# Backend settings
DATABASE_URL=sqlite:///./data/librislog.db
GOOGLE_BOOKS_API_KEY=        # optional — see https://codebude.github.io/librislog/guide/api-keys
CORS_ORIGINS=["http://localhost", "http://localhost:5173"]
LOG_LEVEL=INFO               # DEBUG | INFO | WARNING | ERROR | CRITICAL
COVERS_DIR=./data/covers     # Directory where downloaded cover images are stored locally.
# Generate a real secret:  openssl rand -base64 32
API_KEY_ENCRYPTION_KEY=CHANGE_ME_TO_32PLUS_CHARS  # <-- YOU MUST CHANGE THIS
AUTH_COOKIE_NAME=librislog_session
AUTH_COOKIE_SECURE=false        # set true in production (HTTPS)
AUTH_COOKIE_SAMESITE=lax        # lax | strict | none
AUTH_COOKIE_DOMAIN=             # optional, e.g. app.example.com

# Optional OIDC settings (leave OIDC_ENABLED=false to disable)
OIDC_ENABLED=false
OIDC_PROVIDER_ID=oidc
OIDC_PROVIDER_NAME=Single Sign-On
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_WELL_KNOWN_URL=
OIDC_SCOPE="openid email profile"

# Dashboard quote settings
DASHBOARD_QUOTE_ENABLED=true
DASHBOARD_QUOTE_URL="https://motivational-spark-api.vercel.app/api/quotes/random"
DASHBOARD_QUOTE_CACHE_TTL=86400  # in seconds; default 24h

# Frontend settings (build-time)
PUBLIC_DEFAULT_LOCALE=en     # UI default locale: en | de

# Cover scraper settings
THALIA_COVER_SEARCH_ENABLED=false  # For research only. Do not use in production without understanding the legal implications of scraping.

# TLS / reverse proxy settings
# Forwarded headers are trusted only from matching IPs. "*" trusts all proxies.
FORWARDED_ALLOW_IPS=*