Add validation logic based on environment and validate hosts protocols and SSL in production

rragundez · rragundez · commit db1e17296afb · 2025-11-21T14:22:32.000+07:00
diff --git a/scripts/local_with_uvicorn/.env.example b/scripts/local_with_uvicorn/.env.example
@@ -16,6 +16,8 @@
 APP_NAME="My Project"
 APP_DESCRIPTION="My Project Description"
 APP_VERSION="0.1"
+APP_BACKEND_HOST="http://localhost:8000"
+APP_FRONTEND_HOST="http://localhost:3000"
 CONTACT_NAME="Me"
 CONTACT_EMAIL="my.email@example.com"
 LICENSE_NAME="MIT"
diff --git a/src/app/core/config.py b/src/app/core/config.py
@@ -1,7 +1,9 @@
 import os
+import warnings
 from enum import Enum
+from typing import Self
 
-from pydantic import SecretStr, computed_field, field_validator
+from pydantic import SecretStr, computed_field, field_validator, model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -20,7 +22,7 @@ class AppSettings(BaseSettings):
     def validate_hosts(cls, host: str) -> str:
         if host is not None and not (host.startswith("http://") or host.startswith("https://")):
             raise ValueError(
-                f"HOSTS must define their protocol and start with http:// or https://. Received the host {host}."
+                f"HOSTS must define their protocol and start with http:// or https://. Received the host '{host}'."
             )
         return host
 
@@ -183,14 +185,28 @@ class Settings(
         extra="ignore",
     )
 
-    @field_validator("APP_FRONTEND_HOST")
-    @classmethod
-    def validate_app_frontend_host_protocol(cls, host: str) -> str:
-        if EnvironmentSettings.ENVIRONMENT == EnvironmentOption.PRODUCTION and not host.startswith("https://"):
-            raise ValueError(
-                f"In production, APP_FRONTEND_HOST must start with the https:// protocol. Received the host {host}."
-            )
-        return host
+    @model_validator(mode="after")
+    def validate_environment_settings(self) -> Self:
+        if self.ENVIRONMENT == EnvironmentOption.LOCAL:
+            pass
+        elif self.ENVIRONMENT == EnvironmentOption.STAGING:
+            if "*" in self.CORS_ORIGINS:
+                warnings.warn(
+                    "For security, in a staging environment CORS_ORIGINS should not include '*'. "
+                    "It's recommended to specify explicit origins (e.g., ['https://staging.example.com'])."
+                )
+        elif self.ENVIRONMENT == EnvironmentOption.PRODUCTION:
+            if "*" in self.CORS_ORIGINS:
+                raise ValueError(
+                    "For security, in a production environment CORS_ORIGINS cannot include '*'. "
+                    "You must specify explicit allowed origins (e.g., ['https://example.com', 'https://www.example.com'])."
+                )
+            if self.APP_FRONTEND_HOST and not self.APP_FRONTEND_HOST.startswith("https://"):
+                raise ValueError(
+                    "In production, APP_FRONTEND_HOST must start with the https:// protocol. "
+                    f"Received the host '{self.APP_FRONTEND_HOST}'."
+                )
+        return self
 
 
 settings = Settings()
