import logging from pydantic import Field, field_validator from pydantic_settings import BaseSettings class Settings(BaseSettings): PROJECT_NAME: str = "Syndarix" VERSION: str = "1.0.0" API_V1_STR: str = "/api/v1" # Environment (must be before SECRET_KEY for validation) ENVIRONMENT: str = Field( default="development", description="Environment: development, staging, or production", ) DEMO_MODE: bool = Field( default=False, description="Enable demo mode (relaxed security, demo users)", ) # Security: Content Security Policy # Set to False to disable CSP entirely (not recommended) # Set to True for strict CSP (blocks most external resources) # Set to "relaxed" for modern frontend development CSP_MODE: str = Field( default="relaxed", description="CSP mode: 'strict', 'relaxed', or 'disabled'" ) # Database configuration POSTGRES_USER: str = "postgres" POSTGRES_PASSWORD: str = "postgres" POSTGRES_HOST: str = "localhost" POSTGRES_PORT: str = "5432" POSTGRES_DB: str = "app" DATABASE_URL: str | None = None db_pool_size: int = 20 # Default connection pool size db_max_overflow: int = 50 # Maximum overflow connections db_pool_timeout: int = 30 # Seconds to wait for a connection db_pool_recycle: int = 3600 # Recycle connections after 1 hour # Redis configuration (Syndarix: cache, pub/sub, Celery broker) REDIS_URL: str = Field( default="redis://localhost:6379/0", description="Redis URL for cache, pub/sub, and Celery broker", ) # Celery configuration (Syndarix: background task processing) CELERY_BROKER_URL: str | None = Field( default=None, description="Celery broker URL (defaults to REDIS_URL if not set)", ) CELERY_RESULT_BACKEND: str | None = Field( default=None, description="Celery result backend URL (defaults to REDIS_URL if not set)", ) @property def celery_broker_url(self) -> str: """Get Celery broker URL, defaulting to Redis.""" return self.CELERY_BROKER_URL or self.REDIS_URL @property def celery_result_backend(self) -> str: """Get Celery result backend URL, defaulting to Redis.""" return self.CELERY_RESULT_BACKEND or self.REDIS_URL # SQL debugging (disable in production) sql_echo: bool = False # Log SQL statements sql_echo_pool: bool = False # Log connection pool events sql_echo_timing: bool = False # Log query execution times slow_query_threshold: float = 0.5 # Log queries taking longer than this @property def database_url(self) -> str: """ Get the SQLAlchemy database URL. If DATABASE_URL is explicitly set, use that. Otherwise, construct from components. """ if self.DATABASE_URL: return self.DATABASE_URL self.DATABASE_URL = f"postgresql://{self.POSTGRES_USER}:{self.POSTGRES_PASSWORD}@{self.POSTGRES_HOST}:{self.POSTGRES_PORT}/{self.POSTGRES_DB}" return self.DATABASE_URL # JWT configuration SECRET_KEY: str = Field( default="dev_only_insecure_key_change_in_production_32chars_min", min_length=32, description="JWT signing key. MUST be changed in production. Generate with: python -c 'import secrets; print(secrets.token_urlsafe(32))'", ) ALGORITHM: str = "HS256" ACCESS_TOKEN_EXPIRE_MINUTES: int = 15 # 15 minutes (production standard) REFRESH_TOKEN_EXPIRE_DAYS: int = 7 # 7 days # CORS configuration BACKEND_CORS_ORIGINS: list[str] = ["http://localhost:3000"] # Frontend URL for email links FRONTEND_URL: str = Field( default="http://localhost:3000", description="Frontend application URL for email links", ) # OAuth Configuration OAUTH_ENABLED: bool = Field( default=False, description="Enable OAuth authentication (social login)", ) OAUTH_AUTO_LINK_BY_EMAIL: bool = Field( default=True, description="Automatically link OAuth accounts to existing users with matching email", ) OAUTH_STATE_EXPIRE_MINUTES: int = Field( default=10, description="OAuth state parameter expiration