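# Environment template for the API: copy to .env and fill in real values.
# Every value is a string; booleans are written true/false. Comments sit on
# their own lines because not every dotenv loader strips inline "# ..." text
# from a value (older loaders keep it as part of the value).

# === Environment ===
# Options: development, staging, production
ENVIRONMENT=development

# === JWT & Authentication ===
# IMPORTANT: generate unique, strong secrets in production, e.g.
#   python -c "import secrets; print(secrets.token_urlsafe(64))"
# The placeholder below must never reach staging/production; the settings
# loader should refuse to start while it is still set.
JWT_SECRET=CHANGE_ME_IN_PRODUCTION_USE_STRONG_SECRET_64_CHARS_MIN
# HS256 is symmetric: anything holding JWT_SECRET can also mint tokens.
JWT_ALGORITHM=HS256
# minutes
ACCESS_TOKEN_EXPIRE_MINUTES=15
# days
REFRESH_TOKEN_EXPIRE_DAYS=7
# minutes
CSRF_TOKEN_EXPIRE_MINUTES=60

# === Cookie Settings ===
# Leave empty for localhost; use ".example.com" to share the cookies across
# subdomains (a leading-dot domain sends them to every subdomain).
COOKIE_DOMAIN=
# Set to true in production behind HTTPS.
COOKIE_SECURE=false
# Options: strict, lax, none
# Browsers drop SameSite=none cookies unless COOKIE_SECURE=true.
COOKIE_SAMESITE=strict
COOKIE_HTTPONLY=true
COOKIE_ACCESS_TOKEN_NAME=access_token
COOKIE_REFRESH_TOKEN_NAME=refresh_token
COOKIE_CSRF_TOKEN_NAME=csrf_token

# === Redis (Token Blacklist & Rate Limiting) ===
# redis:// is plaintext; outside a local/dev setup set REDIS_PASSWORD and
# REDIS_SSL=true (rediss://), since the blacklist drives token revocation.
REDIS_URL=redis://localhost:6379/0
REDIS_PASSWORD=
REDIS_SSL=false
TOKEN_BLACKLIST_PREFIX=blacklist:
RATE_LIMIT_PREFIX=ratelimit:

# === Rate Limiting ===
# Login: at most RATE_LIMIT_LOGIN_ATTEMPTS per RATE_LIMIT_LOGIN_WINDOW_MINUTES.
RATE_LIMIT_LOGIN_ATTEMPTS=5
RATE_LIMIT_LOGIN_WINDOW_MINUTES=15
# API: at most RATE_LIMIT_API_REQUESTS per RATE_LIMIT_API_WINDOW_SECONDS.
RATE_LIMIT_API_REQUESTS=100
RATE_LIMIT_API_WINDOW_SECONDS=60

# === Password Security ===
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_DIGIT=true
PASSWORD_REQUIRE_SPECIAL=true
# Failed logins before the account is locked, and for how long (minutes).
ACCOUNT_LOCKOUT_THRESHOLD=5
ACCOUNT_LOCKOUT_DURATION_MINUTES=30

# === Device Fingerprint ===
# If empty, JWT_SECRET is used. Prefer a distinct secret so fingerprinting
# and token signing do not share key material.
FINGERPRINT_SECRET=
# Comma-separated request attributes that make up the fingerprint.
FINGERPRINT_COMPONENTS=user_agent,accept_language,accept_encoding

# === Refresh Token Rotation ===
REFRESH_TOKEN_ROTATION_ENABLED=true
# Grace period (seconds) in which a just-rotated refresh token is still
# accepted; keep it short, reuse outside it should be treated as theft.
REFRESH_TOKEN_REUSE_WINDOW_SECONDS=10

# === Database ===
# PostgreSQL: postgresql+asyncpg://user:password@localhost:5432/dbname
# The URL embeds credentials; keep the real .env out of version control.
DATABASE_URL=sqlite+aiosqlite:///./data/sage_dataven.db

# === Sage Gateway (Windows) ===
# Plain http:// sends SAGE_GATEWAY_TOKEN in clear text; use https:// unless
# the gateway is only reachable over an isolated network.
SAGE_GATEWAY_URL=http://windows-server:5000
SAGE_GATEWAY_TOKEN=your_gateway_token

# === Frontend ===
FRONTEND_URL=http://localhost:3000

# === SMTP (Email) ===
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=noreply@example.com
SMTP_PASSWORD=your_smtp_password
SMTP_FROM=noreply@example.com
SMTP_USE_TLS=true

# === Universign (electronic signature) ===
UNIVERSIGN_API_KEY=your_universign_api_key
UNIVERSIGN_API_URL=https://api.universign.com/v1

# === API Server ===
# 0.0.0.0 binds every interface; 127.0.0.1 is enough for local development
# unless the server runs in a container.
API_HOST=0.0.0.0
API_PORT=8000
# Set to false in production.
API_RELOAD=true

# === CORS ===
# Allowed origins. The value is written as a JSON array here although the
# original note described it as comma-separated; confirm which form the
# settings loader parses before editing.
# Never use "*": with cookie-based auth browsers reject a wildcard on
# credentialed responses, and some frameworks reflect the request Origin
# instead, which would let any site call the API with the user's cookies.
# Keep this in sync with FRONTEND_URL.
CORS_ORIGINS=["http://localhost:3000"]

# === Sage Document Types ===
SAGE_TYPE_DEVIS=0
SAGE_TYPE_BON_COMMANDE=10
SAGE_TYPE_PREPARATION=20
SAGE_TYPE_BON_LIVRAISON=30
SAGE_TYPE_BON_RETOUR=40
SAGE_TYPE_BON_AVOIR=50
SAGE_TYPE_FACTURE=60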