v2 optimise performance + security (#466)

* Update project struct

* fix: modify models

* fix: config & deps

- data_store
- memory_store
- events

* update twilio provider

* feat: add common config + jwt provider

* fix: warning

* fix: setup dependency injection

* chore: update all services

* chore: update graphql + http handler

* chore: fix remove logrus

* chore: add logs for gql

* chore: update encryption and make clientID & secret required

* chore: fix db tests

* chore: fix couchbase db test

* chore: add test for memory store

* chore: add test for magic link login

* chore: add test for logout

* chore: add test for update profile

* chore: add test for verify email

* chore: add test for resend verify email

* chore: add test for forgot password

* chore: add admin login and update user

* chore: add reset password test

* chore: add test for revoke gql

* chore: fix http handler

* chore add test for verify otp

* chore: add test for resend otp

* chore: add test for account deactivation

* added admin integration tests

* chore: add session test

* chore: add profile test

* chore: standardize params

* chore: add test for validate session

* chore: add oauth config

* chore: add logs deps

* chore: fix add jwk config

* chore: fix context

* chore: update web apps

* chore: delete node_modules

* chore: update gitignore

* chore: fix vulnerabilities

* fix docker build

* chore: use db as memory store provider

* chore: update the storage session provider requirement

* chore: update tests

* chore: fix dashboard

* chore: update migration.md

* chore: update migration.md

---------

Co-authored-by: lemonnn-8 <pani.anand90@gmail.com>

Author: lakhansamani

.claude/settings.local.json

@@ -0,0 +1,11 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(go test:*)",
+      "Bash(docker exec:*)",
+      "Bash(go build:*)",
+      "Bash(docker rm:*)",
+      "Bash(docker run:*)"
+    ]
+  }
+}

.dockerignore

@@ -7,6 +7,12 @@ ROADMAP.md
 build
 .env
 data.db
-app/node_modules
-app/build
+web/app/node_modules
+web/app/build
+web/app/.vite
+web/dashboard/node_modules
+web/dashboard/build
+web/dashboard/.vite
 certs/
+*.log
+.DS_Store

.env.sample

@@ -1,5 +1,21 @@
-ENV=production
-DATABASE_URL=data.db
-DATABASE_TYPE=sqlite
-CUSTOM_ACCESS_TOKEN_SCRIPT="function(user,tokenPayload){var data = tokenPayload;data.extra = {'x-extra-id': user.id};return data;}"
-DISABLE_PLAYGROUND=true
+# Authorizer v2 - Configuration Reference
+#
+# v2 does NOT read from .env. All configuration must be passed via CLI arguments
+# when starting the server. This file serves as a reference for mapping env vars
+# to CLI flags. See MIGRATION.md for the full mapping.
+#
+# Example: ./authorizer --database-type=sqlite --database-url=data.db \
+#   --client-id=... --client-secret=... --admin-secret=...
+#
+# v1 env var          → v2 CLI flag
+# -----------------   → -------------------
+# ENV                 → --env
+# DATABASE_TYPE       → --database-type
+# DATABASE_URL        → --database-url
+# CLIENT_ID           → --client-id (required)
+# CLIENT_SECRET       → --client-secret (required)
+# ADMIN_SECRET        → --admin-secret
+# JWT_TYPE            → --jwt-type
+# JWT_SECRET          → --jwt-secret
+# DISABLE_PLAYGROUND  → --enable-playground=false
+# CUSTOM_ACCESS_TOKEN_SCRIPT → --custom-access-token-script

.env.test

@@ -1,15 +1,28 @@
-ENV=test
-DATABASE_URL=test.db
-DATABASE_TYPE=sqlite
-CUSTOM_ACCESS_TOKEN_SCRIPT="function(user,tokenPayload){var data = tokenPayload;data.extra = {'x-extra-id': user.id};return data;}"
-SMTP_HOST=smtp.mailtrap.io
-SMTP_PORT=2525
-SMTP_USERNAME=test
-SMTP_PASSWORD=test
-SENDER_EMAIL="info@authorizer.dev"
-TWILIO_API_KEY=test
-TWILIO_API_SECRET=test
-TWILIO_ACCOUNT_SID=ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-TWILIO_SENDER=909921212112
-SENDER_NAME="Authorizer"
-AWS_REGION=ap-south-1
+# Authorizer v2 - Test Configuration Reference
+#
+# v2 does NOT read from .env. For integration tests, config is set in
+# internal/integration_tests/test_helper.go (getTestConfig()).
+#
+# This file documents typical test env values for reference when running
+# the server manually with test settings. Use CLI flags:
+#
+# go run main.go --database-type=sqlite --database-url=test.db \
+#   --jwt-type=HS256 --jwt-secret=test --admin-secret=admin \
+#   --client-id=123456 --client-secret=secret
+#
+# v1 env vars (reference only):
+# ENV=test
+# DATABASE_URL=test.db
+# DATABASE_TYPE=sqlite
+# ADMIN_SECRET=admin
+# SMTP_HOST=smtp.mailtrap.io
+# SMTP_PORT=2525
+# SMTP_USERNAME=test
+# SMTP_PASSWORD=test
+# SENDER_EMAIL=info@authorizer.dev
+# SENDER_NAME=Authorizer
+# TWILIO_ACCOUNT_SID=ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# TWILIO_API_KEY=test
+# TWILIO_API_SECRET=test
+# TWILIO_SENDER=909921212112
+# AWS_REGION=ap-south-1

