member-backend/app/core/config.py

from functools import lru_cache
from typing import Annotated

from pydantic import field_validator
from pydantic_settings import BaseSettings, NoDecode, SettingsConfigDict


class Settings(BaseSettings):
    model_config = SettingsConfigDict(env_file=".env", extra="ignore")

    app_env: str = "development"
    port: int = 8000

    db_host: str = "127.0.0.1"
    db_port: int = 54321
    db_name: str = "member_center"
    db_user: str = "member_ose"
    db_password: str = ""

    # Keycloak only
    keycloak_base_url: str = ""
    keycloak_realm: str = ""
    keycloak_verify_tls: bool = True
    keycloak_issuer: str = ""
    keycloak_jwks_url: str = ""
    keycloak_audience: str = ""
    keycloak_client_id: str = ""
    keycloak_client_secret: str = ""
    keycloak_token_endpoint: str = ""
    keycloak_userinfo_endpoint: str = ""
    keycloak_admin_client_id: str = ""
    keycloak_admin_client_secret: str = ""
    keycloak_admin_realm: str = ""

    public_frontend_origins: Annotated[list[str], NoDecode] = ["https://member.ose.tw"]
    internal_shared_secret: str = ""
    admin_required_groups: Annotated[list[str], NoDecode] = []
    cache_backend: str = "memory"
    cache_redis_url: str = "redis://127.0.0.1:6379/0"
    cache_prefix: str = "memberapi"
    cache_default_ttl_seconds: int = 30

    @field_validator("public_frontend_origins", mode="before")
    @classmethod
    def parse_origins(cls, value: str | list[str]) -> list[str]:
        if isinstance(value, list):
            return value
        if not value:
            return []
        return [origin.strip() for origin in value.split(",") if origin.strip()]

    @field_validator("admin_required_groups", mode="before")
    @classmethod
    def parse_csv(cls, value: str | list[str]) -> list[str]:
        if isinstance(value, list):
            return [str(v).strip() for v in value if str(v).strip()]
        if not value:
            return []
        return [part.strip() for part in value.split(",") if part.strip()]

    @property
    def database_url(self) -> str:
        return (
            "postgresql+psycopg://"
            f"{self.db_user}:{self.db_password}@{self.db_host}:{self.db_port}/{self.db_name}"
        )

    @property
    def idp_base_url(self) -> str:
        return self.keycloak_base_url.rstrip("/")

    @property
    def idp_verify_tls(self) -> bool:
        return self.keycloak_verify_tls

    @property
    def idp_issuer(self) -> str:
        if self.keycloak_issuer:
            return self.keycloak_issuer.rstrip("/")
        return f"{self.idp_base_url}/realms/{self.keycloak_realm}"

    @property
    def idp_jwks_url(self) -> str:
        if self.keycloak_jwks_url:
            return self.keycloak_jwks_url
        return f"{self.idp_issuer}/protocol/openid-connect/certs"

    @property
    def idp_audience(self) -> str:
        return self.keycloak_audience

    @property
    def idp_client_id(self) -> str:
        return self.keycloak_client_id

    @property
    def idp_client_secret(self) -> str:
        return self.keycloak_client_secret

    @property
    def idp_token_endpoint(self) -> str:
        if self.keycloak_token_endpoint:
            return self.keycloak_token_endpoint
        return f"{self.idp_issuer}/protocol/openid-connect/token"

    @property
    def idp_userinfo_endpoint(self) -> str:
        if self.keycloak_userinfo_endpoint:
            return self.keycloak_userinfo_endpoint
        return f"{self.idp_issuer}/protocol/openid-connect/userinfo"

    @property
    def idp_authorize_endpoint(self) -> str:
        return f"{self.idp_issuer}/protocol/openid-connect/auth"


@lru_cache
def get_settings() -> Settings:
    return Settings()