$ java -jar restheart.jar

$ java -jar restheart.jar -t

$ RHO="/fileRealmAuthenticator/users[userid='admin']/password->'secret'" java -jar core/target/restheart.jar -s

# RESTHeart Configuration File.
## See https://restheart.org/docs/setup/#configuration-files

---
# HTTP Listener
# WARNING: Using the http listener is not secure.
http-listener:
  enabled: true
  host: localhost
  port: 8080

# HTTPS Listener
https-listener:
  enabled: false
  host: localhost
  port: 4443
  # The https listener requires setting up a TLS certificate.
  # See https://restheart.org/docs/security/tls/
  keystore-path: null
  keystore-password: null
  certificate-password: null

# AJP Listener
ajp-listener:
  enabled: false
  host: localhost
  port: 8009

# Auth Token Authentication
# The verified token is generated by the enabled token manager
# See https://restheart.org/docs/security/authentication#token-authentication
tokenBasicAuthMechanism:
  enabled: true

# Basic Authentication
# See https://restheart.org/docs/security/authentication#basic-authentication
basicAuthMechanism:
  enabled: true
  authenticator: mongoRealmAuthenticator

# JSON Web Token Authentication
# See https://restheart.org/docs/security/authentication#jwt-authentication
jwtAuthenticationMechanism:
  enabled: false
  algorithm: HS256
  key: secret
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: roles
  fixedRoles: []
  #  - jwt-role
  issuer: restheart.org
  audience: null

# Digest Authentication
# See https://restheart.org/docs/security/authentication#digest-authentication
digestAuthMechanism:
  # Disabled by default: requires plaintext passwords but mongoRealmAuthenticator uses bcrypt hashing
  enabled: false
  realm: RESTHeart Realm
  domain: localhost
  authenticator: mongoRealmAuthenticator

# For development purposes. Always authenticate the request with the given user
# See https://restheart.org/docs/security/authentication#identity-authentication
identityAuthMechanism:
  enabled: false
  username: admin
  roles:
    - admind
    - user

# fileRealmAuthenticator defines user credentials and roles inline or in a simple YAML con-file.
# See https://restheart.org/docs/security/authentication#file-realm-authenticator
fileRealmAuthenticator:
  enabled: false
  #conf-file: ./users.yml
  users:
    - userid: admin
      password: null
      roles: [admin]

# mongoRealmAuthenticator authenticates users defined in a MongoDB collection.
# See https://restheart.org/docs/security/authentication#mongo-realm-authenticator
mongoRealmAuthenticator:
  enabled: true
  users-db: restheart
  users-collection: users
  prop-id: _id
  prop-password: password
  json-path-roles: $.roles
  bcrypt-hashed-password: true
  bcrypt-complexity: 12
  # When true, API requests to create or update accounts will return HTTP 400
  # (Bad Request) if the provided password fails strength validation
  enforce-minimum-password-strength: false
  # Password strength levels: 0=Weak, 1=Fair, 2=Good, 3=Strong, 4=Very Strong
  minimum-password-strength: 3
  # When enabled, creates a default admin user at RestHeart startup if no admin user exists
  create-user: true
  # Defines the user document structure for the default admin user created at startup.
  # Password must be bcrypt-hashed when bcrypt-hashed-password=true
  # Default password is 'secret' (hashed below)
  # See https://bcrypt-generator.com for generating bcrypt hashes
  create-user-document: '{"_id": "admin", "password": "$2a$12$lZiMMNJ6pkyg4uq/I1cF5uxzUbU25aXHtg7W7sD2ED7DG1wzUoo6u", "roles": ["admin"]}'
  cache-enabled: false
  cache-size: 1_000
  cache-ttl: 60_000 # in milliseconds
  cache-expire-policy: AFTER_WRITE