.github/CONTRIBUTING.md

@@ -32,68 +32,61 @@ Please ask as many questions as you need, either directly in the issue or on [Di
 
 ### Prerequisites
 
-- OS: Linux or macOS or windows
-- Go: (Golang)(https://golang.org/dl/) >= v1.15
+- OS: Linux or macOS or Windows
+- [Go](https://golang.org/dl/) >= 1.24 (see `go.mod`)
+- [Node.js](https://nodejs.org/) >= 18 and npm (only if building web app or dashboard)
 
 ### Familiarize yourself with Authorizer
 
 1. [Architecture of Authorizer](http://docs.authorizer.dev/)
 2. [GraphQL APIs](https://docs.authorizer.dev/core/graphql-api/)
+3. [Migration Guide (v1 → v2)](../MIGRATION.md) – v2 uses CLI-based configuration
 
 ### Project Setup for Authorizer core
 
 1. Fork the [authorizer](https://github.com/authorizerdev/authorizer) repository (**Skip this step if you have access to repo**)
 2. Clone repo: `git clone https://github.com/authorizerdev/authorizer.git` or use the forked url from step 1
-3. Change directory to authorizer: `cd authorizer`
-4. Create Env file `cp .env.sample .env`. Check all the supported env [here](https://docs.authorizer.dev/core/env/)
-5. Build Dashboard `make build-dashboard`
-6. Build App `make build-app`
-7. Build Server `make clean && make`
-   > Note: if you don't have [`make`](https://www.ibm.com/docs/en/aix/7.2?topic=concepts-make-command), you can `cd` into `server` dir and build using the `go build` command. In that case you will have to build `dashboard` & `app` manually using `npm run build` on both dirs.
-8. Run binary `./build/server`
+3. Change directory: `cd authorizer`
+4. Build the server: `make build` (or `go build -o build/authorizer .`)
+5. (Optional) Build the web app and dashboard: `make build-app` and `make build-dashboard`
+6. Run locally: `make dev` (uses SQLite and demo secrets for development)
+
+> **v2:** The server does **not** read from `.env`. All configuration is passed via CLI arguments. See [MIGRATION.md](../MIGRATION.md).
 
 ### Updating GraphQL schema
 
-- Modify `server/graph/schema.graphqls` file
-- Run `make generate-graphql` this will update the models and required methods
-- If a new mutation or query is added
-  - Write the implementation for the new resolver in `server/resolvers/NEW_RESOLVER.GO`
-  - Update `server/graph/schema.resolvers.go` with the new resolver method
+- Modify `internal/graph/schema.graphqls` (or other files in `internal/graph/`)
+- Run `make generate-graphql` to regenerate models and resolvers
+- If a new mutation or query is added, implement the resolver in `internal/graph/` (resolver layout follows schema)
 
 ### Adding support for new database
 
 - Run `make generate-db-template dbname=NEW_DB_NAME`
-  eg `make generate-db-template dbname=dynamodb`
+  - e.g. `make generate-db-template dbname=dynamodb`
 
-This command will generate a folder in server/db/providers/ with name specified in the above command.
-One will have to implement methods present in that folder.
+This generates a folder in `internal/storage/db/` with the specified name. Implement the methods in that folder.
 
-> Note: Connection for database and schema changes are written in `server/db/providers/DB_NAME/provider.go` > `NewProvider` method is called for any given db based on the env variables present.
+> Note: Database connection and schema changes are in `internal/storage/db/DB_NAME/provider.go`; `NewProvider` is called for the configured database type.
 
