base.py

"""
Django settings for dora project.

Generated by 'django-admin startproject' using Django 3.2.4.

For more information on this file, see
https://docs.djangoproject.com/en/3.2/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.2/ref/settings/
"""

import json
import os
from urllib.parse import urlparse

from botocore.config import Config
from corsheaders.defaults import default_headers
from django.utils.csp import CSP

from . import BASE_DIR

APPS_DIR = os.path.join(BASE_DIR, "dora")
# Paramètres Django
# Voir : https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/

SECRET_KEY = os.getenv("DJANGO_SECRET_KEY")

# Liste des applications Django :
# peut-être étendue ou complétée par les profils de dev ou test.
INSTALLED_APPS = [
    "django.contrib.gis",
    "django.contrib.auth",
    # OIDC / ProConnect : doit être chargé après `django.contrib.auth`
    "mozilla_django_oidc",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "django.contrib.postgres",
    "django_filters",
    "rest_framework",
    "rest_framework.authtoken",
    "rest_framework_gis",
    "corsheaders",
    # local / DORA
    "config.apps.AdminConfig",
    "dora.core",
    "dora.rest_auth",
    "dora.users",
    "dora.structures",
    "dora.services",
    "dora.orientations",
    "dora.sirene",
    "dora.support",
    "dora.admin_express",
    "dora.stats",
    "dora.notifications",
    "dora.logs",
    "dora.oidc",
    "dora.auth_links",
    "dora.nexus",
    "dora.decoupage_administratif",
    "dora.emplois",
]

MIDDLEWARE = [
    "django_datadog_logger.middleware.request_id.RequestIdMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "whitenoise.middleware.WhiteNoiseMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "corsheaders.middleware.CorsMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "django.middleware.csp.ContentSecurityPolicyMiddleware",
    # Rafraichissement du token ProConnect
    "mozilla_django_oidc.middleware.SessionRefresh",
    "django_datadog_logger.middleware.request_log.RequestLoggingMiddleware",
]

# OIDC / ProConnect / Sesame
AUTHENTICATION_BACKENDS = [
    # auth par défaut pour la partie admin :
    "django.contrib.auth.backends.ModelBackend",
    # OIDC / ProConnect
    "dora.oidc.OIDCAuthenticationBackend",
    # connexion par "lien magique"
    "sesame.backends.ModelBackend",
]

# Sessions :
# https://docs.djangoproject.com/fr/4.2/topics/http/sessions/
# La durée de vie de la session est de 12 heures par défaut
# (identique à ProConnect)
SESSION_COOKIE_AGE = 60 * 60 * 12  # 12 heures

# Permet de garder le comportement d'identification "standard" (e-mail/password)
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_AUTHENTICATION_METHOD = "email"

ROOT_URLCONF = "config.urls"

TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "DIRS": [os.path.join(BASE_DIR, "templates")],
        "APP_DIRS": True,
        "OPTIONS": {
            "context_processors": [
                "django.template.context_processors.csp",
                "django.template.context_processors.debug",
                "django.template.context_processors.request",
                "django.contrib.auth.context_processors.auth",
                "django.contrib.messages.context_processors.messages",
            ],
            "builtins": [
                "dora.core.templatetags.globals",
            ],
        },
    },
]

WSGI_APPLICATION = "config.wsgi.application"

AUTH_USER_MODEL = "users.User"

# Base de données :
# Si la connexion est déjà définie de cette manière, on la réutilise.
# Sinon, elle sera définie dans les différents fichiers de settings
# (via les variables d'environnement `PG_xxx` standards).
DATABASE_URL = os.getenv("DATABASE_URL")

# Cache :
# https://docs.djangoproject.com/en/4.2/topics/cache/

CACHES = {
    "default": {
        "BACKEND": "django.core.cache.backends.redis.RedisCache",
        "LOCATION": os.getenv("REDIS_URL"),
        "TIMEOUT": int(os.getenv("DJANGO_CACHE_TIMEOUT", 300)),  # 5 minutes par défaut
        "KEY_PREFIX": "django",
    }
}

# Hôtes autorisés :
# https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/#allowed-hosts

ALLOWED_HOSTS = (
    os.getenv("DJANGO_ALLOWED_HOSTS").split(",")
    if os.getenv("DJANGO_ALLOWED_HOSTS")
    else None
)