# Cookie Authentication
# see: https://restheart.org/docs/security/authentication#cookie-authentication

# Sets auth cookie on successful authentication when '?set-auth-cookie' is present
# Compatible with both rndTokenManager and jwtTokenManager
authCookieSetter:
  enabled: false          # Not enabled by default
  name: rh_auth           # The name of the cookie to be set
  domain: localhost       # The domain within which the cookie is valid.
  path: /                 # The cookie path, applicable to the entire domain.
  http-only: true         # If true enhances security by making the cookie inaccessible to JavaScript.
  same-site: true         # Restricts the cookie to first-party contexts, preventing CSRF attacks.
  same-site-mode: strict  # Strictly prevents the cookie from being sent along with cross-site requests.
  expires-ttl: 86_400     # Defines the duration in seconds for which the cookie is valid (default: 86400 seconds = 1 day). When using jwtTokenManager, this value should match the TTL configured at /jwtTokenManager/ttl.

# Creates Authorization header from auth cookie. Compatible with Basic and JWT auth.
authCookieHandler:
  enabled: false          # Not enabled by default

# Clears auth cookie on POST /logout, logging out the user
authCookieRemover:
  enabled: false          # Not enabled by default
  secure: false           # If request to clean the cookie should be authenticated
  defaultUri: /logout     # The endpoint that triggers this service.

# fileAclAuthorizer authorizes requests according to the Access Control List defined inline or in a YAML file.
# See https://restheart.org/docs/security/authorization#file-acl-authorizer
fileAclAuthorizer:
  enabled: false
  #conf-file: ./acl.yml
  permissions:
    - role: admin
      predicate: path-prefix('/')
      priority: 0

# mongoAclAuthorizer authorizes requests according to the Access Control List defined in a MongoDB collection.
# See https://restheart.org/docs/security/authorization#mongo-acl-authorizer
mongoAclAuthorizer:
  enabled: true
  acl-db: restheart
  acl-collection: acl
  # Clients with root-role can execute any request
  root-role: admin
  cache-enabled: true
  cache-size: 1_000
  cache-ttl: 5_000 # in milliseconds
  cache-expire-policy: AFTER_WRITE

# originVetoer protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted
# See https://restheart.org/docs/security/authorization#originvetoer
originVetoer:
  enabled: false
  whitelist:
    - https://restheart.org
    - http://localhost
  # Optional paths to skip Origin header checks. Supports patterns like /{var}/path/*
  # ignore-paths:
  #   - /{tenant}/bucket.files/{id}/binary
  #   - /coll/docid

# fullAuthorizer authorizes all requests
fullAuthorizer:
  enabled: false
  authentication-required: true

# Token Manager
# See https://restheart.org/docs/security/authentication#token-managers

# Generates and verifies auth tokens. First configured manager is used.
# Token returned via auth-token header on successful authentication.

# rndTokenService generates auth tokens using a random number generator.
rndTokenManager:
  enabled: true
  ttl: 15 # in minutes
  srv-uri: /tokens

# jwtTokenManager generates JWT auth tokens.
# Use this in clustered deployments, since all nodes sharing the key
# can verify the token independently
jwtTokenManager:
  enabled: false
  key: secret
  ttl: 15 # in minutes
  srv-uri: /tokens
  issuer: restheart.org
  audience: null
  # additional JWT claims from accounts properties
  account-properties-claims:
  # - foo # property name
  # - /nested/property # xpath expr for nested properties

# Provider the MongoClient via @Inject('mclient')
mclient:
  # See https://docs.mongodb.com/manual/reference/connection-string/
  connection-string: mongodb://127.0.0.1

# MongoDB REST and Websocket API
# See https://restheart.org/docs/tutorial
mongo:
  enabled: true
  uri: /

  # Expose MongoDB resources at specific URIs.
  # 'what': MongoDB resource (/db[/coll[/docid]]) or '*' for all databases
  # 'where': URI binding (absolute path or template like /{foo}/bar/*)
  # Note: Cannot mix absolute paths and path templates in 'where' URIs
  #
  # Examples:
  # The following exposes all MongoDb resources.
  # In this case the URI of a document is /db/coll/docid
  #
  #   - what: "*"
  #     where: /
  #
  # The following binds the URI /database to the db 'db'
  # In this case the URI of a document is /database/coll/docid
  #
  #   - what: /db
  #     where: /database
  #
  # The following binds the URI /api to the collection 'db.coll'
  # In this case the URI of a document is /api/docid
  #
  #   - what: /db/coll
  #     where: /api
  mongo-mounts:
    - what: /restheart
      where: /

