feat(account): GET /me user endpoint only, disable cache and extra routers

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 20:44:35 +03:00
commit d94dd31439
107 changed files with 5083 additions and 0 deletions
--- a/src/infrastructure/config/settings.py
+++ b/src/infrastructure/config/settings.py
@@ -0,0 +1,155 @@
+from __future__ import annotations
+
+from functools import lru_cache
+from typing import List, Literal
+import os
+from dotenv import load_dotenv, find_dotenv
+from pydantic import Field, model_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+from src.infrastructure.vault import create_hvac_client, read_kv2_secret
+
+env_file = find_dotenv(".env")
+if env_file:
+    load_dotenv(env_file)
+
+
+class Settings(BaseSettings):
+    VAULT_ADDR: str = Field(default="http://localhost:8200")
+    VAULT_TOKEN: str = Field(..., description="Vault token is required")
+    VAULT_MOUNT_POINT: str = Field(default="secrets")
+
+    VAULT_JWT_KID_PATH: str = "jwt/kid"
+    VAULT_JWT_KIDS_PREFIX: str = "jwt/kids"
+    JWT_KEYS_REFRESH_SECONDS: int = 3600
+
+    DATABASE_HOST: str
+    DATABASE_PORT: int = Field(default=5432, ge=1, le=65535)
+    DATABASE_NAME: str
+    DATABASE_USER: str
+    DATABASE_PASSWORD: str
+
+    DATABASE_POOL_SIZE: int = 10
+    DATABASE_MAX_OVERFLOW: int = 20
+    DATABASE_POOL_TIMEOUT: int = 30
+    DATABASE_POOL_RECYCLE: int = 3600
+    DATABASE_ECHO: bool = False
+
+    CSRF_SECRET_KEY: str = Field(
+        default="change-me-change-me-change-me-change-me",
+        min_length=32,
+    )
+
+    CSRF_COOKIE_SECURE: bool = False
+    CSRF_COOKIE_HTTPONLY: bool = True
+    CSRF_COOKIE_SAMESITE: Literal["Lax", "Strict", "None"] = "Lax"
+    CSRF_COOKIE_PATH: str = "/"
+    CSRF_COOKIE_DOMAIN: str | None = None
+
+    DOCS_USERNAME: str = "admin"
+    DOCS_PASSWORD: str = "admin"
+
+    JWT_ACCESS_TTL_SECONDS: int = 15 * 60
+    JWT_REFRESH_TTL_SECONDS: int = 30 * 24 * 60 * 60
+    JWT_ISSUER: str | None = None
+    JWT_AUDIENCE: str | None = None
+    JWT_ALGORITHM: str = "RS256"
+
+    REDIS_HOST: str = "localhost"
+    REDIS_PORT: int = 6379
+    REDIS_PASSWORD: str | None = None
+    REDIS_DB: int = 0
+
+    RABBIT_HOST: str = "localhost"
+    RABBIT_PORT: int = 5672
+    RABBIT_USER: str = "guest"
+    RABBIT_PASSWORD: str = "guest"
+    RABBIT_VHOST: str = "/"
+
+    RABBIT_PUBLISH_PERSIST: bool = True
+    RABBIT_CONNECT_TIMEOUT: int = 5
+    RABBIT_EMAIL_CODE_QUEUE: str = "email.verification_code"
+
+    LOG_LEVEL: Literal["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"] = "INFO"
+    LOG_FORMAT: Literal["JSON", "TEXT"] = "TEXT"
+
+    model_config = SettingsConfigDict(
+        env_file=".env",
+        env_file_encoding="utf-8",
+        case_sensitive=True,
+        extra="ignore",
+    )
+
+    @model_validator(mode="before")
+    @classmethod
+    def load_from_vault(cls, data: dict):
+        addr = data.get("VAULT_ADDR") or os.getenv("VAULT_ADDR") or "http://localhost:8200"
+        token = data.get("VAULT_TOKEN") or os.getenv("VAULT_TOKEN")
+        mount = data.get("VAULT_MOUNT_POINT") or os.getenv("VAULT_MOUNT_POINT") or "secrets"
+
+        if not token:
+            raise RuntimeError("VAULT_TOKEN is required")
+
+        client = create_hvac_client(url=addr, token=token, timeout=5)
+
+        def safe_read(path: str) -> dict:
+            try:
+                return read_kv2_secret(client=client, mount_point=mount, path=path)
+            except Exception:
+                return {}
+
+        database = safe_read("database")
+        rabbitmq = safe_read("rabbitmq")
+        csrf = safe_read("csrf")
+
+        if database:
+            required = ["HOST", "NAME", "USER", "PASSWORD", "PORT"]
+            missing = [k for k in required if k not in database]
+            if missing:
+                raise RuntimeError(f"Vault database secret missing keys {missing}")
+
+            data["DATABASE_HOST"] = database["HOST"]
+            data["DATABASE_PORT"] = database["PORT"]
+            data["DATABASE_NAME"] = database["NAME"]
+            data["DATABASE_USER"] = database["USER"]
+            data["DATABASE_PASSWORD"] = database["PASSWORD"]
+
+        if rabbitmq:
+            data["RABBIT_HOST"] = rabbitmq.get("HOST", data.get("RABBIT_HOST"))
+            data["RABBIT_PORT"] = rabbitmq.get("PORT", data.get("RABBIT_PORT"))
+            data["RABBIT_USER"] = rabbitmq.get("USER", data.get("RABBIT_USER"))
+            data["RABBIT_PASSWORD"] = rabbitmq.get("PASSWORD", data.get("RABBIT_PASSWORD"))
+            data["RABBIT_VHOST"] = rabbitmq.get("VHOST", data.get("RABBIT_VHOST"))
+
+        if csrf:
+            data["CSRF_SECRET_KEY"] = csrf.get("KEY", data.get("CSRF_SECRET_KEY"))
+
+        return data
+
+    @property
+    def DATABASE_URL(self) -> str:
+        return (
+            f"postgresql+asyncpg://{self.DATABASE_USER}:{self.DATABASE_PASSWORD}"
+            f"@{self.DATABASE_HOST}:{self.DATABASE_PORT}/{self.DATABASE_NAME}"
+        )
+
+    @property
+    def REDIS_URL(self) -> str:
+        auth = f":{self.REDIS_PASSWORD}@" if self.REDIS_PASSWORD else ""
+        return f"redis://{auth}{self.REDIS_HOST}:{self.REDIS_PORT}/{self.REDIS_DB}"
+
+    @property
+    def RABBIT_URL(self) -> str:
+        vhost = "%2F" if self.RABBIT_VHOST == "/" else self.RABBIT_VHOST.lstrip("/")
+        return f"amqp://{self.RABBIT_USER}:{self.RABBIT_PASSWORD}@{self.RABBIT_HOST}:{self.RABBIT_PORT}/{vhost}"
+
+    @property
+    def EXCLUDED_PATHS(self) -> List[str]:
+        return ["/docs", "/redoc", "/openapi.json", "/ping", "/health"]
+
+
+@lru_cache(maxsize=1)
+def get_settings() -> Settings:
+    return Settings()
+
+
+settings = get_settings()