Catalyst-Plugin-OpenIDConnect

DEPLOYMENT.md


```sql
CREATE INDEX idx_auth_code_code ON auth_codes(code);
CREATE INDEX idx_auth_code_expires ON auth_codes(expires_at);
CREATE INDEX idx_session_user ON sessions(user_id);
CREATE INDEX idx_session_created ON sessions(created_at);
```

### Connection Pooling

```perl
<Model::DB>
    <connect_info>
        <0>
            dbi:Pg:dbname=oidc;host=localhost
        </0>
        <1>
            postgres
        </1>
        <2>
            password
        </2>
        <3>
            {
                AutoCommit = 1
                RaiseError = 1
                PrintError = 0
                pg_enable_utf8 = 1
            }
        </3>
    </connect_info>
    <storage>
        <0>pg</0>
        <1></1>
        <2>
            {
                pool_type = Static
                pool_size = 10
            }
        </2>
    </storage>
</Model::DB>
```

## Backup and Recovery

### Database Backups

```bash
# Daily backup
0 2 * * * /usr/bin/pg_dump -U postgres oidc | gzip > /backups/oidc-$(date +\%Y\%m\%d).sql.gz

# Keep 30 days of backups
find /backups -name 'oidc-*.sql.gz' -mtime +30 -delete
```

### Key Backups

```bash
# Encrypt the key straight into the backup location (no plaintext copy is written there)
gpg --encrypt --recipient <key-id> \
    --output /secure/backup/private-$(date +%Y%m%d).pem.gpg /secure/path/private.pem
```

## Troubleshooting

### Common Issues

**Tokens Invalid After Key Rotation**
- Ensure both old and new keys are published in JWKS during rotation period
- Clients need time to receive updated keys

**Token Verification Fails**
- Check clock skew (sync NTP on all servers)
- Verify issuer URL matches configuration
- Ensure token hasn't expired
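
The checks in the two items above can be scripted for first-pass triage. This is an added example, not part of the plugin or its documentation; it reads the token's header and claims without verifying the signature, and the function names, finding labels, issuer URL and `kid` values are assumptions made for the illustration.

```python
import base64, json, time

def _b64url_decode(seg):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def diagnose_token(token, jwks, expected_issuer, now=None, skew=60):
    """Triage only: reads claims WITHOUT verifying the signature."""
    now = time.time() if now is None else now
    try:
        head_seg, body_seg, _sig = token.split(".")
        header = json.loads(_b64url_decode(head_seg))
        claims = json.loads(_b64url_decode(body_seg))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError):
        return ["malformed: not a three-part compact JWT"]
    findings = []
    published = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in published:
        findings.append("kid-not-in-jwks: signing key missing from JWKS (rotation overlap?)")
    if claims.get("iss") != expected_issuer:
        findings.append("issuer-mismatch: iss differs from configured issuer URL")
    exp, iat = claims.get("exp"), claims.get("iat")
    if isinstance(exp, (int, float)):
        if exp < now - skew:
            findings.append("expired: exp is past even allowing for skew")
        elif exp < now:
            findings.append("clock-skew: exp inside the skew window, check NTP")
    if isinstance(iat, (int, float)) and iat > now + skew:
        findings.append("clock-skew: iat is in the future, check NTP")
    return findings

def make_sample(header, claims):
    # Constructed, unsigned sample token for the demo (the signature part is a dummy).
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is reproducible
    jwks = {"keys": [{"kid": "2024-new", "kty": "RSA"}]}  # old key already dropped
    tok = make_sample({"alg": "RS256", "kid": "2023-old"},
                      {"iss": "https://idp.example.com/", "iat": NOW - 300, "exp": NOW + 3300})
    for finding in diagnose_token(tok, jwks, "https://idp.example.com", now=NOW):
        print(finding)
```

An empty result only means these claims look consistent; the relying party must still verify the signature against the published key.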

**CORS Errors**
- Add appropriate `Access-Control-*` headers
- Check allowed origins in frontend configuration

**Session Loss**
- Verify session storage is persistent (not in-memory)
- Check session cookie settings (Secure, HttpOnly)
- Check session expiration time

**`invalid_grant` errors under FastCGI / pre-forking server**
- The default in-memory store is per-process; codes created in one worker are
  not visible to others. Switch to the Redis store (see [Redis Store](#redis-store-fastcgi-and-multi-process-deployments)).

**Redis connection refused at startup**
- The Redis connection is lazy — it is opened on the first request, not at boot.
  Connection errors appear in request logs, not startup logs. Verify Redis is
  reachable with `redis-cli -h <host> ping` from the application host.

**`Neither Redis::Fast nor Redis is installed`**
- Install one of the Redis Perl clients: `cpanm Redis::Fast` (preferred) or
  `cpanm Redis`.

## Maintenance

### Regular Tasks

1. **Daily**: Monitor error logs, check application health
2. **Weekly**: Review failed authentication attempts
3. **Monthly**: Check performance metrics, update dependencies
4. **Quarterly**: Security audit, penetration testing
5. **Annually**: Key rotation, compliance review

### Update Procedure

```bash
# Test updates in staging first
cpanm -n --installdeps .

# Back up database
pg_dump oidc > oidc-$(date +%Y%m%d).sql

# Update code
git pull origin main

# Restart application