 ### Testing
 
-Make sure you test before creating PR.
-
-If you want to test for all the databases that authorizer supports you will have to run `mongodb` & `arangodb` instances locally.
+Make sure you test before creating a PR.
 
-Setup mongodb & arangodb using Docker
+The main `make test` target spins up Postgres, Redis, ScyllaDB, MongoDB, ArangoDB, DynamoDB, and Couchbase via Docker, runs the Go test suite, then tears down containers.
 
-```
-docker run --name mongodb -d -p 27017:27017 mongo
+For local development without full DB matrix:
 
-// -e ARANGO_ROOT_PASSWORD=root
-docker run --name arangodb -d -p 8529:8529 -e ARANGO_NO_AUTH=1 arangodb/arangodb:3.8.4
+```sh
+make dev   # run server for manual testing
+go test -v ./...   # run tests (requires Docker for full suite)
 ```
 
-> Note: If you are not making any changes in db schema / db operations, you can disable those db tests [here](https://github.com/authorizerdev/authorizer/blob/main/server/__test__/resolvers_test.go#L14)
-
-If you are adding new resolver,
+If you are adding a new resolver:
 
-1. create new resolver test file [here](https://github.com/authorizerdev/authorizer/tree/main/server/__test__)
-   Naming convention filename: `resolver_name_test.go` function name: `resolverNameTest(t *testing.T, s TestSetup)`
-2. Add your tests [here](https://github.com/authorizerdev/authorizer/blob/main/server/__test__/resolvers_test.go#L38)
+1. Create a new test file in `internal/integration_tests/` (naming: `resolver_name_test.go`)
+2. Follow the existing pattern using `getTestConfig()` and `initTestSetup()`
 
-**Command to run tests:**
+**Command to run full test suite:**
 