time in minutes", ) # Google OAuth OAUTH_GOOGLE_CLIENT_ID: str | None = Field( default=None, description="Google OAuth client ID from Google Cloud Console", ) OAUTH_GOOGLE_CLIENT_SECRET: str | None = Field( default=None, description="Google OAuth client secret from Google Cloud Console", ) # GitHub OAuth OAUTH_GITHUB_CLIENT_ID: str | None = Field( default=None, description="GitHub OAuth client ID from GitHub Developer Settings", ) OAUTH_GITHUB_CLIENT_SECRET: str | None = Field( default=None, description="GitHub OAuth client secret from GitHub Developer Settings", ) # OAuth Provider Mode (for MCP clients - skeleton) OAUTH_PROVIDER_ENABLED: bool = Field( default=False, description="Enable OAuth provider mode (act as authorization server for MCP clients)", ) OAUTH_ISSUER: str = Field( default="http://localhost:8000", description="OAuth issuer URL (your API base URL)", ) @property def enabled_oauth_providers(self) -> list[str]: """Get list of enabled OAuth providers based on configured credentials.""" providers = [] if self.OAUTH_GOOGLE_CLIENT_ID and self.OAUTH_GOOGLE_CLIENT_SECRET: providers.append("google") if self.OAUTH_GITHUB_CLIENT_ID and self.OAUTH_GITHUB_CLIENT_SECRET: providers.append("github") return providers # Admin user FIRST_SUPERUSER_EMAIL: str | None = Field( default=None, description="Email for first superuser account" ) FIRST_SUPERUSER_PASSWORD: str | None = Field( default=None, description="Password for first superuser (min 12 characters)" ) @field_validator("SECRET_KEY") @classmethod def validate_secret_key(cls, v: str, info) -> str: """Validate SECRET_KEY is secure, especially in production.""" # Get environment from values if available values_data = info.data if info.data else {} env = values_data.get("ENVIRONMENT", "development") if v.startswith("your_secret_key_here"): if env == "production": raise ValueError( "SECRET_KEY must be set to a secure random value in production. " "Generate one with: python -c 'import secrets; print(secrets.token_urlsafe(32))'" ) # Warn in development but allow logger = logging.getLogger(__name__) logger.warning( "⚠️ Using default SECRET_KEY. This is ONLY acceptable in development. " "Generate a secure key with: python -c 'import secrets; print(secrets.token_urlsafe(32))'" ) if len(v) < 32: raise ValueError( "SECRET_KEY must be at least 32 characters long for security" ) return v @field_validator("FIRST_SUPERUSER_PASSWORD") @classmethod def validate_superuser_password(cls, v: str | None, info) -> str | None: """Validate superuser password strength.""" if v is None: return v # Get environment from values if available values_data = info.data if info.data else {} demo_mode = values_data.get("DEMO_MODE", False) if demo_mode: # In demo mode, allow specific weak passwords for demo accounts demo_passwords = {"Demo123!", "Admin123!"} if v in demo_passwords: return v if len(v) < 12: raise ValueError("FIRST_SUPERUSER_PASSWORD must be at least 12 characters") # Check for common weak passwords weak_passwords = { "admin123", "Admin123", "password123", "Password123", "123456789012", } if v in weak_passwords: raise ValueError( "FIRST_SUPERUSER_PASSWORD is too weak. " "Use a strong, unique password with mixed case, numbers, and symbols." ) # Basic strength check has_lower = any(c.islower() for c in v) has_upper = any(c.isupper() for c in v) has_digit = any(c.isdigit() for c in v) if not (has_lower and has_upper and has_digit): raise ValueError( "FIRST_SUPERUSER_PASSWORD must contain lowercase, uppercase, and digits" ) return v model_config = { "env_file": "../.env", "env_file_encoding": "utf-8", "case_sensitive": True, "extra": "ignore", # Ignore extra fields from .env (e.g., frontend-specific vars) } settings = Settings()