from pydantic_settings import BaseSettings from pydantic import field_validator from typing import List, Optional import os class Settings(BaseSettings): # Database MYSQL_HOST: str = "localhost" MYSQL_PORT: int = 3306 MYSQL_USER: str = "root" MYSQL_PASSWORD: str = "" MYSQL_DATABASE: str = "pjctrl" @property def DATABASE_URL(self) -> str: return f"mysql+pymysql://{self.MYSQL_USER}:{self.MYSQL_PASSWORD}@{self.MYSQL_HOST}:{self.MYSQL_PORT}/{self.MYSQL_DATABASE}" # Redis REDIS_HOST: str = "localhost" REDIS_PORT: int = 6379 REDIS_DB: int = 0 @property def REDIS_URL(self) -> str: return f"redis://{self.REDIS_HOST}:{self.REDIS_PORT}/{self.REDIS_DB}" # JWT - Must be set in environment, no default allowed JWT_SECRET_KEY: str = "" JWT_ALGORITHM: str = "HS256" JWT_EXPIRE_MINUTES: int = 10080 # 7 days @field_validator("JWT_SECRET_KEY") @classmethod def validate_jwt_secret_key(cls, v: str) -> str: """Validate that JWT_SECRET_KEY is set and not a placeholder.""" if not v or v.strip() == "": raise ValueError( "JWT_SECRET_KEY must be set in environment variables. " "Please configure it in the .env file." ) placeholder_values = [ "your-secret-key-change-in-production", "change-me", "secret", "your-secret-key", ] if v.lower() in placeholder_values: raise ValueError( "JWT_SECRET_KEY appears to be a placeholder value. " "Please set a secure secret key in the .env file." ) return v # Encryption - Master key for encrypting file encryption keys # Must be a 32-byte (256-bit) key encoded as base64 for AES-256 # Generate with: python -c "import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())" ENCRYPTION_MASTER_KEY: Optional[str] = None @field_validator("ENCRYPTION_MASTER_KEY") @classmethod def validate_encryption_master_key(cls, v: Optional[str]) -> Optional[str]: """Validate that ENCRYPTION_MASTER_KEY is properly formatted if set.""" if v is None or v.strip() == "": return None # Basic validation - should be base64 encoded 32 bytes import base64 try: decoded = base64.urlsafe_b64decode(v) if len(decoded) != 32: raise ValueError( "ENCRYPTION_MASTER_KEY must be a base64-encoded 32-byte key. " "Generate with: python -c \"import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())\"" ) except Exception as e: if "must be a base64-encoded" in str(e): raise raise ValueError( "ENCRYPTION_MASTER_KEY must be a valid base64-encoded string. " f"Error: {e}" ) return v # External Auth API AUTH_API_URL: str = "https://pj-auth-api.vercel.app" # CORS CORS_ORIGINS: List[str] = ["http://localhost:3000", "http://localhost:5173"] # System Admin SYSTEM_ADMIN_EMAIL: str = "ymirliu@panjit.com.tw" # File Upload UPLOAD_DIR: str = "./uploads" MAX_FILE_SIZE_MB: int = 50 @property def MAX_FILE_SIZE(self) -> int: return self.MAX_FILE_SIZE_MB * 1024 * 1024 # Allowed file extensions (whitelist) ALLOWED_EXTENSIONS: List[str] = [ # Documents "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "csv", # Images "jpg", "jpeg", "png", "gif", "bmp", "svg", "webp", # Archives "zip", "rar", "7z", "tar", "gz", # Data "json", "xml", "yaml", "yml", ] # Blocked file extensions (dangerous) BLOCKED_EXTENSIONS: List[str] = [ "exe", "bat", "cmd", "sh", "ps1", "dll", "msi", "com", "scr", "vbs", "js" ] class Config: env_file = ".env" case_sensitive = True settings = Settings()