 ```sh
 make test

.github/workflows/release.yaml

@@ -22,82 +22,80 @@ jobs:
     name: Release Authorizer
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: '16'
-      - # Add support for more platforms with QEMU (optional)
-        # https://github.com/docker/setup-qemu-action
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+          node-version: '20'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           platforms: linux/amd64,linux/arm64
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v5
         with:
-          go-version: '^1.19.1'
+          go-version: '1.24'
       - name: Install dependencies
         run: |
-          sudo apt-get install build-essential wget zip  libc6-dev-arm64-cross && \
-          echo "/usr/bin/x86_64-w64-mingw32-gcc" >> GITHUB_PATH && \
+          sudo apt-get install -y build-essential wget zip && \
           wget --no-check-certificate --progress=dot:mega https://github.com/wangyoucao577/assets-uploader/releases/download/v0.3.0/github-assets-uploader-v0.3.0-linux-amd64.tar.gz -O github-assets-uploader.tar.gz && \
           tar -zxf github-assets-uploader.tar.gz && \
           sudo mv github-assets-uploader /usr/sbin/ && \
-          sudo rm -f github-assets-uploader.tar.gz && \
-          github-assets-uploader -version && \
-          make build-app && \
+          rm -f github-assets-uploader.tar.gz && \
+          github-assets-uploader -version
+      - name: Build web app and dashboard
+        run: |
+          make build-app
           make build-dashboard
-      - name: Print Go paths
-        run: whereis go
-      - name: Print Go Version
-        run: go version
       - name: Install gox
         run: go install github.com/mitchellh/gox@latest
       - name: Set VERSION env
         run: echo VERSION=$(basename ${GITHUB_REF}) >> ${GITHUB_ENV}
-      - name: Copy .env file
-        run: mv .env.sample .env
       - name: Build package
         run: |
-          make clean && \
-          make build && \
-          mkdir -p authorizer-${VERSION}-darwin-arm64/build authorizer-${VERSION}-darwin-arm64/app authorizer-${VERSION}-darwin-arm64/dashboard && cp build/darwin/arm64/server authorizer-${VERSION}-darwin-arm64/build/ && cp .env authorizer-${VERSION}-darwin-arm64/.env && cp -rf app/build authorizer-${VERSION}-darwin-arm64/app/build && cp -rf templates authorizer-${VERSION}-darwin-arm64/ && cp -rf dashboard/build authorizer-${VERSION}-darwin-arm64/dashboard/build && tar cvfz authorizer-${VERSION}-darwin-arm64.tar.gz authorizer-${VERSION}-darwin-arm64 && \
-          mkdir -p authorizer-${VERSION}-darwin-amd64/build authorizer-${VERSION}-darwin-amd64/app authorizer-${VERSION}-darwin-amd64/dashboard && cp build/darwin/amd64/server authorizer-${VERSION}-darwin-amd64/build/ && cp .env authorizer-${VERSION}-darwin-amd64/.env && cp -rf app/build authorizer-${VERSION}-darwin-amd64/app/build && cp -rf templates authorizer-${VERSION}-darwin-amd64/ && cp -rf dashboard/build authorizer-${VERSION}-darwin-amd64/dashboard/build && tar cvfz authorizer-${VERSION}-darwin-amd64.tar.gz authorizer-${VERSION}-darwin-amd64 && \
-          mkdir -p authorizer-${VERSION}-linux-amd64/build authorizer-${VERSION}-linux-amd64/app authorizer-${VERSION}-linux-amd64/dashboard && cp build/linux/amd64/server authorizer-${VERSION}-linux-amd64/build/ && cp .env authorizer-${VERSION}-linux-amd64/.env && cp -rf app/build authorizer-${VERSION}-linux-amd64/app/build && cp -rf templates authorizer-${VERSION}-linux-amd64/ && cp -rf dashboard/build authorizer-${VERSION}-linux-amd64/dashboard/build && tar cvfz authorizer-${VERSION}-linux-amd64.tar.gz authorizer-${VERSION}-linux-amd64 && \
-          mkdir -p authorizer-${VERSION}-linux-arm64/build authorizer-${VERSION}-linux-arm64/app authorizer-${VERSION}-linux-arm64/dashboard && cp build/linux/arm64/server authorizer-${VERSION}-linux-arm64/build/ && cp .env authorizer-${VERSION}-linux-arm64/.env && cp -rf app/build authorizer-${VERSION}-linux-arm64/app/build && cp -rf templates authorizer-${VERSION}-linux-arm64/ && cp -rf dashboard/build authorizer-${VERSION}-linux-arm64/dashboard/build && tar cvfz authorizer-${VERSION}-linux-arm64.tar.gz authorizer-${VERSION}-linux-arm64 && \
-          mkdir -p authorizer-${VERSION}-windows-amd64/build authorizer-${VERSION}-windows-amd64/app authorizer-${VERSION}-windows-amd64/dashboard && cp build/windows/amd64/server.exe authorizer-${VERSION}-windows-amd64/build/ && cp .env authorizer-${VERSION}-windows-amd64/.env && cp -rf app/build authorizer-${VERSION}-windows-amd64/app/build && cp -rf templates authorizer-${VERSION}-windows-amd64/ && cp -rf dashboard/build authorizer-${VERSION}-windows-amd64/dashboard/build && zip -vr authorizer-${VERSION}-windows-amd64.zip authorizer-${VERSION}-windows-amd64
+          make clean
+          make build
+          for arch in darwin-arm64 darwin-amd64 linux-amd64 linux-arm64; do
+            os=$(echo $arch | cut -d- -f1)
+            cpu=$(echo $arch | cut -d- -f2)
+            dir=authorizer-${VERSION}-${arch}
+            mkdir -p $dir/web/app $dir/web/dashboard $dir/web/templates
+            cp build/${os}/${cpu}/authorizer $dir/
+            cp .env.sample $dir/
+            cp -rf web/app/build $dir/web/app/
+            cp -rf web/app/favicon_io $dir/web/app/
+            cp -rf web/dashboard/build $dir/web/dashboard/
+            cp -rf web/dashboard/favicon_io $dir/web/dashboard/
+            cp -rf web/dashboard/public $dir/web/dashboard/ 2>/dev/null || true
+            cp -rf web/templates/* $dir/web/templates/
+            tar cvfz authorizer-${VERSION}-${arch}.tar.gz $dir
+          done
       - name: Upload assets
         run: |
           github-assets-uploader -f authorizer-${VERSION}-darwin-arm64.tar.gz -mediatype application/gzip -repo authorizerdev/authorizer -token ${{secrets.RELEASE_TOKEN}} -tag ${VERSION}
           github-assets-uploader -f authorizer-${VERSION}-darwin-amd64.tar.gz -mediatype application/gzip -repo authorizerdev/authorizer -token ${{secrets.RELEASE_TOKEN}} -tag ${VERSION}
           github-assets-uploader -f authorizer-${VERSION}-linux-amd64.tar.gz -mediatype application/gzip -repo authorizerdev/authorizer -token ${{secrets.RELEASE_TOKEN}} -tag ${VERSION}
           github-assets-uploader -f authorizer-${VERSION}-linux-arm64.tar.gz -mediatype application/gzip -repo authorizerdev/authorizer -token ${{secrets.RELEASE_TOKEN}} -tag ${VERSION}
-          github-assets-uploader -f authorizer-${VERSION}-windows-amd64.zip -mediatype application/zip -repo authorizerdev/authorizer -token ${{secrets.RELEASE_TOKEN}} -tag ${VERSION}
       - name: Log in to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
-          images: lakhansamani/authorizer
+          images: authorizerdev/authorizer
           tags: |
-            type=schedule
-            type=ref,event=branch
             type=ref,event=tag
             type=ref,event=pr
-
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
           build-args: |
-            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            VERSION=${{ env.VERSION }}

