# Production Environment Configuration for elderly_care_system
# 
# SECURITY WARNING: This file contains sensitive configuration values.
# - Never commit this file to version control
# - Ensure proper file permissions (chmod 600)
# - Keep backups in a secure location
# - Rotate secrets regularly

# =============================================================================
# APPLICATION SETTINGS
# =============================================================================

# Human-readable application name (Thai: "Elderly Care System")
APP_NAME=ระบบดูแลผู้สูงอายุ
# IANA timezone used by the application (Asia/Bangkok = UTC+7)
APP_TZ=Asia/Bangkok
# Must remain false in production (see SECURITY CHECKLIST at the end of this file)
APP_DEBUG=false
APP_ENV=production

# URLs - MUST BE UPDATED FOR YOUR PRODUCTION ENVIRONMENT
# NOTE(review): the two values below already point at a live host
# (claoffice.shop) rather than example.com; replace them only if this
# subsystem is deployed under a different domain. Both MUST use HTTPS.
# BASE_URL: public base URL of this subsystem (path ends in /public,
# presumably the web-served document root - confirm against the web server)
# CENTRAL_SYSTEM_URL: base URL of the Central System this subsystem
# authenticates against via SSO (CENTRAL_LOGIN below lives under it)
BASE_URL=https://claoffice.shop/user-permission-system/elderly_care_system/public
CENTRAL_SYSTEM_URL=https://claoffice.shop/user-permission-system

# =============================================================================
# DATABASE CONFIGURATION
# =============================================================================

# Database server hostname or IP address
# NOTE(review): this is a public (non-RFC1918) address, so the database
# listener is reachable from outside the network unless it is firewalled.
# Restrict inbound access on the DB host to this application's egress IP
# and use a TLS-protected connection if the driver/server support it.
DB_HOST=118.27.130.233

# Database server port (3306 is the MySQL/MariaDB default)
DB_PORT=3306

# Database username - CHANGE THIS
# Use a dedicated account granted only what this application needs on
# DB_NAME (see DEPLOYMENT NOTES, step 5)
DB_USER=zkwdpszw_outsource

# Database password - CHANGE THIS TO A STRONG PASSWORD
# Generate with: openssl rand -base64 32
# NOTE(review): the value below is a short, dictionary-style password, not
# the random string the command above produces. Rotate it before go-live
# and treat the current value as exposed wherever this file has been copied.
DB_PASS=@Claroot2025

# Database name
DB_NAME=zkwdpszw_elderly_care_system

# Database character set
# utf8mb4 is full 4-byte UTF-8; MySQL's legacy "utf8" is 3-byte only and
# rejects characters such as emoji
DB_CHARSET=utf8mb4

# =============================================================================
# SSO CONFIGURATION (CRITICAL SECURITY SETTINGS)
# =============================================================================

# SSO_SECRET: Shared secret key for JWT signature verification
# This MUST match the SSO_SECRET in the Central System
# 
# SECURITY REQUIREMENTS:
# - Minimum 64 characters (recommended)
# - Use cryptographically secure random string
# - Never reuse secrets across environments
# - Rotate regularly (every 90 days recommended)
#
# Generate a strong secret with one of these commands:
#   openssl rand -base64 64
#   php -r "echo bin2hex(random_bytes(32));"
#   node -e "console.log(require('crypto').randomBytes(64).toString('base64'))"
#
# CHANGE THIS IMMEDIATELY:
# NOTE(review): the value below is 38 characters - short of the 64-character
# minimum stated above - and looks hand-composed rather than random. Treat it
# as a placeholder and replace it (together with the Central System copy)
# before production use.
# NOTE(review): the value contains a bare "$". Some dotenv loaders expand
# "$NAME" / "${NAME}" references in unquoted values, which would silently
# alter the secret on this side and break JWT verification. Confirm the
# loader's interpolation rules, or single-quote the value if the loader
# treats single-quoted values literally.
SSO_SECRET=Th!sIsMy$up3r_S3cr3t_K3y_f0r_SSO_2025!

# CENTRAL_LOGIN: URL to the Central System login page
# Users will be redirected here when they need to authenticate
# MUST use HTTPS in production
CENTRAL_LOGIN=https://claoffice.shop/user-permission-system/login.php

# SUBSYSTEM_HOME_URL: The home URL of this subsystem after successful SSO login
# This is used as the return URL and for JWT audience validation
# MUST use HTTPS in production
# MUST match the URL registered in the Central System
# NOTE(review): audience validation is presumably an exact string comparison,
# so scheme, host, path and presence/absence of a trailing slash must all be
# identical to the registered value - confirm against the Central System.
SUBSYSTEM_HOME_URL=https://claoffice.shop/user-permission-system/elderly_care_system

# =============================================================================
# SSO PERMISSION FILTERING
# =============================================================================

# SSO_PERM_ALLOW: Comma-separated list of permission prefixes to allow
# Only permissions starting with these prefixes will be synced from Central System
# This whitelist ensures only relevant permissions are granted to users
# Matching is by string prefix, so "elderly." covers "elderly.view",
# "elderly.edit", etc. Hyphen and underscore variants (care-plans./care_plans.,
# vital-signs./vital_signs.) are both listed, presumably to cover either
# naming style used by the Central System.
SSO_PERM_ALLOW=dashboard.,elderly.,patients.,reports.,calendar.,geriatric.,vaccinations.,medications.,caregivers.,appointments.,care-plans.,care_plans.,chronic.,problems.,referrals.,health_records.,vital-signs.,vital_signs.