# Validation des mot de passe :
# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
        "OPTIONS": {
            "user_attributes": ["first_name", "last_name", "email"],
        },
    },
    {
        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
        "OPTIONS": {
            "min_length": 12,
        },
    },
    {
        "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",
    },
]

# I18N :
# https://docs.djangoproject.com/en/4.2/topics/i18n/

LANGUAGE_CODE = "fr-fr"
TIME_ZONE = "Europe/Paris"
USE_TZ = True

# Fichier statiques (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/4.2/howto/static-files/

STATIC_URL = "/static/"
STATIC_ROOT = os.path.join(BASE_DIR, "staticfiles")
STATICFILES_DIRS = [
    os.path.join(BASE_DIR, "dora", "static"),
]

# Téléversement de fichiers
# https://django-storages.readthedocs.io/en/latest/backends/azure.html

STORAGES = {
    "default": {
        "BACKEND": "storages.backends.s3.S3Storage",
        "OPTIONS": {
            "client_config": Config(
                request_checksum_calculation="when_required",
                response_checksum_validation="when_required",
            ),
            "object_parameters": {"ContentDisposition": "attachment"},
        },
    },
    "staticfiles": {
        "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage",
    },
}

# Limitations de Django pour la taille des formulaires :
# Nombre de champs max. du formulaire (x2)
# augmentation de la valeur par défaut pour tous les environnements
DATA_UPLOAD_MAX_NUMBER_FIELDS = 2_000

# Stockage S3 CleverCloud :
AWS_S3_ENDPOINT_URL = os.getenv("AWS_S3_ENDPOINT_URL")
AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")
AWS_SECRET_ACCESS_KEY = os.getenv("AWS_SECRET_ACCESS_KEY")
AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_STORAGE_BUCKET_NAME")
AWS_QUERYSTRING_EXPIRE = 24 * 3600  # secondes

MAX_UPLOAD_SIZE_MB = 6
MAX_FILENAME_LENGTH = 64
FILE_VALIDATION_BUFFER_LENGTH = int(os.getenv("FILE_VALIDATION_BUFFER_LENGTH", 2048))
ALLOWED_UPLOADED_FILES_EXTENSIONS = [
    "doc",
    "docx",
    "pdf",
    "png",
    "jpeg",
    "jpg",
    "ods",
    "odt",
    "xls",
    "xlsx",
]

ALLOWED_MIME_TYPES = {
    "application/pdf": ["pdf"],
    "application/msword": ["doc"],
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": ["docx"],
    "application/vnd.oasis.opendocument.text": ["odt"],
    "application/vnd.oasis.opendocument.spreadsheet": ["ods"],
    "application/vnd.ms-excel": ["xls"],
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet": ["xlsx"],
    "image/png": ["png"],
    "image/jpeg": ["jpeg", "jpg"],
}

# Type de clé primaire par défaut :
# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field

DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

# Logging :
# permet un niveau de log 'INFO' pour le logger `dora.logs.core`,
# qui est également réglable via variable d'environnement, si besoin
# (le reste de la configuration de logging par défaut n'est pas modifié).
# Concernant Django, avoir des logs visibles à certains point critiques
# de la configuration peut être une bonne idée.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {
        "json": {"()": "itoutils.django.logging.DataDogJSONFormatter"},
    },
    "handlers": {
        "console": {"class": "logging.StreamHandler", "formatter": "json"},
    },
    "loggers": {
        "": {
            "handlers": ["console"],
            "level": os.getenv("DJANGO_LOG_LEVEL", "INFO"),
        },
        "django": {
            "level": os.getenv("DJANGO_LOG_LEVEL", "INFO"),
        },
        "dora.logs.core": {
            "level": os.getenv("DORA_LOGS_CORE_LEVEL", "INFO"),
        },
    },
}


# Rest Framework :
# https://www.django-rest-framework.org/api-guide/settings/

ANON_THROTTLE_RATE_PER_MINUTE = os.getenv("ANON_THROTTLE_RATE_PER_MINUTE", "24")
USER_THROTTLE_RATE_PER_MINUTE = os.getenv("USER_THROTTLE_RATE_PER_MINUTE", "120")
USER_UPLOAD_THROTTLE_RATE_PER_MINUTE = os.getenv(
    "USER_UPLOAD_THROTTLE_RATE_PER_MINUTE", "5"
)
STRUCTURE_UPLOAD_THROTTLE_RATE_PER_HOUR = os.getenv(
    "STRUCTURE_UPLOAD_THROTTLE_RATE_PER_HOUR", "20"
)