.gitignore

@@ -1,10 +1,10 @@
 server/server
 server/.env
 data
-app/node_modules
-app/build
-dashboard/node_modules
-dashboard/build
+web/app/node_modules
+web/app/build
+web/dashboard/node_modules
+web/dashboard/build
 build
 .env
 data.db
@@ -20,4 +20,5 @@ certs/
 *-wal
 .idea
 *.iml
-*.code-workspace
+node_modules/*
+*.code-workspace

CHANGELOG.md

@@ -0,0 +1,61 @@
+# Changelog
+
+All notable changes to Authorizer will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.0.0] - 2025-02-28
+
+### Added
+
+- **CLI-based configuration**: All configuration is now passed at server start via CLI root arguments. No env store in cache or database.
+- **New security flags**:
+  - `--disable-admin-header-auth`: When `true`, server does not accept `X-Authorizer-Admin-Secret` header; only secure admin cookie is honored. Recommended for production.
+  - `--enable-graphql-introspection`: Controls GraphQL introspection on `/graphql` (default `true`; set `false` for hardened production).
+- **Metrics endpoint**: Metrics server on port 8081 (configurable via `--metrics-port`).
+- **Restructured project layout**:
+  - Root-level `main.go` and `cmd/` for CLI
+  - `internal/` for core packages (config, graph, storage, etc.)
+  - `web/app` and `web/dashboard` for embedded UIs
+  - `web/templates` for HTML templates
+- **Build outputs**: Binary named `authorizer`; output to `build/<os>/<arch>/authorizer`.
+- **Docker improvements**:
+  - Multi-arch builds (linux/amd64, linux/arm64)
+  - `ENTRYPOINT [ "./authorizer" ]` for passing CLI args at runtime
+  - Alpine 3.23 base images
+- **Makefile targets**: `make dev`, `make bootstrap`, `make build-local-image`, `make build-push-image`.
+
+### Changed
+
+- **BREAKING**: Configuration is no longer read from `.env` or OS environment variables. Pass config via CLI flags.
+- **BREAKING**: `--client-id` and `--client-secret` are **required**; server exits if missing.
+- **BREAKING**: Deprecated mutations `_admin_signup`, `_update_env`, `_generate_jwt_keys` now return errors directing users to configure via CLI.
+- **BREAKING**: Dashboard cannot update server configuration. Admin secret, JWT keys, and all env must be set at startup.
+- **BREAKING**: Flag names use kebab-case (e.g. `--database-url` instead of `database_url`).
+- **BREAKING**: Some inverted boolean flags (e.g. `DISABLE_LOGIN_PAGE` → `--enable-login-page` with `false` to disable).
+- **BREAKING**: Go version requirement: >= 1.24 (see `go.mod`).
+- **BREAKING**: Node.js >= 18 for web app and dashboard builds.
+- Database provider template path: `internal/storage/db/provider_template` (was `server/db/providers/provider_template`).
+- GraphQL schema and resolvers moved to `internal/graph/`.
+- Tests moved to `internal/integration_tests/`; run with `go test -v ./...` from repo root.
+
+### Deprecated
+
+- `database_url`, `database_type`, `log_level`, `redis_url` flags (use kebab-case `--database-url`, etc.).
+- `env_file` flag (no longer supported).
+
+### Fixed
+
+- Corrected Makefile `generate-db-template` and DB-specific test targets to use current project structure.
+- Docker build and release workflow updated for v2 layout and binary name.
+
+### Migration
+
+See [MIGRATION.md](MIGRATION.md) for a detailed guide from v1 to v2.
+
+---
+
+## [1.x] - Legacy
+
+Authorizer v1 used environment-based configuration stored in cache/DB and configurable via dashboard or `_update_env` mutation. For v1 documentation, see [docs.authorizer.dev](https://docs.authorizer.dev/) and the [v1 release branch](https://github.com/authorizerdev/authorizer).