin.yml

authenticators:
  # Session cookie validated against Kratos over the internal network
  # (plain http://kratos:4433 — presumably a private docker/cluster network,
  # confirm it is not routable from outside).
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      # Whole whoami response becomes .Extra for the mutators below.
      extra_from: "@this"
      subject_from: "identity.id"
      # Only this cookie is forwarded to the whoami check.
      only:
        - ory_kratos_session
  # Same check for API clients that carry the session token as a bearer
  # token in the Authorization header.
  bearer_token:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      token_from:
        header: Authorization
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
  # noop performs no authentication; anonymous assigns subject "guest".
  # Both are bypasses by design — they must only appear in rules for
  # genuinely public routes.
  noop:
    enabled: true
  anonymous:
    enabled: true
    config:
      subject: guest

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

mutators:
  noop:
    enabled: true
  id_token:
    enabled: true
    config:
      issuer_url: https://auth.example.com/
      jwks_url: file:///etc/oathkeeper/id_token.jwks.json
      ttl: 1h
      # The whole whoami payload (identity traits included) is embedded in
      # the signed token; anyone holding the token can read it. NOTE(review):
      # confirm the upstream needs all of .Extra rather than selected fields.
      claims: |
        { "session": {{ .Extra | toJson }} }
  # Identity is passed upstream as plain request headers. The upstream must
  # trust these only when X-Oathkeeper-Secret matches, and presumably must be
  # reachable only through this proxy so a client cannot inject X-User-*
  # headers itself — verify both on the Django side.
  header:
    enabled: true
    config:
      headers:
        # 🔒 SECURITY: Shared secret - must match Django OATHKEEPER_SECRET
        # NOTE(review): confirm the config loader expands ${...}; if it does
        # not, the literal placeholder is sent as the secret.
        X-Oathkeeper-Secret: "${OATHKEEPER_SECRET}"
        X-User-ID: "{{ print .Subject }}"
        X-User-Email: "{{ print .Extra.identity.traits.email }}"
        X-User-First-Name: "{{ print .Extra.identity.traits.name.first }}"
        X-User-Last-Name: "{{ print .Extra.identity.traits.name.last }}"
        X-User-Phone: "{{ print .Extra.identity.traits.phone }}"
        X-User-Profile-Type: "{{ print .Extra.identity.traits.profile_type }}"
        # Nested "with" guards: header is empty when metadata_public or
        # django_profile_id is absent instead of failing the template.
        X-Django-Profile-ID: "{{ with .Extra.identity.metadata_public }}{{ with .django_profile_id }}{{ . }}{{ end }}{{ end }}"
  cookie:
    enabled: true
    config:
      cookies:
        user_id: "{{ print .Subject }}"

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        # Returns error details to the client; presumably a development
        # setting — TODO confirm it is false in production.
        verbose: true
    # Browser-style requests (Accept: text/html) that are unauthorized or
    # forbidden are sent to the login page; other clients get the json
    # fallback above.
    redirect:
      enabled: true
      config:
        to: https://account.example.com/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html

log:
  # debug level alongside production hostnames — NOTE(review): debug logs
  # may include request details; confirm level is raised to info outside
  # development.
  level: debug
  format: text