Security & Environment Standards
Authentication Model
The app uses passwordless magic-link authentication — no passwords, no flask-login, no WTForms. A time-limited token is emailed; clicking it creates an authenticated session.
```python
# app.py globals
magic_links = {}      # {token: {'email': str, 'expires': datetime}}
active_sessions = {}  # {email: session_id} — one session per user enforced
MAGIC_LINK_EXPIRY_MINUTES = 15

def send_magic_link_email(email, magic_token, base_url) -> bool:
    # Send link via SMTP; falls back to stdout in dev (no SMTP config).
    ...
```

The `@login_required` decorator (defined in `app.py`) checks `session['authenticated']` and `active_sessions`.
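The flow above keeps raw tokens in a process-global dict and says nothing about replay or expiry handling. The following is an added example, not the project's `app.py`: a self-contained store with the same two dicts, plus hardening that is assumed here rather than taken from the page (tokens kept only as SHA-256 digests, single use, e-mail normalisation, and a new login evicting the user's previous session). The `MagicLinkStore` class and its methods are illustrative names.

```python
# Added example (not the project's code): a hardened version of the magic-link
# store the page describes. Assumed hardening beyond the page: tokens are kept
# only as SHA-256 digests, are single-use, e-mail addresses are normalised, and
# a fresh login replaces the user's previous session (one session per user).
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAGIC_LINK_EXPIRY_MINUTES = 15


class MagicLinkStore:
    def __init__(self, expiry_minutes=MAGIC_LINK_EXPIRY_MINUTES):
        self.expiry = timedelta(minutes=expiry_minutes)
        self.magic_links = {}      # {sha256(token): {'email': str, 'expires': datetime}}
        self.active_sessions = {}  # {email: session_id}

    @staticmethod
    def _digest(token):
        # A leaked store then holds nothing an attacker can paste into a URL.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Mint a token for `email`; the raw token goes only into the e-mail."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.magic_links[self._digest(token)] = {
            'email': email.strip().lower(),
            'expires': now + self.expiry,
        }
        return token

    def redeem(self, token, now=None):
        """Exchange a token for (email, session_id); None if invalid, expired or used."""
        now = now or datetime.now(timezone.utc)
        # pop(): the token is consumed on first use, whatever the outcome.
        record = self.magic_links.pop(self._digest(token), None)
        if record is None or record['expires'] < now:
            return None
        session_id = secrets.token_urlsafe(32)
        self.active_sessions[record['email']] = session_id  # evicts an older session
        return record['email'], session_id

    def is_authenticated(self, email, session_id):
        """The check a login_required decorator would run against the session cookie."""
        current = self.active_sessions.get(email)
        return current is not None and hmac.compare_digest(current, session_id)

    def logout(self, email):
        self.active_sessions.pop(email, None)


if __name__ == '__main__':
    store = MagicLinkStore()
    token = store.issue('Alice@Example.com')
    print('token stored hashed:', token not in store.magic_links)
    email, sid = store.redeem(token)
    print('authenticated:', store.is_authenticated(email, sid))
    print('replay rejected:', store.redeem(token) is None)
```

In the real app the `session_id` returned by `redeem` would be written into Flask's signed session cookie next to the e-mail address, and `login_required` would compare the cookie's value against `active_sessions`. Both dicts are process-local, so they are lost on restart and are not shared between replicas; a deployment with more than one container needs a shared backend for them.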
Environment Variables
```bash
# .env (never commit — listed in .gitignore)

# Flask
FLASK_SECRET_KEY=<64-hex-chars>   # Required in production
FLASK_ENV=production              # Enables secure cookies

# Database
COSMOS_DB_CONNECTION_STRING=mongodb://...   # Full Cosmos DB connection string

# Email (SMTP)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your@gmail.com
SMTP_PASSWORD=app-specific-password
SMTP_FROM=your@gmail.com

# OCR (optional)
GOOGLE_VISION_API_KEY=...

# App limits
MAX_CONTENT_LENGTH=16777216   # 16 MB
UPLOAD_FOLDER=uploads
```
Session Security (actual app.py config)
```python
import os

app.config['SESSION_COOKIE_SECURE'] = os.getenv('FLASK_ENV') == 'production'  # cookie sent over HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True   # not readable from JavaScript
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'  # not sent on cross-site POSTs
app.config['PERMANENT_SESSION_LIFETIME'] = 86400 * 7  # 7 days
```
`FLASK_ENV` is read directly with `os.getenv`, so it must be present in the container environment; Flask itself no longer acts on that variable (it was deprecated in Flask 2.2 and removed in 2.3). The session cookie is signed with `FLASK_SECRET_KEY`, so rotating the key invalidates every existing session.
File Upload Security
```python
from werkzeug.utils import secure_filename

ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'pdf', 'docx', 'txt', 'csv', 'epub'}

def allowed_file(filename):
    # Allow-list on the last extension only; the file's content is not inspected here
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

# Always use werkzeug's secure_filename before building a path under UPLOAD_FOLDER
filename = secure_filename(file.filename)
```
`MAX_CONTENT_LENGTH` (16 MB, see the environment variables above) caps the request body; Flask rejects larger uploads with a 413 before any handler runs.
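An extension allow-list only checks the name the client chose. The following is an added example, not the project's upload handler: it combines the page's `allowed_file` rule with a magic-number check on the first bytes, a filename sanitiser (a minimal stand-in for werkzeug's `secure_filename`, so the block runs without Werkzeug installed), and a final check that the destination resolves under the upload folder. `UPLOAD_FOLDER`'s absolute path, `safe_upload_path` and the `MAGIC` table are assumptions; the table covers only the image, PDF and zip-container types, so `txt` and `csv` are not content-checked.

```python
# Added example (not the project's code): upload validation that goes beyond
# the extension check on the page. The sanitiser below is a minimal stand-in
# for werkzeug.utils.secure_filename; MAGIC covers image/PDF/zip types only.
import os
import re

ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'pdf', 'docx', 'txt', 'csv', 'epub'}
UPLOAD_FOLDER = '/srv/app/uploads'   # assumed deployment path

# Leading bytes a file with the given extension must start with (constructed table).
MAGIC = {
    'png': [b'\x89PNG\r\n\x1a\n'],
    'jpg': [b'\xff\xd8\xff'],
    'jpeg': [b'\xff\xd8\xff'],
    'gif': [b'GIF87a', b'GIF89a'],
    'pdf': [b'%PDF-'],
    'docx': [b'PK\x03\x04'],   # OOXML is a zip container, as is EPUB
    'epub': [b'PK\x03\x04'],
}


def extension_of(filename):
    return filename.rsplit('.', 1)[1].lower() if '.' in filename else ''


def allowed_file(filename):
    # Same rule as the page: allow-list on the last extension.
    return extension_of(filename) in ALLOWED_EXTENSIONS


def sanitize_filename(filename):
    """Stand-in for secure_filename: drop directories, keep [A-Za-z0-9._-] only."""
    name = os.path.basename(filename.replace('\\', '/'))
    return re.sub(r'[^A-Za-z0-9_.-]', '_', name).strip('._')


def content_matches_extension(head, ext):
    sigs = MAGIC.get(ext)
    return True if sigs is None else any(head.startswith(s) for s in sigs)


def safe_upload_path(filename, head):
    """Return the destination path for an upload, or None if it must be rejected."""
    if not allowed_file(filename):
        return None
    ext = extension_of(filename)
    if not content_matches_extension(head, ext):
        return None   # e.g. an HTML payload renamed to .png
    name = sanitize_filename(filename)
    if not name or extension_of(name) != ext:
        return None   # sanitising must not change what we validated
    root = os.path.realpath(UPLOAD_FOLDER)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return None   # defence in depth against traversal
    return dest


if __name__ == '__main__':
    png = b'\x89PNG\r\n\x1a\n' + b'\x00' * 8          # constructed PNG header
    print(safe_upload_path('../../etc/passwd.png', png))
    print(safe_upload_path('evil.png', b'<script>alert(1)</script>'))
```

The magic-number check is what stops a browser-renderable payload from being stored under an image extension; serving uploads with a fixed `Content-Type` and `X-Content-Type-Options: nosniff` is the complementary control on the download side.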
Regex Safety
User input used in a MongoDB `$regex` must be escaped; otherwise regex metacharacters in the input change the query (`.*` matches every document) and can introduce catastrophic-backtracking patterns (ReDoS):
```python
import re

pattern = re.escape(user_input)  # neutralises metacharacters: blocks injection and attacker-supplied ReDoS patterns
collection.find({'field': {'$regex': f'^{pattern}$'}})
```
For an exact match prefer plain equality (`{'field': user_input}`), which needs no escaping at all; reserve `$regex` for prefix or case-insensitive searches (`'$options': 'i'`).
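The vulnerable and the escaped query builders side by side, as an added example that is not the project's code. Python's `re` stands in for the MongoDB server's PCRE engine when evaluating the filters locally (assumption: the metacharacters involved behave identically in both); `DOCS` is a constructed document set and the function names are illustrative.

```python
# Added example (not the project's code): regex injection into $regex, with
# the escaped builders beside it. Python's re stands in for server-side PCRE.
import re

DOCS = [{'field': 'alice'}, {'field': 'bob'}, {'field': 'a.c'}, {'field': 'abc'}]  # constructed


def unsafe_exact_filter(user_input):
    """Interpolates raw input: '.*' matches every document, 'a.c' also matches 'abc'."""
    return {'field': {'$regex': f'^{user_input}$'}}


def safe_exact_filter(user_input):
    """Escapes metacharacters, so the input is matched literally."""
    return {'field': {'$regex': f'^{re.escape(user_input)}$'}}


def safe_prefix_filter(user_input):
    """Case-insensitive prefix search, the realistic reason to reach for $regex."""
    return {'field': {'$regex': f'^{re.escape(user_input)}', '$options': 'i'}}


def run_filter(query, docs):
    """Evaluate a {'field': {'$regex': ..., '$options': ...}} filter locally."""
    spec = query['field']
    flags = re.IGNORECASE if 'i' in spec.get('$options', '') else 0
    pattern = re.compile(spec['$regex'], flags)
    return [d['field'] for d in docs if pattern.search(d['field'])]


if __name__ == '__main__':
    print('unsafe .* ->', run_filter(unsafe_exact_filter('.*'), DOCS))
    print('safe   .* ->', run_filter(safe_exact_filter('.*'), DOCS))
    print('prefix  A ->', run_filter(safe_prefix_filter('A'), DOCS))
```

Escaping removes the attacker's ability to supply quantifiers, so nested-quantifier ReDoS patterns cannot arrive through `user_input`; any quantifiers in the surrounding pattern you write yourself still need the usual review.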
Secrets Management
- Never hardcode secrets in source files
- Use Azure Key Vault references for production environment variables
- `FLASK_SECRET_KEY` must be set explicitly in production; the app raises `ValueError` otherwise
- `users.json` (authorised email list) is gitignored in production deployments
Production Checklist
- `FLASK_ENV=production` (enables secure cookies)
- `FLASK_SECRET_KEY` set to 64+ hex chars
- SMTP credentials configured (magic-link delivery)
- Cosmos DB connection string from Key Vault
- `users.json` authorised users list deployed
- HTTPS enforced at load balancer / Azure Container App ingress
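The secrets rule that the app refuses to start without `FLASK_SECRET_KEY`, and the production checklist above, can be turned into one fail-fast startup check. The following is an added example, not the project's `app.py`: it takes the environment as a dict (so it runs without touching `os.environ` or the filesystem) and reports every checklist item that fails, raising `ValueError` as the page says the app does. The variable names are the ones from the `.env` template on this page; the TLS check on the Cosmos connection string and the function names are assumptions.

```python
# Added example (not the project's code): the production checklist as a
# fail-fast startup check. Variable names follow the .env template on the page;
# the TLS check on the connection string is an assumed extra.
import re

HEX_64_PLUS = re.compile(r'^[0-9a-fA-F]{64,}$')
REQUIRED_SMTP = ('SMTP_HOST', 'SMTP_PORT', 'SMTP_USER', 'SMTP_PASSWORD', 'SMTP_FROM')


def production_config_problems(env, users_json_present):
    """Return the checklist failures for a production deployment (empty list means OK)."""
    problems = []
    if env.get('FLASK_ENV') != 'production':
        problems.append('FLASK_ENV must be "production" so SESSION_COOKIE_SECURE is enabled')
    if not HEX_64_PLUS.match(env.get('FLASK_SECRET_KEY', '')):
        problems.append('FLASK_SECRET_KEY must be set to 64+ hex characters')
    missing = [name for name in REQUIRED_SMTP if not env.get(name)]
    if missing:
        problems.append('SMTP settings missing (magic-link delivery): ' + ', '.join(missing))
    conn = env.get('COSMOS_DB_CONNECTION_STRING', '')
    if not conn.startswith(('mongodb://', 'mongodb+srv://')):
        problems.append('COSMOS_DB_CONNECTION_STRING must be a mongodb:// or mongodb+srv:// URI')
    elif 'ssl=true' not in conn.lower() and 'tls=true' not in conn.lower():
        problems.append('COSMOS_DB_CONNECTION_STRING should require TLS (ssl=true)')  # assumed extra check
    if not users_json_present:
        problems.append('config/users.json (authorised email list) not deployed')
    return problems


def assert_production_ready(env, users_json_present):
    """Refuse to start rather than run misconfigured, as the app does for the secret key."""
    problems = production_config_problems(env, users_json_present)
    if problems:
        raise ValueError('Production configuration invalid:\n  - ' + '\n  - '.join(problems))


if __name__ == '__main__':
    import os
    assert_production_ready(dict(os.environ), os.path.exists('config/users.json'))
```

HTTPS enforcement is the one checklist item a process-level check cannot see, since it lives at the ingress; the cookie `Secure` flag set by `FLASK_ENV=production` is what protects the session if that layer is ever misconfigured.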
Source Files
- `app.py` — auth routes, `login_required` decorator, `send_magic_link_email()`
- `config/users.json` — authorised user email list
- `deploy-chuuk.sh` — production Azure deployment script