""" Django settings for Rofoof backend. """ from datetime import timedelta from pathlib import Path from decouple import Csv, config BASE_DIR = Path(__file__).resolve().parent.parent SECRET_KEY = config("SECRET_KEY", default="insecure-change-me-in-production") DEBUG = config("DEBUG", default=False, cast=bool) ALLOWED_HOSTS = config("ALLOWED_HOSTS", default="localhost,127.0.0.1", cast=Csv()) INSTALLED_APPS = [ "django.contrib.admin", "django.contrib.auth", "django.contrib.contenttypes", "django.contrib.sessions", "django.contrib.messages", "django.contrib.staticfiles", # Third-party "rest_framework", "rest_framework_simplejwt", "rest_framework_simplejwt.token_blacklist", "django_filters", "corsheaders", "phonenumber_field", # Local apps "apps.core", "apps.users", "apps.stores", "apps.products", "apps.events", "apps.engagement", "apps.referrals", "apps.content", ] AUTH_USER_MODEL = "users.User" MIDDLEWARE = [ "django.middleware.security.SecurityMiddleware", "whitenoise.middleware.WhiteNoiseMiddleware", "corsheaders.middleware.CorsMiddleware", "django.contrib.sessions.middleware.SessionMiddleware", "apps.core.middleware.LanguageMiddleware", "django.middleware.common.CommonMiddleware", "django.middleware.csrf.CsrfViewMiddleware", "django.contrib.auth.middleware.AuthenticationMiddleware", "django.contrib.messages.middleware.MessageMiddleware", "django.middleware.clickjacking.XFrameOptionsMiddleware", ] ROOT_URLCONF = "config.urls" TEMPLATES = [ { "BACKEND": "django.template.backends.django.DjangoTemplates", "DIRS": [], "APP_DIRS": True, "OPTIONS": { "context_processors": [ "django.template.context_processors.debug", "django.template.context_processors.request", "django.contrib.auth.context_processors.auth", "django.contrib.messages.context_processors.messages", ], }, }, ] WSGI_APPLICATION = "config.wsgi.application" DATABASES = { "default": { "ENGINE": "django.db.backends.mysql", "NAME": config("DB_NAME", default="rfoof"), "USER": config("DB_USER", default="root"), "PASSWORD": config("DB_PASSWORD", default=""), "HOST": config("DB_HOST", default="localhost"), "PORT": config("DB_PORT", default="3306"), "OPTIONS": { "charset": "utf8mb4", "init_command": "SET sql_mode='STRICT_TRANS_TABLES'", }, } } AUTH_PASSWORD_VALIDATORS = [ {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"}, {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator"}, {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"}, {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"}, ] LANGUAGE_CODE = "en-us" TIME_ZONE = "UTC" USE_I18N = True USE_TZ = True STATIC_URL = "static/" STATIC_ROOT = BASE_DIR / "staticfiles" MEDIA_URL = "media/" MEDIA_ROOT = BASE_DIR / "media" DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField" # --- Security (production) --- if not DEBUG: SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") # Default off because cPanel/Apache typically handles HTTPS redirects. # Enable explicitly via env var when Django should do the redirect. SECURE_SSL_REDIRECT = config("SECURE_SSL_REDIRECT", default=False, cast=bool) SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True SECURE_HSTS_SECONDS = 31536000 SECURE_HSTS_INCLUDE_SUBDOMAINS = True SECURE_HSTS_PRELOAD = True SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_REFERRER_POLICY = "same-origin" X_FRAME_OPTIONS = "DENY" # WhiteNoise serves collected static files directly from the WSGI app, which # is the simplest path on cPanel/Passenger where you don't control Apache. STORAGES = { "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"}, "staticfiles": {"BACKEND": "whitenoise.storage.CompressedManifestStaticFilesStorage"}, } # --- REST Framework --- REST_FRAMEWORK = { "DEFAULT_AUTHENTICATION_CLASSES": [ "rest_framework_simplejwt.authentication.JWTAuthentication", ], "DEFAULT_PERMISSION_CLASSES": [ "rest_framework.permissions.AllowAny", ], "DEFAULT_PAGINATION_CLASS": "apps.core.pagination.StandardPagination", "PAGE_SIZE": 20, "DEFAULT_FILTER_BACKENDS": [ "django_filters.rest_framework.DjangoFilterBackend", "rest_framework.filters.SearchFilter", "rest_framework.filters.OrderingFilter", ], "EXCEPTION_HANDLER": "apps.core.exceptions.custom_exception_handler", } # --- SimpleJWT --- SIMPLE_JWT = { "ACCESS_TOKEN_LIFETIME": timedelta(days=7), "REFRESH_TOKEN_LIFETIME": timedelta(days=30), "ROTATE_REFRESH_TOKENS": True, "BLACKLIST_AFTER_ROTATION": True, "AUTH_HEADER_TYPES": ("Bearer",), } # --- CORS --- CORS_ALLOWED_ORIGINS = config( "CORS_ALLOWED_ORIGINS", default="http://localhost:3000", cast=Csv() ) CORS_ALLOW_ALL_ORIGINS = config("CORS_ALLOW_ALL_ORIGINS", default=False, cast=bool) # --- Firebase --- FIREBASE_CREDENTIALS_PATH = config("FIREBASE_CREDENTIALS_PATH", default="./firebase-adminsdk.json") # --- Referrals --- DEFAULT_REFERRAL_POINTS = config("DEFAULT_REFERRAL_POINTS", default=20, cast=int) # --- Phone number --- PHONENUMBER_DEFAULT_REGION = "AE" # --- Logging --- LOGGING = { "version": 1, "disable_existing_loggers": False, "formatters": { "verbose": { "format": "[{asctime}] {levelname} {name}: {message}", "style": "{", }, }, "handlers": { "console": { "class": "logging.StreamHandler", "formatter": "verbose", }, }, "root": { "handlers": ["console"], "level": "INFO", }, "loggers": { "django": { "handlers": ["console"], "level": config("DJANGO_LOG_LEVEL", default="INFO"), "propagate": False, }, }, }