  # Default representation format https://restheart.org/docs/mongodb-rest/representation-format/#other-representation-formats
  default-representation-format: STANDARD

  # Default etag check policy https://restheart.org/docs/mongodb-rest/etag/#etag-policy
  etag-check-policy:
    db: REQUIRED_FOR_DELETE
    coll: REQUIRED_FOR_DELETE
    doc: OPTIONAL

  # get collection cache speedups GET /coll?cache requests
  get-collection-cache-enabled: true
  get-collection-cache-size: 100
  get-collection-cache-ttl: 10_000 # Time To Live, in milliseconds default 10 seconds
  get-collection-cache-docs: 1_000 # number of documents to cache for each request

  # Check if aggregation variables use operators. https://restheart.org/docs/mongodb-rest/aggregations/#security-considerations
  aggregation-check-operators: true

  # default-pagesize is the number of documents returned when the pagesize query
  # parameter is not specified
  # See https://restheart.org/docs/read-docs#paging
  default-pagesize: 100

  # max-pagesize sets the maximum allowed value of the pagesize query parameter
  # Generally, the greater the pagesize, the more json serialization overhead occurs
  # The rule of thumb is not exceeding 1000
  max-pagesize: 1_000

  # Caches db/collection properties for better performance, avoiding 2 extra queries per document GET.
  # In multi-node deployments, property changes may take up to TTL milliseconds to sync across nodes.
  # Database and collection properties typically change only during development.
  local-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  local-cache-ttl: 60_000 # in milliseconds

  # cache for JSON Schemas
  schema-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  schema-cache-ttl: 60_000 # in milliseconds

  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  query-time-limit: 0 # in milliseconds
  # The time limit in milliseconds for processing aggregations. Set to 0 for no time limit.
  aggregation-time-limit: 0 # in milliseconds

# MongoDB GraphQL API
# See https://restheart.org/docs/mongodb-graphql/
graphql:
  uri: /graphql
  db: restheart
  collection: gql-apps
  # app cache can be disabled if needed, such as during testing or development
  app-cache-enabled: true
  # app cache entries are automatically revalidated every TTR milliseconds
  app-cache-ttr: 60_000 # in milliseconds
  # default-limit is used for queries that don't specify a limit
  default-limit: 100
  # max-limit is the maximum value for a Query limit
  max-limit: 1_000
  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  query-time-limit: 0 # in milliseconds
  verbose: false

# Automatically creates indexes on {"descriptor.uri":1} and {"descriptor.name":1}
# for GraphQL applications to improve query performance when fetching app definitions
# at scale. Enable if you have many GraphQL applications.
createIndexesOnGqlApps:
  enabled: false

# Proxied resources - expose external APIs with RESTHeart acting as a reverse proxy
# See https://restheart.org/docs/proxy
# options:#
#  - location (required) The location URI to bound to the HTTP proxied server.
#  - proxy-pass (required) The URL of the HTTP proxied server. It can be an array of URLs for load balancing.
#  - name (optional) The name of the proxy. It is required to identify 'restheart'.
#  - rewrite-host-header (optional, default true) should the HOST header be rewritten to use the target host of the call.
#  - connections-per-thread (optional, default 10) Controls the number of connections to create per thread.
#  - soft-max-connections-per-thread (optional, default 5) Controls the number of connections to create per thread.
#  - max-queue-size (optional, default 0) Controls the number of connections to create per thread.
#  - connections-ttl (optional, default -1) Connections Time to Live in seconds.
#  - problem-server-retry (optional, default 10) Time in seconds between retries for problem server.
proxies:
#   - location: /anything
#     proxy-pass: https://httpbin.org/anything
#     name: anything

