timemaster/backend/app/core/config.py

from pydantic_settings import BaseSettings, SettingsConfigDict
from pydantic import model_validator
from functools import lru_cache


class Settings(BaseSettings):
    model_config = SettingsConfigDict(env_file=".env", extra="ignore")

    # App
    app_name: str = "TimeMaster"
    app_env: str = "development"
    secret_key: str = "change-me-in-production"
    frontend_url: str = "http://localhost:5173"
    allowed_hosts: list[str] = []

    # Database
    database_url: str = "postgresql+asyncpg://timemaster:secret@localhost:5432/timemaster_db"

    # Redis
    redis_url: str = "redis://localhost:6379/0"

    # JWT
    access_token_expire_minutes: int = 30
    refresh_token_expire_days: int = 30
    algorithm: str = "HS256"

    # Email
    resend_api_key: str = ""
    email_from: str = "noreply@timemaster.app"
    email_from_name: str = "TimeMaster"

    # First superadmin
    first_superadmin_email: str = ""
    first_superadmin_password: str = ""

    # CalDAV / outbound HTTP
    # Kommaseparierte CIDR-Whitelist für interne CalDAV-Server (z.B. Nextcloud im LAN).
    # Diese CIDRs sind vom SSRF-Schutz ausgenommen.
    # Beispiel: CALDAV_ALLOWED_CIDRS=192.168.1.0/24,10.10.5.50/32
    caldav_allowed_cidrs: list[str] = []

    @model_validator(mode='after')
    def validate_secret_key(self):
        if self.app_env == 'production' and self.secret_key == 'change-me-in-production':
            raise ValueError('SECRET_KEY must be changed in production! Set SECRET_KEY env variable.')
        if len(self.secret_key) < 32:
            raise ValueError('SECRET_KEY must be at least 32 characters long.')
        return self

    @property
    def is_production(self) -> bool:
        return self.app_env == "production"


@lru_cache
def get_settings() -> Settings:
    return Settings()


settings = get_settings()