import os
from dotenv import load_dotenv
from pathlib import Path
from datetime import timedelta

# Populate os.environ from a `.env` file (python-dotenv). Variables that are
# already set in the real environment are not overridden by default, so values
# injected by the process manager / container win over the file. Every
# os.getenv() call below reads from this merged view.
load_dotenv()

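BASE_DIR = Path(__file__).resolve().parent.parent


def env_bool(name, default=False):
    """Return the boolean value of environment variable *name*.

    The usual truthy spellings ("1", "true", "yes", "on") are accepted,
    case-insensitively and ignoring surrounding whitespace; any other
    value is False. When the variable is unset, *default* is returned.

    Args:
        name: Environment variable to read.
        default: Value returned when the variable is absent.

    Returns:
        bool
    """
    raw = os.getenv(name)
    if raw is None:
        return default
    return raw.strip().lower() in ('1', 'true', 'yes', 'on')


# No default on purpose: Django raises ImproperlyConfigured the first time an
# empty SECRET_KEY is read, so a missing variable fails loudly at startup.
# The same key also signs the JWTs (SIMPLE_JWT['SIGNING_KEY'] below).
SECRET_KEY = os.getenv('SECRET_KEY')
FRONTEND_URL = os.getenv('FRONTEND_URL', 'http://localhost:5173')

# Fix: this used to be `os.getenv('DEBUG') == 'False'`, which switched debug
# mode ON exactly when the environment said "False" and left it OFF for
# "True". SECURE_SSL_REDIRECT and the *_COOKIE_SECURE flags further down are
# derived from `not DEBUG`, so that inversion silently disabled the production
# hardening. Debug is now enabled only by an explicit truthy value and is off
# when the variable is unset.
DEBUG = env_bool('DEBUG')

ALLOWED_HOSTS = [
    'api.agent.melgalis.lv',
    'www.api.agent.melgalis.lv',
    'mim.melgalis.lv',
    'localhost',
    '127.0.0.1',
]
ADMIN_EMAIL = "akakeiss@gmail.com"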

# Order is significant (template and static-file lookups take the first
# match), so the groups are concatenated in exactly the original order.
_DJANGO_CONTRIB_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]

_THIRD_PARTY_APPS = [
    'rest_framework',
    'corsheaders',
]

_PROJECT_APPS = [
    'mim_auth',
    'projects',
    'invoices',
    'pieteikumi',
    'ai_chat',
    'telegram_bot',
]

# Security: JWT token blacklist. Stores rotated/invalidated refresh tokens so
# they cannot be replayed (see SIMPLE_JWT['BLACKLIST_AFTER_ROTATION']).
_JWT_BLACKLIST_APPS = [
    'rest_framework_simplejwt.token_blacklist',
]

INSTALLED_APPS = (
    _DJANGO_CONTRIB_APPS
    + _THIRD_PARTY_APPS
    + _PROJECT_APPS
    + _JWT_BLACKLIST_APPS
)

MIDDLEWARE = [
    # Kept first so CORS headers are attached to every response, including
    # early rejections produced by middleware further down the chain.
    'corsheaders.middleware.CorsMiddleware',
    # Emits HSTS / nosniff headers and the SSL redirect configured below.
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # NOTE(review): WhiteNoise's documentation recommends placing it directly
    # after SecurityMiddleware; here it follows CommonMiddleware — confirm
    # that is intentional.
    'whitenoise.middleware.WhiteNoiseMiddleware',
    # Django's CSRF check for unsafe methods. DRF views are csrf-exempt at
    # this layer and apply their own check per authentication class.
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Sends X-Frame-Options using the X_FRAME_OPTIONS value set below.
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'core.urls'

# Context processors exposed to every template rendered by the Django
# backend (request object, current user, flashed messages).
_TEMPLATE_CONTEXT_PROCESSORS = [
    'django.template.context_processors.request',
    'django.contrib.auth.context_processors.auth',
    'django.contrib.messages.context_processors.messages',
]

# Single template engine; templates come from installed apps only
# (APP_DIRS) since no extra directories are listed in DIRS.
TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {'context_processors': _TEMPLATE_CONTEXT_PROCESSORS},
    },
]

WSGI_APPLICATION = 'core.wsgi.application'

# Custom user model; must be set before the first migration is created.
AUTH_USER_MODEL = 'mim_auth.UserPanelis'

# MySQL connection built entirely from the environment. NAME/USER/PASSWORD
# have no fallback, so an unset variable is None and the backend rejects the
# connection at first use rather than at import time. HOST defaults to
# loopback; if it points at a remote server, transport encryption has to be
# configured via the backend's OPTIONS (not set here).
DATABASES = {
    'default': dict(
        ENGINE='django.db.backends.mysql',
        NAME=os.getenv('DB_NAME'),
        USER=os.getenv('DB_USER'),
        PASSWORD=os.getenv('DB_PASSWORD'),
        HOST=os.getenv('DB_HOST', '127.0.0.1'),
        PORT=os.getenv('DB_PORT', '3306'),
    ),
}

_PASSWORD_VALIDATION_MODULE = 'django.contrib.auth.password_validation'
_PASSWORD_VALIDATOR_NAMES = (
    'UserAttributeSimilarityValidator',  # reject passwords resembling user attributes
    'MinimumLengthValidator',            # default minimum length
    'CommonPasswordValidator',           # reject entries from the common-password list
    'NumericPasswordValidator',          # reject all-digit passwords
)

# Django's stock validators with default options; the list order is the order
# in which validation errors are reported.
AUTH_PASSWORD_VALIDATORS = [
    {'NAME': _PASSWORD_VALIDATION_MODULE + '.' + _validator_name}
    for _validator_name in _PASSWORD_VALIDATOR_NAMES
]

# Locale and time handling: translations on, and all datetimes stored and
# compared as timezone-aware UTC values.
LANGUAGE_CODE, TIME_ZONE = 'en-us', 'UTC'
USE_I18N = USE_TZ = True

# Static assets are collected into BASE_DIR/staticfiles and served by
# WhiteNoise (see MIDDLEWARE and STORAGES).
STATIC_URL = '/static/'
STATIC_ROOT = BASE_DIR.joinpath('staticfiles')

_DEFAULT_FILE_STORAGE = "django.core.files.storage.FileSystemStorage"
# Manifest storage gives content-hashed filenames (cache busting) and
# WhiteNoise serves pre-compressed copies; `collectstatic` must have run
# before serving, otherwise the manifest lookup fails.
_STATIC_FILE_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage"

STORAGES = {
    "default": {"BACKEND": _DEFAULT_FILE_STORAGE},
    "staticfiles": {"BACKEND": _STATIC_FILE_STORAGE},
}

# ── CORS ─────────────────────────────────────────────────────
# Explicit allow-list. Because CORS_ALLOW_CREDENTIALS is True, browsers attach
# cookies to cross-origin requests from these origins, so every entry here can
# act on behalf of a logged-in user; wildcard origins are therefore disabled.
CORS_ALLOWED_ORIGINS = [
    "https://mim.melgalis.lv",  # portal (PORTAL_URL default)
    "http://localhost:5173",    # local dev server (FRONTEND_URL default)
    "https://mim.lv",
    "https://www.mim.lv",
    # NOTE(review): a plain-http origin gets credentialed access, which
    # exposes it to on-path tampering. Drop it once www.mim.lv is served
    # over HTTPS only.
    "http://www.mim.lv",
]
CORS_ALLOW_ALL_ORIGINS = False
CORS_ALLOW_METHODS = ["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"]
CORS_ALLOW_HEADERS = [
    "accept",
    "accept-encoding",
    "authorization",
    "content-type",
    "dnt",
    "origin",
    "user-agent",
    "x-csrftoken",
    "x-requested-with",
]
CORS_ALLOW_CREDENTIALS = True

# ── REST Framework + Rate Limiting (HIGH-01) ──────────────────
# 'anon' and 'user' are consumed by the default throttle classes below. The
# remaining scopes ('login', 'otp', 'password_reset') only take effect on
# views that set `throttle_scope` and use ScopedRateThrottle — presumably in
# mim_auth, confirm there.
# NOTE(review): DRF keeps throttle counters in the default cache; no CACHES
# setting is visible in this file, so the stock per-process LocMemCache
# applies and limits are per worker, not global — confirm for the deployment.
_THROTTLE_RATES = {
    'anon': '30/hour',           # unauthenticated: 30 requests per hour
    'user': '500/hour',          # authenticated: 500 requests per hour
    'login': '10/hour',          # login attempts (custom scope)
    'otp': '5/hour',             # OTP attempts (custom scope)
    'password_reset': '3/hour',  # password-reset requests
}

REST_FRAMEWORK = {
    # Cookie-carried JWT is the only authentication scheme for the API.
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'mim_auth.authentication.CookieJWTAuthentication',
    ),
    # === SECURITY: rate limiting ===
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': _THROTTLE_RATES,
}

# ── JWT configuration (CRIT-07) ───────────────────────────────
_ACCESS_TOKEN_LIFETIME = timedelta(minutes=30)
_REFRESH_TOKEN_LIFETIME = timedelta(hours=10)  # identical to timedelta(minutes=600)

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': _ACCESS_TOKEN_LIFETIME,
    'REFRESH_TOKEN_LIFETIME': _REFRESH_TOKEN_LIFETIME,
    # Each refresh issues a new refresh token and blacklists the old one
    # (needs rest_framework_simplejwt.token_blacklist in INSTALLED_APPS), so
    # a leaked refresh token stops working once the legitimate client
    # refreshes.
    'ROTATE_REFRESH_TOKENS': True,
    'BLACKLIST_AFTER_ROTATION': True,
    # Tokens are signed with the Django SECRET_KEY (default algorithm HS256);
    # rotating the key invalidates every outstanding token.
    'SIGNING_KEY': SECRET_KEY,
    'AUTH_HEADER_TYPES': ('Bearer',),
    # Not a simplejwt setting; presumably read by CookieJWTAuthentication to
    # pick the cookie that carries the access token — confirm there.
    'AUTH_COOKIE': 'access_token',
}

# ── E-mail ────────────────────────────────────────────────────
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = os.environ.get('EMAIL_HOST')
# int() raises ValueError at import time for a non-numeric port, so a
# misconfiguration surfaces at boot rather than on the first e-mail.
EMAIL_PORT = int(os.environ.get('EMAIL_PORT', 587))
# Exact string comparison: only the literal "True" enables SSL / STARTTLS.
# Django's SMTP backend rejects the combination of both being True.
_EMAIL_SSL_FLAG = os.environ.get('EMAIL_USE_SSL')
_EMAIL_TLS_FLAG = os.environ.get('EMAIL_USE_TLS')
EMAIL_USE_SSL = _EMAIL_SSL_FLAG == 'True'
EMAIL_USE_TLS = _EMAIL_TLS_FLAG == 'True'
# SMTP credentials come only from the environment.
EMAIL_HOST_USER = os.environ.get('EMAIL_HOST_USER')
EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_HOST_PASSWORD')

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

# ── Telegram & Gemini ─────────────────────────────────────────
# Secrets are read only from the environment, with no fallback: an unset
# variable yields None and the consuming code must handle that.
TELEGRAM_BOT_TOKEN = os.environ.get("TELEGRAM_BOT_TOKEN")
# Shared secret for the webhook endpoint — presumably checked in telegram_bot
# before an incoming update is trusted; confirm there.
TELEGRAM_WEBHOOK_SECRET = os.environ.get("TELEGRAM_WEBHOOK_SECRET")
TELEGRAM_ADMIN_CHAT_ID = os.environ.get("TELEGRAM_ADMIN_CHAT_ID")
# Public URLs with production defaults; override via .env for other
# environments.
API_BASE_URL = os.environ.get("API_BASE_URL", "https://api.agent.melgalis.lv")
PORTAL_URL = os.environ.get("PORTAL_URL", "https://mim.melgalis.lv")
WEBSITE_URL = os.environ.get("WEBSITE_URL", "https://mim.lv")
GEMINI_API_KEY = os.environ.get("GEMINI_API_KEY")
TURNSTILE_SECRET_KEY = os.environ.get("TURNSTILE_SECRET_KEY")

# ══════════════════════════════════════════════════════════════
# 🔒 SECURITY SETTINGS (MED-01, LOW-05)
# ══════════════════════════════════════════════════════════════
# Several settings below derive from DEBUG, so they only harden the
# deployment when DEBUG evaluates to False in production.

# HSTS — forces HTTPS (MED-01). SecurityMiddleware sends the header only on
# responses to HTTPS requests, so plain-http local development is unaffected.
# Preload + includeSubDomains is a long-lived commitment for the whole domain;
# submit to the preload list only once every subdomain is HTTPS.
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

# SSL redirect (enable only when the server supports it)
# NOTE(review): behind a TLS-terminating proxy Django sees plain HTTP and the
# redirect loops unless SECURE_PROXY_SSL_HEADER is configured — not visible
# in this file, confirm against the deployment.
SECURE_SSL_REDIRECT = not DEBUG  # production only

# Cookie security
SESSION_COOKIE_SECURE = not DEBUG
CSRF_COOKIE_SECURE = not DEBUG
SESSION_COOKIE_HTTPONLY = True
# NOTE(review): an HttpOnly CSRF cookie cannot be read by front-end JS, so the
# SPA cannot echo it in the x-csrftoken header admitted by CORS_ALLOW_HEADERS.
# Harmless only if no endpoint relies on the CSRF cookie — confirm.
CSRF_COOKIE_HTTPONLY = True

# Clickjacking protection (LOW-05)
X_FRAME_OPTIONS = 'DENY'

# XSS and content-type hardening
SECURE_CONTENT_TYPE_NOSNIFF = True
# NOTE(review): Django 4.0 removed SECURE_BROWSER_XSS_FILTER (and the
# X-XSS-Protection header). The STORAGES setting used above exists only from
# Django 4.2, so on this project the line is inert; a Content-Security-Policy
# is the modern replacement.
SECURE_BROWSER_XSS_FILTER = True

# === OTP settings ===
OTP_EXPIRY_SECONDS = 300  # 5 minutes
OTP_MAX_ATTEMPTS = 5      # maximum attempts