# Static Web Resources - serve static files with RESTHeart acting a web server
# See https://restheart.org/docs/static-resources
static-resources:
#  - what: /path/to/resources
#    where: /static
#    welcome-file: index.html
#    embedded: false

# Service to GET and DELETE (invalidate) the user auth token generated by the TokenManager
authTokenService:
  uri: /tokens

# Simple ping service
# Must respond with HTTP 200 OK
# If enable-extended-response is true, returns the following JSON response
# {
#    "client_ip": "<caller ip>",
#    "host": "<hostname>",
#    "message": "Greetings from RESTHeart!",
#    "version": "<RESTHeart version>"
# }
ping:
  enabled: true
  msg: Greetings from RESTHeart!
  enable-extended-response: true

# Returns the roles of the authenticated user
roles:
  uri: /roles

# A global blacklist for mongodb operators in filter query parameter
filterOperatorsBlacklist:
  blacklist: [ "$where" ]
  enabled: true

# bruteForceAttackGuard defends from brute force password cracking attacks
# by returning `429 Too Many Requests` when more than
# `max-failed-attempts` requests with wrong credentials
# are received in last 10 seconds from the same ip
bruteForceAttackGuard:
  enabled: false
  # Max number of failed attempts in 10 seconds sliding window
  # before returning 429 Too Many Requests
  max-failed-attempts: 5
  # If true, the source ip is obtained from X-Forwarded-For header
  # this requires that header being set by the proxy, dangerous otherwise
  trust-x-forwarded-for: false
  # When X-Forwarded-For has multiple values,
  # take into account the n-th from last element
  # e.g. with [x.x.x.x, y.y.y.y., z.z.z.z, k.k.k.k]
  # 0 -> k.k.k.k
  # 2 -> y.y.y.y
  x-forwarded-for-value-from-last-element: 0

# Sets the X-Powered-By: restheart.org response header
xPoweredBy:
  enabled: true

# Sets the Date response header
dateHeader:
  enabled: true

# Logging
# See https://restheart.org/docs/logging
# Options:
# - log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# - log-to-console: true => log messages to the console (default value: true)
# - ansi-console: use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
# - log-to-file: true => log messages to a file (default value: false)
# - log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# - packages: only messages form these packages are logged, e.g. [ "org.restheart", "com.restheart", "io.undertow", "org.mongodb" ]
# - full-stacktrace: true to log the full stacktrace of exceptions
# - requests-log-mode: 0 => no log, 1 => light log, 2 => detailed dump (use 2 only for development, it can log credentials)
# - tracing-headers (default, empty = no tracing): add tracing HTTP headers (Use with %X{header-name} in logback.xml); see https://restheart.org/docs/auditing

logging:
  log-level: INFO
  log-to-console: true
  ansi-console: true
  log-to-file: false
  log-file-path: restheart.log
  packages: [ "org.restheart", "com.restheart" ]
  full-stacktrace: false
  requests-log-mode: 1
  tracing-headers:
  #  - x-b3-traceid      # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
  #  - x-b3-spanid
  #  - x-b3-parentspanid
  #  - x-b3-sampled      # ^^
  #  - uber-trace-id     # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
  #  - traceparent       # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
  #  - tracestate        # ^^

# Metrics see https://restheart.org/docs/metrics

metrics:
  enabled: true
  uri: /metrics

requestsMetricsCollector:
  enabled: false
  include: [ "/*" ]
  exclude: [ "/metrics", "/metrics/*" ]

jvmMetricsCollector:
  enabled: false

# Base configuration for core module
core:
  # The name of this instance. Displayed in log, also allows to implement instance specific custom code
  name: default

  # The directory containing the plugins jars.
  # The path is either absolute (starts with /) or relative to the restheart.jar file
  # Just add the plugins jar to plugins-directory and they will be automatically
  # added to the classpath and registered.
  plugins-directory: plugins