REST_FRAMEWORK = {
    # Let's lock down access by default
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAdminUser",
    ],
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.TokenAuthentication",
    ],
    "DEFAULT_FILTER_BACKENDS": ["django_filters.rest_framework.DjangoFilterBackend"],
    # Camel Case
    # https://github.com/vbabiy/djangorestframework-camel-case
    "DEFAULT_RENDERER_CLASSES": (
        "djangorestframework_camel_case.render.CamelCaseJSONRenderer",
    ),
    "DEFAULT_PARSER_CLASSES": (
        "djangorestframework_camel_case.parser.CamelCaseFormParser",
        "djangorestframework_camel_case.parser.CamelCaseMultiPartParser",
        "djangorestframework_camel_case.parser.CamelCaseJSONParser",
    ),
    "JSON_UNDERSCOREIZE": {
        "no_underscore_before_number": True,
    },
    "EXCEPTION_HANDLER": "dora.core.exceptions_handler.custom_exception_handler",
    "TEST_REQUEST_DEFAULT_FORMAT": "json",
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": f"{ANON_THROTTLE_RATE_PER_MINUTE}/minute",
        "user": f"{USER_THROTTLE_RATE_PER_MINUTE}/minute",
        "upload": f"{USER_UPLOAD_THROTTLE_RATE_PER_MINUTE}/minute",
        "structure_upload": f"{STRUCTURE_UPLOAD_THROTTLE_RATE_PER_HOUR}/hour",
    },
}

# CORS :
# https://github.com/adamchainz/django-cors-headers/blob/main/README.rst
CORS_ALLOWED_ORIGIN_REGEXES = [os.getenv("DJANGO_CORS_ALLOWED_ORIGIN_REGEXES")]
CORS_ALLOW_HEADERS = list(default_headers) + ["sentry-trace", "anonymous-user-hash"]


# Configuration spécifique de l'application DORA :

# Services :
DEFAULT_SEARCH_RADIUS = 15  # in km
RECENT_SERVICES_CUTOFF_DAYS = 30

# Bot user :
DORA_BOT_USER = "dora-bot@dora.beta.gouv.fr"

# Authentifications tierces parties :
FT_CLIENT_ID = os.getenv("FT_CLIENT_ID")
FT_CLIENT_SECRET = os.getenv("FT_CLIENT_SECRET")

# Compte utilisateur Data·Inclusion
DATA_INCLUSION_EMAIL = "data.inclusion@beta.gouv.fr"
DATA_INCLUSION_URL = os.getenv("DATA_INCLUSION_URL")
DATA_INCLUSION_IMPORT_API_KEY = os.getenv("DATA_INCLUSION_IMPORT_API_KEY")
DATA_INCLUSION_STREAM_API_KEY = os.getenv("DATA_INCLUSION_STREAM_API_KEY")
DATA_INCLUSION_STREAM_SOURCES = (lambda s: s.split(",") if s else None)(
    os.getenv("DATA_INCLUSION_STREAM_SOURCES")
)

DATA_INCLUSION_TIMEOUT_SECONDS = int(os.getenv("DATA_INCLUSION_TIMEOUT_SECONDS", 10))

DATA_INCLUSION_SCORE_QUALITE_MINIMUM = float(
    os.getenv("DATA_INCLUSION_SCORE_QUALITE_MINIMUM", 0.8)
)

DATA_INCLUSION_EXCLUDE_DUPLICATES = (
    os.getenv("DATA_INCLUSION_EXCLUDE_DUPLICATES") == "true"
)

EMPLOIS_EMAIL = os.getenv("EMPLOIS_EMAIL")

SKIP_DI_INTEGRATION_TESTS = True

# BREVO :
BREVO_ACTIVE = os.getenv("BREVO_ACTIVE", "").lower() == "true"
BREVO_API_KEY = os.getenv("BREVO_API_KEY")
BREVO_ONBOARDING_PUTATIVE_MEMBER_LIST = int(
    os.getenv("BREVO_ONBOARDING_PUTATIVE_MEMBER_LIST", 0)
)
BREVO_ONBOARDING_MEMBER_LIST = int(os.getenv("BREVO_ONBOARDING_MEMBER_LIST", 0))

