Changed environment variable names for auth settings.

.env.example

@@ -7,14 +7,14 @@ ADDRESS=0.0.0.0
 GC_INTERVAL=10
 GC_ENABLED=true
 MULTIPART_RETENTION_HOURS=24
-AUTH_ENABLED=false
-AUTH_REGION=us-east-1
-AUTH_SKEW_SECONDS=300
-AUTH_MAX_PRESIGN_SECONDS=86400
-# When AUTH_ENABLED=true you MUST set AUTH_MASTER_KEY to a strong random value, e.g.:
+FS_AUTH_ENABLED=false
+FS_AUTH_REGION=us-east-1
+FS_AUTH_CLOCK_SKEW_SECONDS=300
+FS_AUTH_MAX_PRESIGN_SECONDS=86400
+# When FS_AUTH_ENABLED=true you MUST set FS_MASTER_KEY to a strong random value, e.g.:
 #   openssl rand -base64 32
-AUTH_MASTER_KEY=REPLACE_WITH_SECURE_RANDOM_KEY
-AUTH_BOOTSTRAP_ACCESS_KEY=
-AUTH_BOOTSTRAP_SECRET_KEY=
-AUTH_BOOTSTRAP_POLICY=
+FS_MASTER_KEY=REPLACE_WITH_SECURE_RANDOM_KEY
+FS_ROOT_USER=
+FS_ROOT_PASSWORD=
+FS_ROOT_POLICY_JSON=
 ADMIN_API_ENABLED=true

README.md

@@ -44,9 +44,9 @@ Admin API (JSON):
 
 ## Auth Setup
 
-Required when `AUTH_ENABLED=true`:
-- `AUTH_MASTER_KEY` must be base64 for 32 decoded bytes (AES-256 key), e.g. `openssl rand -base64 32`
-- `AUTH_BOOTSTRAP_ACCESS_KEY` and `AUTH_BOOTSTRAP_SECRET_KEY` define initial credentials
+Required when `FS_AUTH_ENABLED=true`:
+- `FS_MASTER_KEY` must be base64 for 32 decoded bytes (AES-256 key), e.g. `openssl rand -base64 32`
+- `FS_ROOT_USER` and `FS_ROOT_PASSWORD` define initial credentials
 - `ADMIN_API_ENABLED=true` enables `/_admin/v1/*` routes (bootstrap key only)
 
 Reference: `auth/README.md`

auth/README.md

@@ -40,18 +40,18 @@ This folder implements S3-compatible request authentication using AWS Signature
 ## Config Model
 Auth is configured through env (read in `utils/config.go`, converted in `auth/config.go`):
 
-- `AUTH_ENABLED`
-- `AUTH_REGION`
-- `AUTH_SKEW_SECONDS`
-- `AUTH_MAX_PRESIGN_SECONDS`
-- `AUTH_MASTER_KEY`
-- `AUTH_BOOTSTRAP_ACCESS_KEY`
-- `AUTH_BOOTSTRAP_SECRET_KEY`
-- `AUTH_BOOTSTRAP_POLICY` (optional JSON)
+- `FS_AUTH_ENABLED`
+- `FS_AUTH_REGION`
+- `FS_AUTH_CLOCK_SKEW_SECONDS`
+- `FS_AUTH_MAX_PRESIGN_SECONDS`
+- `FS_MASTER_KEY`
+- `FS_ROOT_USER`
+- `FS_ROOT_PASSWORD`
+- `FS_ROOT_POLICY_JSON` (optional JSON)
 
 Important:
-- If `AUTH_ENABLED=true`, `AUTH_MASTER_KEY` is required.
-- `AUTH_MASTER_KEY` must be base64 that decodes to exactly 32 bytes (AES-256 key).
+- If `FS_AUTH_ENABLED=true`, `FS_MASTER_KEY` is required.
+- `FS_MASTER_KEY` must be base64 that decodes to exactly 32 bytes (AES-256 key).
 
