refactor: clean up scaffolding backend

2026-05-04 08:56:52 +00:00 · 2026-04-16 03:30:42 +05:30
parent e8dac65468
commit cc8e3e4e4e
16 changed files with 174 additions and 109 deletions
@@ -35,27 +35,25 @@ SECRET_KEY = env("SECRET_KEY")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = env("DEBUG")

-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = env.list("ALLOWED_HOSTS") or []


 # Application definition

 INSTALLED_APPS = [
-    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
-    "django.contrib.messages",
    "django.contrib.staticfiles",
-    "rest_framework",  # for API
-    "corsheaders",  # for API and Frontend connect
-    "users",  # custom user app
-    "letters",  # letters app
+    "rest_framework",
+    "corsheaders",
+    "users",
+    "letters",
 ]

 MIDDLEWARE = [
-    "corsheaders.middleware.CorsMiddleware",  # allow frontend to connect
    "django.middleware.security.SecurityMiddleware",
+    "corsheaders.middleware.CorsMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
@@ -66,21 +64,6 @@ MIDDLEWARE = [

 ROOT_URLCONF = "config.urls"

-TEMPLATES = [
-    {
-        "BACKEND": "django.template.backends.django.DjangoTemplates",
-        "DIRS": [],
-        "APP_DIRS": True,
-        "OPTIONS": {
-            "context_processors": [
-                "django.template.context_processors.request",
-                "django.contrib.auth.context_processors.auth",
-                "django.contrib.messages.context_processors.messages",
-            ],
-        },
-    },
-]
-
 WSGI_APPLICATION = "config.wsgi.application"


@@ -99,7 +82,7 @@ DATABASES = {
 }

 CORS_ALLOWED_ORIGINS = env.list("CORS_ALLOWED_ORIGINS")
-CORS_ALLOW_CREDENTIALS = True  # allow cookies with frontend
+CORS_ALLOW_CREDENTIALS = True

 AUTH_USER_MODEL = "users.User"

@@ -107,27 +90,32 @@ REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": ("rest_framework_simplejwt.authentication.JWTAuthentication",),
    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
 }
+
 SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=30),
-    # "ACCESS_TOKEN_LIFETIME": timedelta(seconds=10),  # lazy testing
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    "ROTATE_REFRESH_TOKENS": True,
    "BLACKLIST_AFTER_ROTATION": True,
    "AUTH_HEADER_TYPES": ("Bearer",),
    "AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.AccessToken",),
-    "AUTH_COOKIE": "refresh_token",
-    "AUTH_COOKIE_DOMAIN": None,
-    "AUTH_COOKIE_SECURE": not DEBUG,
-    "AUTH_COOKIE_HTTPONLY": True,
-    "AUTH_COOKIE_SAMESITE": "Lax",  # Allow cross-site for links from email. Otherwise we'd use strict
+}
+
+"""
+NOTE: COOKIE_SAMESITE:  Lax is used to allow cross-site redirection, like links from email.
+"""
+AUTH_COOKIE = {
+    "NAME": "refresh_token",
+    "DOMAIN": None,
+    "SECURE": not DEBUG,
+    "HTTPONLY": True,
+    "SAMESITE": "Lax",
 }

 # Email config
 EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
 EMAIL_HOST = env("EMAIL_HOST")
 EMAIL_PORT = env("EMAIL_PORT")
-EMAIL_USE_TLS = not DEBUG  # false for local, true for production
-EMAIL_USE_SSL = False  # since we enforce TLS
+EMAIL_USE_TLS = not DEBUG
 EMAIL_HOST_USER = env("EMAIL_HOST_USER")
 EMAIL_HOST_PASSWORD = env("EMAIL_HOST_PASSWORD")
 FROM_EMAIL = env("FROM_EMAIL")