# OIDC / PROCONNECT
PC_CLIENT_ID = os.getenv("PC_CLIENT_ID")
PC_CLIENT_SECRET = os.getenv("PC_CLIENT_SECRET")
PC_DOMAIN = os.getenv("PC_DOMAIN", "fca.integ01.dev-agentconnect.fr")
PC_ISSUER = os.getenv("PC_ISSUER", f"{PC_DOMAIN}/api/v2")
PC_AUTHORIZE_PATH = os.getenv("PC_AUTHORIZE_PATH", "authorize")
PC_TOKEN_PATH = os.getenv("PC_TOKEN_PATH", "token")
PC_USERINFO_PATH = os.getenv("PC_USERINFO_PATH", "userinfo")

# ProConnect à besoin de ce setting pour le logout
FRONTEND_URL = os.getenv("FRONTEND_URL")

# mozilla_django_oidc:
OIDC_RP_CLIENT_ID = os.getenv("PC_CLIENT_ID")
OIDC_RP_CLIENT_SECRET = os.getenv("PC_CLIENT_SECRET")
OIDC_RP_SCOPES = "openid given_name usual_name email siret custom uid"

# `mozilla_django_oidc` n'utilise pas de discovery / .well-known
# on définit donc chaque endpoint
OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
OIDC_OP_JWKS_ENDPOINT = f"https://{PC_ISSUER}/jwks"
OIDC_OP_AUTHORIZATION_ENDPOINT = f"https://{PC_ISSUER}/authorize"
OIDC_OP_TOKEN_ENDPOINT = f"https://{PC_ISSUER}/token"
OIDC_OP_USER_ENDPOINT = f"https://{PC_ISSUER}/userinfo"
OIDC_OP_LOGOUT_ENDPOINT = f"https://{PC_ISSUER}/session/end"

# Les paramètres suivants servent à adapter la configuration OIDC
# de `mozilla-django_oidc` pour pouvoir fonctionner dans le contexte
# spécifique à DORA et ProConnect.

# OIDC : intervalle de rafraichissement du token (4h)
OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS = 4 * 60 * 60

# OIDC : nécessaire pour la gestion de la fin de session coté ProConnect
OIDC_STORE_ID_TOKEN = True
ALLOW_LOGOUT_GET_METHOD = True

# obligatoire pour ProConnect: à passer en paramètre de requête supplémentaire
# lors de la première phase du flow OIDC
OIDC_AUTH_REQUEST_EXTRA_PARAMS = {"acr_values": "eidas1"}

# OIDC : redirection vers le front DORA en cas de succès de l'identification
# necessaire pour la gestion de "l'URL suivant" (`next_url`)
LOGIN_REDIRECT_URL = "/oidc/logged_in/"

# OIDC : redirection vers l'accueil du front DORA pour la déconnexion
LOGOUT_REDIRECT_URL = FRONTEND_URL

# OIDC: également en cas d'erreur d'identification (loggée)
LOGIN_REDIRECT_URL_FAILURE = FRONTEND_URL

# OIDC : permet de préciser quelle est la class/vue en charge du callback dans le flow OIDC
# (essentiellement pour la gestion du `next_url`).
OIDC_CALLBACK_CLASS = "dora.oidc.views.CustomAuthorizationCallbackView"

# OIDC : permet de préciser quelle est la class/vue en charge de l'initiation de l'authentification
# (pour l'ajout du paramètre `login_hint`).
OIDC_AUTHENTICATE_CLASS = "dora.oidc.views.CustomAuthenticationRequestView"

# OIDC : autorise la redirection vers le frontend après authentification
# (nécessaire car le frontend est sur un host différent du backend)
OIDC_REDIRECT_ALLOWED_HOSTS = [urlparse(FRONTEND_URL).netloc] if FRONTEND_URL else []

# Notifications :
# voir management command `process_notification_tasks`

# activation des notifications
NOTIFICATIONS_ENABLED = os.getenv("NOTIFICATIONS_ENABLED", "") == "true"

# si défini, seules ces tâches de notification seront lancées par le CRON
# même principe que pour la management command, les tâches sélectionnées sont séparées par des ","
NOTIFICATIONS_TASK_TYPES = os.getenv("NOTIFICATIONS_TASK_TYPES", "")

# nombre de Notifications à envoyer pour chaque tâche
try:
    NOTIFICATIONS_LIMIT = int(os.getenv("NOTIFICATIONS_LIMIT", 0))
except Exception:
    NOTIFICATIONS_LIMIT = 0

# ces paramètres ne sont pas liés au système de notification
NUM_DAYS_BEFORE_DRAFT_SERVICE_NOTIFICATION = 7
NUM_DAYS_BEFORE_ORIENTATIONS_NOTIFICATION = 10