# SSO_PERM_DENY: Comma-separated list of permission prefixes to deny
# Permissions starting with these prefixes will NOT be synced
# Use this to block sensitive permissions even if they match SSO_PERM_ALLOW
# Example: admin.,system.,config.,users.,roles.
# Keep administrative prefixes here: the deny list is the backstop if the
# allow list is ever widened.
SSO_PERM_DENY=admin.,system.,config.,users.,roles.,permissions.

# =============================================================================
# SECURITY SETTINGS
# =============================================================================

# API Rate Limiting (requests per minute per IP)
API_RATE_LIMIT_PER_MINUTE=60

# Activity Log Retention (days)
ACTIVITY_LOG_RETENTION_DAYS=90

# Session Configuration
# Session lifetime in seconds (86400 = 24 hours)
SESSION_LIFETIME=86400
# Secure + HttpOnly: cookie sent only over HTTPS and not readable by script
SESSION_SECURE=true
SESSION_HTTPONLY=true
# NOTE(review): Strict works here because CENTRAL_LOGIN and this subsystem
# share the same site (claoffice.shop). If the Central System ever moves to
# a different registrable domain, the session cookie would not be sent on
# the post-login redirect back from it; Lax would then be needed.
SESSION_SAMESITE=Strict

# Remember Token Lifetime (30 days in seconds)
REMEMBER_TOKEN_LIFETIME=2592000

# =============================================================================
# HTTPS ENFORCEMENT
# =============================================================================

# Force HTTPS redirects (set to true in production)
FORCE_HTTPS=true

# HSTS (HTTP Strict Transport Security) max age in seconds (1 year)
# Browsers remember this for the full period, so enable it only once the
# host is reliably served over HTTPS with a valid certificate (checklist
# below); the header is only honoured when received over HTTPS.
HSTS_MAX_AGE=31536000

# =============================================================================
# LOGGING AND MONITORING
# =============================================================================

# Log Level: debug, info, warning, error, critical
LOG_LEVEL=warning

# Log File Path (relative to application root)
# NOTE(review): all four log paths below are relative to the application
# root, not to the web-served directory (BASE_URL ends in /public). Make
# sure logs/ stays outside that directory and is not client-readable -
# see "Log files are not publicly accessible" in the SECURITY CHECKLIST.
LOG_PATH=logs/app.log

# Error Log Path
ERROR_LOG_PATH=logs/error.log

# SSO Log Path (optional, for SSO-specific events)
# If SSO events are logged with token contents or claims, this file is as
# sensitive as the session data itself; include it in rotation and access
# restrictions - confirm what the SSO code actually writes here.
SSO_LOG_PATH=logs/sso.log

# Activity Log Path
ACTIVITY_LOG_PATH=logs/activity.log

# Enable detailed error logging (false in production for security)
DETAILED_ERRORS=false

# =============================================================================
# PERFORMANCE OPTIMIZATION
# =============================================================================

# Enable OPcache (recommended for production)
OPCACHE_ENABLED=true

# Session Storage Driver: file, redis, memcached
SESSION_DRIVER=file

# Cache Driver: file, redis, memcached
CACHE_DRIVER=file

# Redis Configuration (if using Redis for sessions/cache)
# Currently disabled (lines commented out) because both drivers above are
# "file". If you enable Redis for sessions, session data moves to Redis, so
# set a non-empty REDIS_PASSWORD and bind Redis to a non-public interface
# before switching the driver; an empty password leaves it unauthenticated.
# REDIS_HOST=127.0.0.1
# REDIS_PORT=6379
# REDIS_PASSWORD=
# REDIS_DATABASE=0

# =============================================================================
# DEPLOYMENT NOTES
# =============================================================================
#
# BEFORE DEPLOYING TO PRODUCTION:
#
# 1. Update all URLs to use your production domain with HTTPS
# 2. Generate a strong SSO_SECRET (minimum 64 characters)
# 3. Ensure SSO_SECRET matches the Central System exactly
# 4. Set a strong database password
# 5. Create a dedicated database user with minimal privileges
# 6. Set file permissions: chmod 600 .env.production
# 7. Verify HTTPS is properly configured with valid SSL certificate
# 8. Test SSO login flow end-to-end
# 9. Verify permission sync works correctly
# 10. Check all logs are being written properly
# 11. Set up log rotation (logrotate)
# 12. Configure monitoring and alerting
# 13. Create database backups
# 14. Document the deployment in your runbook
#
# SECURITY CHECKLIST:
#
# [ ] SSO_SECRET is strong and unique (64+ characters)
# [ ] SSO_SECRET matches Central System
# [ ] All URLs use HTTPS
# [ ] Database password is strong
# [ ] File permissions are restrictive (600)
# [ ] APP_DEBUG is set to false
# [ ] DETAILED_ERRORS is set to false
# [ ] FORCE_HTTPS is set to true
# [ ] Session cookies are secure (SESSION_SECURE=true)
# [ ] Log files are not publicly accessible
# [ ] Database user has minimal required privileges
# [ ] SSL certificate is valid and not expired
# [ ] Firewall rules are properly configured
# [ ] Regular security updates are scheduled
#
# =============================================================================
