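FLASK_APP=manage.py
FLASK_ENV=development
# FLASK_DEBUG=1 enables the Werkzeug interactive debugger, which lets anyone who
# can reach the app execute code on the host. Keep it at 1 only on a developer
# machine; every deployment must run with FLASK_DEBUG=0.
FLASK_DEBUG=1

# ═════════════════════════════════════════════════════════════════════════════
# Docker / Production
# ═════════════════════════════════════════════════════════════════════════════
# Each key must appear exactly once in this file. Common loaders (python-dotenv,
# docker compose env_file) keep a single occurrence — typically the last one — so
# a repeated key silently replaces the earlier value. Production overrides that
# conflict with the development values further down are therefore kept commented
# here; copy them into the deployment's own env file instead of this template.
COMPOSE_PROJECT_NAME=authy2
# Production: set FLASK_ENV=production together with FLASK_DEBUG=0 (recent Flask
# releases ignore FLASK_ENV and decide debug mode from FLASK_DEBUG alone).
# FLASK_ENV=production
POSTGRES_USER=appuser
# Template placeholder. Generate a real value per deployment, e.g.
#   python -c "import secrets; print(secrets.token_urlsafe(32))"
POSTGRES_PASSWORD=change-me-in-production
POSTGRES_DB=secuird
# ${VAR} expansion needs a loader that supports it (python-dotenv does; check
# yours). The expanded URL carries the database password — treat it as a secret
# and keep it out of logs.
DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
SQLALCHEMY_DATABASE_URI=${DATABASE_URL}
# Redis reached through the compose service name. The active (localhost) values
# live in the Redis section below; swap them for these in a compose deployment.
# REDIS_URL=redis://redis:6379/0
# SESSION_REDIS_URL=redis://redis:6379/0
# RATELIMIT_STORAGE_URL=redis://redis:6379/1
HTTP_PORT=80
HTTPS_PORT=443
API_PORT=5000

# Database engine logging (the connection itself comes from DATABASE_URL above).
# SQLALCHEMY_ECHO=True logs every statement together with its bound parameters,
# which can include user data — keep False outside local debugging.
SQLALCHEMY_ECHO=False
SQLALCHEMY_LOG_LEVEL=WARNING

# Security / Encryption
# All "change-me" values are template placeholders. Generate a distinct random
# value for each one per deployment, e.g.
#   python -c "import secrets; print(secrets.token_urlsafe(48))"
# and never reuse one key for two purposes.
SECRET_KEY=change-me-in-production
# The key length the application expects is not visible from this file: the
# placeholder's name suggests exactly 32 bytes, yet the placeholder itself is
# 34 characters — confirm the required length against the app's config loader.
ENCRYPTION_KEY=change-me-in-production-32-bytes!!
# Used to encrypt SSH CA private keys stored in the database
CA_ENCRYPTION_KEY=change-me-in-production
# bcrypt cost factor (2^12 iterations per hash); raise only after measuring login latency
BCRYPT_LOG_ROUNDS=12

# Session cookies
# Secure=True is the right production setting (cookie only sent over HTTPS). With
# the http://localhost URLs below it depends on the browser's localhost exemption.
SESSION_COOKIE_SECURE=True
SESSION_COOKIE_SAMESITE=Lax
# Only needed when sharing cookies across subdomains (e.g. api.example.com +
# ui.example.com). Leave unset otherwise: a Domain attribute makes the cookie
# readable by every subdomain, not just the one that set it.
# SESSION_COOKIE_DOMAIN=example.com
# Presumably seconds (86400 = 24 h) — confirm the unit against the loader.
MAX_SESSION_DURATION=86400

# ─────────────────────────────────────────────────────────────────────────────
# JWT
# ─────────────────────────────────────────────────────────────────────────────
# Must differ from SECRET_KEY; a leaked value lets anyone mint valid tokens.
JWT_SECRET_KEY=change-me-in-production
# Lifetimes, presumably in seconds: 3600 = 1 h, 2592000 = 30 days. Keep access
# tokens short; a long refresh lifetime is only acceptable when refresh tokens
# can be revoked server-side.
JWT_ACCESS_TOKEN_EXPIRES=3600
JWT_REFRESH_TOKEN_EXPIRES=2592000

# ─────────────────────────────────────────────────────────────────────────────
# Redis (session storage + rate limiting)
# ─────────────────────────────────────────────────────────────────────────────
# DB 0 holds sessions, DB 1 holds rate-limit counters. These are the active
# values; the compose-network equivalents are commented in the Docker section.
REDIS_URL=redis://localhost:6379/0
SESSION_REDIS_URL=redis://localhost:6379/0
RATELIMIT_STORAGE_URL=redis://localhost:6379/1

# ─────────────────────────────────────────────────────────────────────────────
# CORS
# ─────────────────────────────────────────────────────────────────────────────
# Comma-separated list of exact origins (scheme + host + port). List origins
# explicitly rather than using a wildcard: this decides which cross-site pages
# may read API responses.
CORS_ORIGINS=http://localhost:8080,http://localhost:5173

# ─────────────────────────────────────────────────────────────────────────────
# Frontend / App URLs
# All three should point at the browser-facing SPA. They are used for:
#   FRONTEND_URL → OAuth callback redirects after provider auth
#   APP_URL      → Password-reset and email-verify links in emails
#   OIDC_UI_URL  → OIDC /authorize redirects to the React consent/login UI
# Because these become redirect targets and emailed links, they must be the
# exact public https URLs in production, never a value derived from a request.
# ─────────────────────────────────────────────────────────────────────────────
FRONTEND_URL=http://localhost:8080
APP_URL=http://localhost:8080
OIDC_UI_URL=http://localhost:8080

# ─────────────────────────────────────────────────────────────────────────────
# OIDC / OAuth issuer
# ─────────────────────────────────────────────────────────────────────────────
# Relying parties compare the issuer string literally against what they
# discovered, so in production this must be the public https URL and must not
# change between deployments.
OIDC_ISSUER_URL=http://localhost:5000
OIDC_BASE_URL=http://localhost:5000

# ─────────────────────────────────────────────────────────────────────────────
# WebAuthn
# ─────────────────────────────────────────────────────────────────────────────
# RP ID: a registrable domain that is a suffix of the origin's host (no scheme,
# no port). ORIGIN must match exactly what the browser reports. Outside
# localhost, WebAuthn only works over https.
WEBAUTHN_RP_ID=localhost
WEBAUTHN_RP_NAME=Secuird
WEBAUTHN_ORIGIN=http://localhost:8080

# ─────────────────────────────────────────────────────────────────────────────
# SSH CA (pick one)
# ─────────────────────────────────────────────────────────────────────────────
# Path to the CA private key file. Restrict the file's permissions to the
# service user.
SSH_CA_KEY_PATH=/path/to/ca-users
# Raw key content; takes priority over SSH_CA_KEY_PATH. Prefer the path form:
# environment variables are visible to every process in the container and tend
# to surface in logs and crash reports.
# SSH_CA_PRIVATE_KEY=

# ─────────────────────────────────────────────────────────────────────────────
# Email / SMTP
# ─────────────────────────────────────────────────────────────────────────────
EMAIL_ENABLED=False
SMTP_HOST=smtp.gmail.com
# 587 is the STARTTLS submission port; keep SMTP_USE_TLS=True with it.
SMTP_PORT=587
SMTP_USE_TLS=True
SMTP_USERNAME=
# Secret — fill in per deployment, never in this template.
SMTP_PASSWORD=
FROM_ADDRESS=noreply@gatehouse.local
# Email provider: one of smtp, mailgun, sendgrid. SMTP is the default; set to
# "mailgun" or "sendgrid" to use those providers.
EMAIL_PROVIDER=smtp
# Mailgun configuration (used when EMAIL_PROVIDER=mailgun)
# MAILGUN_API_KEY=your-mailgun-api-key
# MAILGUN_DOMAIN=mg.yourdomain.com
# MAILGUN_API_URL=https://api.mailgun.net/v3
# SendGrid configuration (used when EMAIL_PROVIDER=sendgrid)
# SENDGRID_API_KEY=SG.your-sendgrid-api-key
# SENDGRID_FROM_EMAIL=noreply@yourdomain.com

# ─────────────────────────────────────────────────────────────────────────────
# Logging
# ─────────────────────────────────────────────────────────────────────────────
# DEBUG level can write request payloads and tokens to the log; use INFO or
# higher in production.
LOG_LEVEL=INFO
LOG_TO_STDOUT=True

# ─────────────────────────────────────────────────────────────────────────────
# Rate Limiting
# ─────────────────────────────────────────────────────────────────────────────
# Counters live in RATELIMIT_STORAGE_URL above. Disabling this leaves the
# login, registration and password-reset endpoints open to brute forcing.
RATELIMIT_ENABLED=True
# Per-endpoint auth limits (optional — defaults shown). The values contain
# spaces and ';', so double-quote them when uncommenting; python-dotenv and
# docker compose both strip the quotes.
# RATELIMIT_AUTH_REGISTER="10 per minute; 50 per hour"
# RATELIMIT_AUTH_LOGIN="20 per minute; 100 per hour"
# RATELIMIT_AUTH_TOTP_VERIFY="20 per minute; 100 per hour"
# RATELIMIT_AUTH_FORGOT_PASSWORD="5 per minute; 20 per hour"
# RATELIMIT_AUTH_RESET_PASSWORD="10 per minute; 30 per hour"

# ─────────────────────────────────────────────────────────────────────────────
# ZeroTier
# ─────────────────────────────────────────────────────────────────────────────
# API token is a secret; leave empty in this template.
ZEROTIER_API_TOKEN=
ZEROTIER_API_URL=

# ─────────────────────────────────────────────────────────────────────────────
# OIDC token lifetimes & security (optional — defaults shown)
# ─────────────────────────────────────────────────────────────────────────────
# Lifetimes presumably in seconds; authorization codes are single-use and should
# stay short (600 = 10 min). Keep REQUIRE_PKCE=True and ALLOW_IMPLICIT_FLOW=False:
# the implicit flow exposes tokens in the URL fragment and is discouraged by the
# OAuth 2.0 security best-current-practice guidance.
# OIDC_ACCESS_TOKEN_LIFETIME=3600
# OIDC_REFRESH_TOKEN_LIFETIME=2592000
# OIDC_ID_TOKEN_LIFETIME=3600
# OIDC_AUTHORIZATION_CODE_LIFETIME=600
# OIDC_REQUIRE_PKCE=True
# OIDC_ALLOW_IMPLICIT_FLOW=False
# Signing-key rotation: old keys stay published for the grace period so tokens
# issued before rotation still verify.
# OIDC_KEY_ROTATION_DAYS=90
# OIDC_KEY_GRACE_PERIOD_DAYS=30
# Note the "N/minute" notation differs from the RATELIMIT_AUTH_* form above;
# both must stay in whatever format the app's limiter accepts.
# OIDC_RATE_LIMIT_AUTHORIZE=10/minute
# OIDC_RATE_LIMIT_TOKEN=20/minute
# OIDC_RATE_LIMIT_USERINFO=60/minute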