# GDAL :
if "GDAL_LIBRARY_PATH" in os.environ:
    GDAL_LIBRARY_PATH = os.getenv("GDAL_LIBRARY_PATH")
if "GEOS_LIBRARY_PATH" in os.environ:
    GEOS_LIBRARY_PATH = os.getenv("GEOS_LIBRARY_PATH")

# DJANGO_ADMINS=Name1:email1,Name2:email2
ADMINS = (
    [u.split(":") for u in os.getenv("DJANGO_ADMINS").split(",")]
    if os.getenv("DJANGO_ADMINS")
    else None
)

# CSP :
SECURE_CSP = {
    "default-src": [CSP.SELF],
    # Le widget cartographique de l'admin Django GIS charge OpenLayers (jsDelivr) et les tuiles OSM.
    "script-src": [
        CSP.SELF,
        CSP.NONCE,
        "https://cdn.jsdelivr.net",
        "'sha256-wT8A7+MN/p4Bz/w+R+COOHf9HZ+xYskWOIu/JDwIvkg='",
    ],
    "style-src": [CSP.SELF, CSP.NONCE, "https://cdn.jsdelivr.net"],
    "img-src": [
        CSP.SELF,
        "https://tile.openstreetmap.org",
    ],
}

# Envoi d'e-mails transactionnels :
# https://app.tipimail.com/#/app/settings/smtp_and_apis
DEFAULT_FROM_EMAIL = os.getenv("DEFAULT_FROM_EMAIL")
NO_REPLY_EMAIL = os.getenv("NO_REPLY_EMAIL", DEFAULT_FROM_EMAIL)
EMAIL_HOST = os.getenv("EMAIL_HOST")
EMAIL_HOST_USER = os.getenv("EMAIL_HOST_USER")
EMAIL_HOST_PASSWORD = os.getenv("EMAIL_HOST_PASSWORD")
EMAIL_SUBJECT_PREFIX = os.getenv("EMAIL_SUBJECT_PREFIX")
EMAIL_PORT = os.getenv("EMAIL_PORT")
EMAIL_USE_TLS = True
EMAIL_DOMAIN = os.getenv("EMAIL_DOMAIN")
SUPPORT_EMAIL = os.getenv("SUPPORT_EMAIL")

SUPPORT_LINK = "https://aide.dora.inclusion.beta.gouv.fr"

# Orientations :
ORIENTATION_SUPPORT_LINK = os.getenv("ORIENTATION_SUPPORT_LINK")
ORIENTATION_EMAILS_DEBUG = os.getenv("ORIENTATION_EMAILS_DEBUG") == "true"
ORIENTATION_EXPIRATION_PERIOD_DAYS = int(
    os.getenv("ORIENTATION_EXPIRATION_PERIOD_DAYS", 30)
)
ORIENTATION_ANONYMIZATION_PERIOD_DAYS = int(
    os.getenv("ORIENTATION_ANONYMIZATION_PERIOD_DAYS", 730)
)
ORIENTATION_ATTACHMENTS_EXPIRATION_PERIOD_MONTHS = int(
    os.getenv("ORIENTATION_ATTACHMENTS_EXPIRATION_PERIOD_MONTHS", 6)
)
ORIENTATION_SIRENE_BLACKLIST = [
    # France Travail
    "130005481",
    # CAF
    "779311224",
    "534155403",
    "775548555",
    "775549371",
    "782437586",
    "782620520",
    "534224282",
    "780254702",
    "776656209",
    "780349759",
    "775555642",
    "776744005",
    "775558364",
    "775561343",
    "775562531",
    "781172366",
    "775564669",
    "775021801",
    "777927138",
    "778213348",
    "777461336",
    "777998881",
    "303336192",
    "778274613",
    "778297242",
    "534738778",
    "775573397",
    "780808010",
    "775103955",
    "535326656",
    "775915085",
    "776950446",
    "776986671",
    "781847488",
    "534089529",
    "777749375",
    "775189038",
    "775347875",
    "535363071",
    "778422832",
    "782099121",
    "775369598",
    "534216080",
    "779145598",
    "786019554",
    "775513708",
    "777053125",
    "782152888",
    "776115255",
    "534172481",
    "780860292",
    "780428975",
    "775613227",
    "775613995",
    "775615529",
    "783382344",
    "777907700",
    "780004032",
    "778477737",
    "775622335",
    "775624588",
    "775627383",
    "783806110",
    "534175179",
    "534224613",
    "775629256",
    "783911951",
    "534214051",
    "775634264",
    "831358262",
    "777169046",
    "775640238",
    "778868497",
    "778953844",
    "534037254",
    "778542837",
    "778600130",
    "786338871",
    "775653330",
    "776531576",
    "380992255",
    "534092499",
    "784971343",
    "381067784",
    "781459599",
    "775710791",
    "777187691",
    "777306184",
    "783169196",
    "775714124",
    "786448050",
    "775716202",
    "778073189",
    "775717333",
    "778649525",
    "778714964",
    "381016534",
    "381050996",
    "380980300",
    "381202282",
    "381002534",
    "782993133",
    "327398152",
    "314560822",
    "314307828",
    "315190751",
    "314635368",
]

