spec_type: authentication
name: Authentication Configuration
version: "1.0"

methods:
  - type: email_password
    enabled: true
    password_policy:
      min_length: 12
      require_uppercase: true
      require_lowercase: true
      require_numbers: true
      require_special: true
      max_age_days: 90
      
  - type: oauth2
    enabled: true
    providers:
      - name: google
        client_id_env: GOOGLE_CLIENT_ID
        scopes: [email, profile]
      - name: github
        client_id_env: GITHUB_CLIENT_ID
        scopes: [user:email]
        
  - type: mfa
    enabled: true
    options:
      - totp
      - sms
      - email

session:
  type: jwt
  access_token_expiry: 15m
  refresh_token_expiry: 7d
  secure_cookie: true
  same_site: strict