irdb/ui/config/settings.php

<?php

declare(strict_types=1);

use Monolog\Level;

$appEnv = getenv('APP_ENV') ?: 'production';

if ($appEnv === 'development' && file_exists(__DIR__ . '/../.env')) {
    $dotenv = Dotenv\Dotenv::createImmutable(__DIR__ . '/..');
    $dotenv->safeLoad();
}

$logLevelName = strtoupper((string) (getenv('LOG_LEVEL') ?: 'info'));
$logLevel = match ($logLevelName) {
    'DEBUG' => Level::Debug,
    'NOTICE' => Level::Notice,
    'WARNING' => Level::Warning,
    'ERROR' => Level::Error,
    'CRITICAL' => Level::Critical,
    'ALERT' => Level::Alert,
    'EMERGENCY' => Level::Emergency,
    default => Level::Info,
};

$truthy = static fn (string $env, bool $default = false): bool => match (strtolower((string) (getenv($env) ?: ''))) {
    'true', '1', 'yes', 'on' => true,
    'false', '0', 'no', 'off' => false,
    '' => $default,
    default => $default,
};

return [
    'app_env' => $appEnv,
    'log_level' => $logLevel,
    'public_url' => getenv('PUBLIC_URL') ?: 'http://localhost:8080',
    'ui_secret' => getenv('UI_SECRET') ?: '',

    // BFF — talking to the api
    'api_base_url' => getenv('API_BASE_URL') ?: '',
    'ui_service_token' => getenv('UI_SERVICE_TOKEN') ?: '',
    'api_timeout_seconds' => (float) (getenv('API_TIMEOUT_SECONDS') ?: 5),

    // OIDC — Microsoft Entra ID by default
    'oidc_enabled' => $truthy('OIDC_ENABLED', true),
    'oidc_issuer' => getenv('OIDC_ISSUER') ?: '',
    'oidc_client_id' => getenv('OIDC_CLIENT_ID') ?: '',
    'oidc_client_secret' => getenv('OIDC_CLIENT_SECRET') ?: '',
    'oidc_redirect_uri' => getenv('OIDC_REDIRECT_URI') ?: '',

    // Local admin (UI-side credentials only)
    'local_admin_enabled' => $truthy('LOCAL_ADMIN_ENABLED', true),
    'local_admin_username' => getenv('LOCAL_ADMIN_USERNAME') ?: 'admin',
    'local_admin_password_hash' => getenv('LOCAL_ADMIN_PASSWORD_HASH') ?: '',

    // Session: 8h inactivity, 24h absolute
    'session_idle_seconds' => (int) (getenv('SESSION_IDLE_SECONDS') ?: 28800),
    'session_absolute_seconds' => (int) (getenv('SESSION_ABSOLUTE_SECONDS') ?: 86400),

    // SEC_REVIEW F36: how often the AuthRequired middleware re-checks the
    // current user's role / disabled state against `GET /api/v1/admin/me`.
    // Lower = faster propagation of group/role changes from Entra and
    // explicit disable actions in the api; higher = fewer api calls per
    // active user. Default 5 minutes.
    'session_revalidate_seconds' => (int) (getenv('UI_SESSION_REVALIDATE_SECONDS') ?: 300),

    // Local-admin login throttle: file-backed JSON store on the container's
    // writable layer. Persists across FrankenPHP worker recycles and is
    // shared between workers; cleared by container restart (operator unlock
    // path). Override only if /tmp is unsuitable for the deployment.
    'login_throttle_path' => getenv('LOGIN_THROTTLE_PATH') ?: (sys_get_temp_dir() . '/irdb_login_throttle.json'),

    // GeoIP — only the provider name. The UI uses it to pick the right
    // attribution string for the IP-detail enrichment panel. The api
    // owns the actual provider config; this is a display-only mirror.
    'geoip_provider' => strtolower((string) (getenv('GEOIP_PROVIDER') ?: 'dbip')),

    // Optional BCP 47 locale hint (e.g. "de-CH", "en-GB"). Browser locale
    // wins; this is appended as a fallback when the browser's locale is
    // unavailable or unsupported. Empty = browser-only.
    'ui_locale' => trim((string) (getenv('UI_LOCALE') ?: '')),
];