# Environnement :
# production | staging | review | local
# Utilisé our l'affichage de l'environnement sur l'admin,
# et pour activer le SSL sur la connexion à la base de données.
ENVIRONMENT = os.getenv("ENVIRONMENT", "local")

# Nom du cookie d'authentification : différencié par environnement pour éviter
# les collisions de cookies entre prod et staging (même domaine parent).
AUTH_COOKIE_NAME = "token" if ENVIRONMENT == "production" else f"token_{ENVIRONMENT}"

# Profiling (Silk) :
# Doit être explicitement activé (via env var)
PROFILE = False

# Sesame (liens magiques) :
# Nom du token
SESAME_TOKEN_NAME = "dora_link"
# Durée de validité des tokens (secondes)
SESAME_MAX_AGE = 5 * 60
# Les liens ne sont valides qu'une fois
SESAME_ONE_TIME = True
# Nom de la variable de session indiquant une connexion via sesame
SESAME_SESSION_NAME = "sesame_magic_link"

# Recherche unifiée activée par défaut
DI_DORA_UNIFIED_SEARCH_ENABLED = os.getenv("DI_DORA_UNIFIED_SEARCH_ENABLED") != "false"

# Sécurité (espace admin) :
# L'espace d'admin est protégé par un système à 2FA
# Et pontiellement désactivable par configuration
DJANGO_ADMIN_2FA_ENABLED = os.getenv("DJANGO_ADMIN_2FA_ENABLED") == "true"

if DJANGO_ADMIN_2FA_ENABLED:
    INSTALLED_APPS += [  # noqa
        "django_otp",
        "django_otp.plugins.otp_static",
        "django_otp.plugins.otp_totp",
    ]
    MIDDLEWARE += ["django_otp.middleware.OTPMiddleware"]  # noqa


# Nexus
# ---------------------------------------
NEXUS_METABASE_DB_HOST = os.getenv("NEXUS_METABASE_DB_HOST")
NEXUS_METABASE_DB_PORT = os.getenv("NEXUS_METABASE_DB_PORT")
NEXUS_METABASE_DB_DATABASE = os.getenv("NEXUS_METABASE_DB_DATABASE")
NEXUS_METABASE_DB_USER = os.getenv("NEXUS_METABASE_DB_USER")
NEXUS_METABASE_DB_PASSWORD = os.getenv("NEXUS_METABASE_DB_PASSWORD")
NEXUS_ALLOWED_REDIRECT_HOSTS = os.getenv("NEXUS_ALLOWED_REDIRECT_HOSTS", "").split(",")
NEXUS_SYNC_CHUNK_SIZE = int(os.getenv("NEXUS_SYNC_CHUNK_SIZE", 5000))

NEXUS_API_BASE_URL = os.getenv("NEXUS_API_BASE_URL")
NEXUS_API_TOKEN = os.getenv("NEXUS_API_TOKEN")

NEXUS_MENU_ENABLED = os.getenv("NEXUS_MENU_ENABLED") == "true"

pdi_jwt_key = os.getenv("PDI_JWT_KEY")
PDI_JWT_KEY = json.loads(pdi_jwt_key) if pdi_jwt_key else None


# API de découpage administratif
# ---------------------------------------
GEO_API_GOUV_BASE_URL = os.getenv("GEO_API_GOUV_BASE_URL", "https://geo.api.gouv.fr")
try:
    GEO_API_GOUV_TIMEOUT_SECONDS = int(os.getenv("GEO_API_GOUV_TIMEOUT_SECONDS"), 10)
except (TypeError, ValueError):
    GEO_API_GOUV_TIMEOUT_SECONDS = None