-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
181 lines (144 loc) · 5.49 KB
/
Copy path.env.example
File metadata and controls
181 lines (144 loc) · 5.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Project Management System - Environment Configuration
# Copy this file to .env and configure for your environment
# NEVER commit .env to version control!
# Flask Configuration
FLASK_ENV=development
FLASK_DEBUG=0
SECRET_KEY=your-secure-secret-key-here-change-in-production
# Database Configuration
DATABASE_URL=sqlite:///app.db
# Admin Access
ADMIN_TOKEN=your-secure-admin-token-here
# File Upload
UPLOAD_FOLDER=uploads
MAX_CONTENT_LENGTH=16777216
# Session Configuration
SESSION_TIMEOUT=1800
PERMANENT_SESSION_LIFETIME=1800
# Facial Recognition Configuration
FACIAL_VERIFICATION_TOLERANCE=0.4
FACIAL_VERIFICATION_MIN_CONFIDENCE=0.5
# Security
PREFERRED_URL_SCHEME=https
SESSION_COOKIE_SECURE=True
SESSION_COOKIE_HTTPONLY=True
SESSION_COOKIE_SAMESITE=Lax
# Email Configuration (Optional)
MAIL_SERVER=smtp.gmail.com
MAIL_PORT=587
MAIL_USE_TLS=True
MAIL_USERNAME=your-email@example.com
MAIL_PASSWORD=your-app-password
# Logging
LOG_LEVEL=INFO
LOG_FILE=app.log
# NEO4J_PASSWORD=<neo4j-password>
# INFLUXDB (Optional - for time-series metrics)
# INFLUXDB_URL=http://localhost:8086
# INFLUXDB_DATABASE=metrics
# Security Settings
# -----------------
# Session timeout in minutes
SESSION_TIMEOUT=30
# Maximum failed login attempts before lockout
MAX_LOGIN_ATTEMPTS=5
# Account lockout duration in minutes
LOCKOUT_DURATION=15
# Password expiry in days (0 = never expire)
PASSWORD_EXPIRY_DAYS=90
# ADMIN PANEL SECURITY SETTINGS
# =============================
# Require 2FA for all admin accounts
ADMIN_2FA_REQUIRED=true
# Enable IP whitelist for admin access
ADMIN_IP_WHITELIST_ENABLED=true
# Admin session timeout (minutes)
ADMIN_SESSION_TIMEOUT=15
# Maximum failed admin login attempts
ADMIN_MAX_FAILED_ATTEMPTS=5
# Admin account lockout duration (minutes)
ADMIN_LOCKOUT_DURATION=30
# Allowed concurrent admin sessions per user
ADMIN_MAX_CONCURRENT_SESSIONS=1
# Rate Limiting
# -------------
RATELIMIT_DEFAULT=200 per day
RATELIMIT_STORAGE_URL=memory://
# For production with Redis:
# RATELIMIT_STORAGE_URL=redis://localhost:6379/1
# Email Configuration (for password reset)
# ----------------------------------------
MAIL_SERVER=smtp.gmail.com
MAIL_PORT=587
MAIL_USE_TLS=true
MAIL_USERNAME=<your-email@gmail.com>
MAIL_PASSWORD=<your-app-password>
MAIL_DEFAULT_SENDER=<noreply@yourapp.com>
# FACIAL ID BIOMETRIC AUTHENTICATION
# ===================================
# Enable facial recognition for admin access
FACIAL_ID_ENABLED=true
# Require facial ID verification (optional - requires 2FA + facial ID)
# Set to false to make facial ID optional (2FA is sufficient)
FACIAL_ID_REQUIRED_FOR_ADMIN=false
# Face matching tolerance (0.4 = strict, 0.6 = moderate, 0.8 = lenient)
# Recommended: 0.6 (balances security and usability)
FACIAL_ID_TOLERANCE=0.6
# Face detection model ('hog' = faster, 'cnn' = more accurate on GPU)
# For production: use 'hog' on CPU, 'cnn' only if GPU available
FACIAL_ID_MODEL=hog
# Encryption key for facial encodings (REQUIRED if FACIAL_ID_ENABLED=true)
# Generate new key: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# Store securely in production (AWS Secrets Manager, HashiCorp Vault, etc.)
FACIAL_ENCRYPTION_KEY=<generate-using-fernet>
# Facial ID storage and preview settings
FACIAL_ID_PREVIEW_QUALITY=85 # JPEG quality 0-100 (lower = smaller file, lower quality)
FACIAL_ID_MAX_ENROLLMENTS=5 # Max enrolled faces per admin
# Facial ID session timeout (minutes)
# How long facial verification remains valid
FACIAL_ID_SESSION_TIMEOUT=30
# Facial ID security
FACIAL_ID_FAILED_ATTEMPTS_LOCKOUT=5 # Lock after N failed attempts
FACIAL_ID_LOCKOUT_DURATION=30 # Lock duration in minutes
FACIAL_ID_CONFIDENCE_THRESHOLD=0.6 # Minimum confidence to accept match (0-1)
# Facial ID maintenance
FACIAL_ID_CLEANUP_DAYS=90 # Delete failed attempt records older than N days
FACIAL_ID_LOG_ALL_ATTEMPTS=true # Log every verification attempt
# Logging
# -------
LOG_LEVEL=INFO
LOG_TO_STDOUT=false
# Feature Flags
# -------------
ENABLE_2FA=true
ENABLE_FACIAL_ID=true
ENABLE_AUDIT_LOGGING=true
ENABLE_API_DOCS=true
# Database Initialization (Optional - for init scripts)
# ---------------------------------------------------
# Set custom passwords for database initialization
# ADMIN_PASSWORD=<change-this-in-production>
# EMPLOYEE_PASSWORD=<change-this-in-production>
# SAMPLE_USER_PASSWORD=<change-this-in-production>
# External Integrations (Optional)
# --------------------------------
# GITHUB_CLIENT_ID=<your-github-client-id>
# GITHUB_CLIENT_SECRET=<your-github-client-secret>
# SLACK_WEBHOOK_URL=<your-slack-webhook>
# SENTRY_DSN=<your-sentry-dsn>
# SSL/TLS Configuration (Production)
# ----------------------------------
# FORCE_HTTPS=true
# SSL_REDIRECT=true
# ⚠️ IMPORTANT SECURITY NOTES:
# ============================
# 1. NEVER commit .env file to version control
# 2. Use .env.example (this file) for documentation only
# 3. All passwords and secrets MUST be from environment variables in production
# 4. Generate SECRET_KEY using: python -c "import secrets; print(secrets.token_hex(32))"
# 5. Generate FACIAL_ENCRYPTION_KEY using: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# 6. Enable HTTPS in production with valid SSL certificates
# 7. Store all sensitive data in secure secret management (e.g., AWS Secrets Manager)
# 8. Rotate passwords and secrets regularly (especially encryption keys)
# 9. Use strong, unique passwords (min 12 chars, mix of upper/lower/numbers/special)
# 10. Keep facial encoding keys separate from application secrets