# Security Configuration
import os
from datetime import timedelta

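def _env_flag(name, default=False):
    """Read a boolean switch from environment variable *name*.

    The usual truthy spellings ("1", "true", "yes", "on", any case,
    surrounding whitespace ignored) map to True; every other non-empty
    value maps to False; an unset variable yields *default*.  The name
    is lowercase on purpose so Flask's ``config.from_object`` (which
    copies only UPPERCASE attributes) does not pick it up as a setting.
    """
    raw = os.environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in ('1', 'true', 'yes', 'on')


# Flask-Limiter Configuration
# NOTE: the 'memory://' fallback keeps counters per process, so with several
# workers each one enforces its own budget; point REDIS_URL at shared storage
# wherever the limits must actually hold.
RATELIMIT_STORAGE_URI = os.environ.get('REDIS_URL', 'memory://')
RATELIMIT_DEFAULT = "200 per day"
RATELIMIT_ENABLED = True

# Signup specific rate limits
SIGNUP_RATE_LIMIT = "10 per hour"  # Reasonable limit to prevent spam but allow legitimate use
LOGIN_RATE_LIMIT = "10 per hour"  # Max 10 login attempts per hour per IP

# reCAPTCHA Configuration
RECAPTCHA_SITE_KEY = os.environ.get('RECAPTCHA_SITE_KEY', '')
RECAPTCHA_SECRET_KEY = os.environ.get('RECAPTCHA_SECRET_KEY', '')
# Enabled only when both keys are present; an empty string disables it.
RECAPTCHA_ENABLED = bool(RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY)

# Email Verification Configuration
EMAIL_VERIFICATION_REQUIRED = True
EMAIL_VERIFICATION_EXPIRY = timedelta(hours=24)  # Links expire after 24 hours

# CSRF Protection
WTF_CSRF_ENABLED = True
WTF_CSRF_TIME_LIMIT = None  # No time limit for CSRF tokens (valid as long as the session is)
# Referrer/origin strictness over HTTPS.  Off by default (matches the
# previous hard-coded False) so local HTTP development keeps working; set
# WTF_CSRF_SSL_STRICT=true in the production environment instead of editing
# this file.
WTF_CSRF_SSL_STRICT = _env_flag('WTF_CSRF_SSL_STRICT', default=False)

# Honeypot field name (should look legitimate to bots)
HONEYPOT_FIELD_NAME = 'website'  # Bots often fill all fields

# IP Blocking
# NOTE(review): per-IP counters are only meaningful if the app sees the real
# client address; behind a reverse proxy confirm the trusted-proxy setup.
MAX_FAILED_ATTEMPTS = 5  # Block IP after 5 failed attempts
BLOCK_DURATION = timedelta(hours=1)  # Block for 1 hour

# Password Requirements
MIN_PASSWORD_LENGTH = 8
REQUIRE_UPPERCASE = True
REQUIRE_LOWERCASE = True
REQUIRE_NUMBERS = True
REQUIRE_SPECIAL_CHARS = False  # Optional for now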