 ## Persistence Model (bbolt)
 Implemented in metadata layer:
@@ -75,7 +75,7 @@ If bootstrap env key/secret are set:
 - secret is encrypted with AES-GCM and stored
 - policy is created:
   - default: full access (`s3:*`, `bucket=*`, `prefix=*`)
-  - or overridden by `AUTH_BOOTSTRAP_POLICY`
+  - or overridden by `FS_ROOT_POLICY_JSON`
 
 ## Request Authentication Flow
 For each non-health request:
@@ -87,8 +87,8 @@ For each non-health request:
   - region must match config
 3. Validate time:
   - `x-amz-date` format
-  - skew within `AUTH_SKEW_SECONDS`
-  - presigned expiry within `AUTH_MAX_PRESIGN_SECONDS`
+  - skew within `FS_AUTH_CLOCK_SKEW_SECONDS`
+  - presigned expiry within `FS_AUTH_MAX_PRESIGN_SECONDS`
 4. Load identity by access key id.
 5. Ensure identity status is active.
 6. Decrypt stored secret using master key.
@@ -133,7 +133,7 @@ Each audit entry includes method, path, remote IP, and request ID (if present).
 - Secret keys are recoverable by server design (required for SigV4 verification).
 - They are encrypted at rest, not hashed.
 - Master key rotation is not implemented yet.
-- Keep `AUTH_MASTER_KEY` protected (secret manager/systemd env file/etc.).
+- Keep `FS_MASTER_KEY` protected (secret manager/systemd env file/etc.).
 
 ## Current Scope / Limitations
 - No STS/session-token auth yet.

utils/config.go

@@ -48,14 +48,14 @@ func NewConfig() *Config {
 		MultipartCleanupRetention: time.Duration(
 			envIntRange("MULTIPART_RETENTION_HOURS", 24, 1, 24*30),
 		) * time.Hour,
-		AuthEnabled:            envBool("AUTH_ENABLED", false),
-		AuthRegion:             firstNonEmpty(strings.TrimSpace(os.Getenv("AUTH_REGION")), "us-east-1"),
-		AuthSkew:               time.Duration(envIntRange("AUTH_SKEW_SECONDS", 300, 30, 3600)) * time.Second,
-		AuthMaxPresign:         time.Duration(envIntRange("AUTH_MAX_PRESIGN_SECONDS", 86400, 60, 86400)) * time.Second,
-		AuthMasterKey:          strings.TrimSpace(os.Getenv("AUTH_MASTER_KEY")),
-		AuthBootstrapAccessKey: strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_ACCESS_KEY")),
-		AuthBootstrapSecretKey: strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_SECRET_KEY")),
-		AuthBootstrapPolicy:    strings.TrimSpace(os.Getenv("AUTH_BOOTSTRAP_POLICY")),
+		AuthEnabled:            envBool("FS_AUTH_ENABLED", false),
+		AuthRegion:             firstNonEmpty(strings.TrimSpace(os.Getenv("FS_AUTH_REGION")), "us-east-1"),
+		AuthSkew:               time.Duration(envIntRange("FS_AUTH_CLOCK_SKEW_SECONDS", 300, 30, 3600)) * time.Second,
+		AuthMaxPresign:         time.Duration(envIntRange("FS_AUTH_MAX_PRESIGN_SECONDS", 86400, 60, 86400)) * time.Second,
+		AuthMasterKey:          strings.TrimSpace(os.Getenv("FS_MASTER_KEY")),
+		AuthBootstrapAccessKey: strings.TrimSpace(os.Getenv("FS_ROOT_USER")),
+		AuthBootstrapSecretKey: strings.TrimSpace(os.Getenv("FS_ROOT_PASSWORD")),
+		AuthBootstrapPolicy:    strings.TrimSpace(os.Getenv("FS_ROOT_POLICY_JSON")),
 		AdminAPIEnabled:        envBool("ADMIN_API_ENABLED", true),
 	}