  # Limit the scanning of classes annotated with @RegisterPlugin
  # to the specified packages. It can speedup the boot time
  # in case of huge plugin jars. It is usually not required.
  # Use an empty array to not limit scanning.
  # Always add the package org.restheart to the list
  plugins-packages: []

  # Set to true for verbose logging of jar scanning for plugins
  plugins-scanning-verbose: false

  # Optionally define the base url of this instance
  # Useful when RESTHeart is mediated by a reverse proxy or an API gateway to determine the instance's correct URL
  base-url: null

  # Number of I/O threads created for non-blocking tasks. Suggested value: core.
  # If <= 0, use the number of cores.
  io-threads: 0

  # Initial number of platform carrier threads for executing worker virtual threads in blocking operations.
  # Suggested value: 1.5*core.
  # If <= 0, use 1.5 times the number of cores.
  workers-scheduler-parallelism: 0

  # Max number of platform carrier threads for executing worker virtual threads in blocking operations.
  workers-scheduler-max-pool-size: 256

  # Set to true to pool buffers for io-threads. buffers pooling is always disabled for virtual worker threads.
  buffers-pooling: true

  # Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
  # Setting to 1024 * 16 - 20; the 20 is to allow some space for getProtocol headers, see UNDERTOW-1209
  buffer-size: 16364

  # Specifies whether the buffer pool for I/O threads should use direct buffers.
  # Direct buffers enable the JVM to leverage native I/O operations if supported by the system.
  # Virtual working threads always use heap buffers because they are faster for their operations.
  direct-buffers: true

  # In order to save bandwidth, force requests to support the giz encoding (if not, requests will be rejected)
  force-gzip-encoding: false

  # true to allow unescaped characters in URL
  allow-unescaped-characters-in-url: true

# Connection Options
connection-options:
  # Enable HTTP/2 support
  # Note: HTTP2 as implemented by major browsers requires the use of TLS
  # How to enable TLS https://restheart.org/docs/security/tls/
  # How to check HTTP/2 protocol https://stackoverflow.com/a/54164719/4481670
  ENABLE_HTTP2: true

  # The maximum size of a HTTP header block, in bytes.
  # If a client sends more data that this as part of the request header then the connection will be closed.
  # Defaults to 1Mbyte.
  MAX_HEADER_SIZE: 1048576

  # The default maximum size of a request entity.
  # Defaults to unlimited.
  MAX_ENTITY_SIZE: -1

  #The default maximum size of the HTTP entity body when using the mutiltipart parser.
  # Generally this will be larger than MAX_ENTITY_SIZE
  # If this is not specified it will be the same as MAX_ENTITY_SIZE
  MULTIPART_MAX_ENTITY_SIZE: -1

  # The idle timeout in milliseconds after which the channel will be closed.
  # If the underlying channel already has a read or write timeout set
  # The smaller of the two values will be used for read/write timeouts.
  # Defaults to unlimited (-1).
  IDLE_TIMEOUT: -1

  # The maximum allowed time of reading HTTP request in milliseconds.
  # -1 or missing value disables this functionality.
  REQUEST_PARSE_TIMEOUT: -1

  # The amount of time the connection can be idle with no current requests
  # before it is closed;
  # Defaults to unlimited (-1).
  NO_REQUEST_TIMEOUT: -1

  # The maximum number of query parameters that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 1000.
  MAX_PARAMETERS: 1_000

  # The maximum number of headers that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.
  MAX_HEADERS: 200

  # The maximum number of cookies that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.
  MAX_COOKIES: 200

  # The charset to use to decode the URL and query parameters.
  # Defaults to UTF-8.
  URL_CHARSET: UTF-8

  # If this is true then a Connection: keep-alive header will be added to responses,
  # even when it is not strictly required by the specification.
  # Defaults to true
  ALWAYS_SET_KEEP_ALIVE: true