PROJECT-CONTORL/backend/app/core/config.py

from pydantic_settings import BaseSettings
from pydantic import field_validator
from typing import List, Optional
import os


class Settings(BaseSettings):
    # Database
    MYSQL_HOST: str = "localhost"
    MYSQL_PORT: int = 3306
    MYSQL_USER: str = "root"
    MYSQL_PASSWORD: str = ""
    MYSQL_DATABASE: str = "pjctrl"

    @property
    def DATABASE_URL(self) -> str:
        return f"mysql+pymysql://{self.MYSQL_USER}:{self.MYSQL_PASSWORD}@{self.MYSQL_HOST}:{self.MYSQL_PORT}/{self.MYSQL_DATABASE}"

    # Redis
    REDIS_HOST: str = "localhost"
    REDIS_PORT: int = 6379
    REDIS_DB: int = 0

    @property
    def REDIS_URL(self) -> str:
        return f"redis://{self.REDIS_HOST}:{self.REDIS_PORT}/{self.REDIS_DB}"

    # JWT - Must be set in environment, no default allowed
    JWT_SECRET_KEY: str = ""
    JWT_ALGORITHM: str = "HS256"
    JWT_EXPIRE_MINUTES: int = 10080  # 7 days

    @field_validator("JWT_SECRET_KEY")
    @classmethod
    def validate_jwt_secret_key(cls, v: str) -> str:
        """Validate that JWT_SECRET_KEY is set and not a placeholder."""
        if not v or v.strip() == "":
            raise ValueError(
                "JWT_SECRET_KEY must be set in environment variables. "
                "Please configure it in the .env file."
            )
        placeholder_values = [
            "your-secret-key-change-in-production",
            "change-me",
            "secret",
            "your-secret-key",
        ]
        if v.lower() in placeholder_values:
            raise ValueError(
                "JWT_SECRET_KEY appears to be a placeholder value. "
                "Please set a secure secret key in the .env file."
            )
        return v

    # Encryption - Master key for encrypting file encryption keys
    # Must be a 32-byte (256-bit) key encoded as base64 for AES-256
    # Generate with: python -c "import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())"
    ENCRYPTION_MASTER_KEY: Optional[str] = None

    @field_validator("ENCRYPTION_MASTER_KEY")
    @classmethod
    def validate_encryption_master_key(cls, v: Optional[str]) -> Optional[str]:
        """Validate that ENCRYPTION_MASTER_KEY is properly formatted if set."""
        if v is None or v.strip() == "":
            return None
        # Basic validation - should be base64 encoded 32 bytes
        import base64
        try:
            decoded = base64.urlsafe_b64decode(v)
            if len(decoded) != 32:
                raise ValueError(
                    "ENCRYPTION_MASTER_KEY must be a base64-encoded 32-byte key. "
                    "Generate with: python -c \"import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())\""
                )
        except Exception as e:
            if "must be a base64-encoded" in str(e):
                raise
            raise ValueError(
                "ENCRYPTION_MASTER_KEY must be a valid base64-encoded string. "
                f"Error: {e}"
            )
        return v

    # External Auth API
    AUTH_API_URL: str = "https://pj-auth-api.vercel.app"

    # CORS
    CORS_ORIGINS: List[str] = ["http://localhost:3000", "http://localhost:5173"]

    # System Admin
    SYSTEM_ADMIN_EMAIL: str = "ymirliu@panjit.com.tw"

    # File Upload
    UPLOAD_DIR: str = "./uploads"
    MAX_FILE_SIZE_MB: int = 50

    @property
    def MAX_FILE_SIZE(self) -> int:
        return self.MAX_FILE_SIZE_MB * 1024 * 1024

    # Allowed file extensions (whitelist)
    ALLOWED_EXTENSIONS: List[str] = [
        # Documents
        "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "csv",
        # Images
        "jpg", "jpeg", "png", "gif", "bmp", "svg", "webp",
        # Archives
        "zip", "rar", "7z", "tar", "gz",
        # Data
        "json", "xml", "yaml", "yml",
    ]

    # Blocked file extensions (dangerous)
    BLOCKED_EXTENSIONS: List[str] = [
        "exe", "bat", "cmd", "sh", "ps1", "dll", "msi", "com", "scr", "vbs", "js"
    ]

    # Rate Limiting Configuration
    # Tiers: standard, sensitive, heavy
    # Format: "{requests}/{period}" (e.g., "60/minute", "20/minute", "5/minute")
    RATE_LIMIT_STANDARD: str = "60/minute"  # Task CRUD, comments
    RATE_LIMIT_SENSITIVE: str = "20/minute"  # Attachments, password change, report export
    RATE_LIMIT_HEAVY: str = "5/minute"  # Report generation, bulk operations

    class Config:
        env_file = ".env"
        case_sensitive = True


settings = Settings()