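"""Django settings for the ``nexus`` project.

Deployment-specific values come from the environment (a ``.env`` file is
loaded first through python-dotenv). The defaults are meant for local
development only: when ``DEBUG`` is off, the settings below refuse to start
with a placeholder ``SECRET_KEY``, an unset ``ALLOWED_HOSTS``, or a CORS
configuration that reflects arbitrary origins with credentials.
"""
import os
from datetime import timedelta
from pathlib import Path

import dj_database_url
from django.core.exceptions import ImproperlyConfigured
from dotenv import load_dotenv

load_dotenv()

BASE_DIR = Path(__file__).resolve().parent.parent


def _env_flag(name, default='False'):
    """Return True when env var *name* is the string ``true`` (case-insensitive)."""
    return os.environ.get(name, default).lower() == 'true'


def _env_list(name, default=''):
    """Split the comma-separated env var *name* into a list.

    Whitespace around each item is stripped and empty items are dropped, so
    ``"a, b,"`` yields ``['a', 'b']``. *default* is used when the variable
    is unset.
    """
    return [item.strip() for item in os.environ.get(name, default).split(',') if item.strip()]


# DEBUG is read first because the fail-closed checks below depend on it.
DEBUG = _env_flag('DEBUG')

# The placeholder key is only acceptable for local development; Django's
# deploy check (security.W009) flags the 'django-insecure-' prefix.
SECRET_KEY = os.environ.get('SECRET_KEY')
if not SECRET_KEY:
    if not DEBUG:
        raise ImproperlyConfigured(
            'SECRET_KEY must be set in the environment when DEBUG is off'
        )
    SECRET_KEY = 'django-insecure-change-me-in-production'

# A wildcard here disables Host-header validation, so production must name
# its hosts explicitly. With DEBUG on and an empty list, Django itself
# permits localhost / 127.0.0.1 / [::1].
ALLOWED_HOSTS = _env_list('ALLOWED_HOSTS')
if not ALLOWED_HOSTS and not DEBUG:
    raise ImproperlyConfigured(
        'ALLOWED_HOSTS must list the served hostnames when DEBUG is off'
    )

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework_simplejwt.authentication.JWTAuthentication"
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated"
    ],
}

SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=30),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
}

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'api.apps.ApiConfig',
    'rest_framework',
    'corsheaders',
]

# Order matters: SecurityMiddleware first, WhiteNoise right after it, and
# CorsMiddleware before CommonMiddleware so preflight responses carry the
# CORS headers.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

SESSION_COOKIE_AGE = 3600
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
# Sessions are stored client-side, signed with SECRET_KEY: rotating the key
# invalidates every session, and an individual session cannot be revoked
# server-side before it expires.
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'

ROOT_URLCONF = 'nexus.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [BASE_DIR / 'templates'],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'nexus.wsgi.application'

# Database: the PSQL env var holds a connection URL parsed by dj_database_url;
# conn_max_age keeps connections open for 10 minutes.
DATABASES = {
    'default': dj_database_url.config(
        default=os.environ.get("PSQL"),
        conn_max_age=600,
    )
}

# Redis configuration (optional); nothing in this module consumes it.
REDIS_URL = os.environ.get('REDIS')

AUTH_PASSWORD_VALIDATORS = [
    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
    {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator'},
    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
]

LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'America/Detroit'
USE_I18N = True
USE_TZ = True

STATIC_URL = '/assets/'
STATIC_ROOT = BASE_DIR / 'static'
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

# CORS Configuration
CORS_ALLOW_ALL_ORIGINS = _env_flag('CORS_ALLOW_ALL')
CORS_ALLOWED_ORIGINS = _env_list('CORS_ALLOWED_ORIGINS', 'http://localhost:5173')
CORS_ALLOW_CREDENTIALS = True
# Browsers reject '*' together with credentials, so with both flags on the
# middleware reflects the request Origin instead -- effectively letting any
# site make credentialed requests. Only tolerate that in local development.
if CORS_ALLOW_ALL_ORIGINS and CORS_ALLOW_CREDENTIALS and not DEBUG:
    raise ImproperlyConfigured(
        'CORS_ALLOW_ALL cannot be combined with CORS_ALLOW_CREDENTIALS when DEBUG is off'
    )

# CSRF Configuration
CSRF_TRUSTED_ORIGINS = _env_list('CSRF_TRUSTED_ORIGINS', 'http://localhost:5173')

# Security settings for production
if not DEBUG:
    # Trusting X-Forwarded-Proto is only safe behind a proxy that always
    # overwrites the header; a client-supplied value would otherwise be
    # believed.
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    SECURE_SSL_REDIRECT = True
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    # HSTS stays off (0, Django's default) unless the deployment opts in;
    # enable only once every host under the domain serves TLS.
    SECURE_HSTS_SECONDS = int(os.environ.get('SECURE_HSTS_SECONDS', '0'))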