furt/furt-lua/config/server.lua
michael 901f5eb2d8 feat(auth): implement complete API-key authentication with modular architecture (#47)
- Add comprehensive API-key authentication system with X-API-Key header validation
- Implement permission-based access control (mail:send, * for admin)
- Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP)
- Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each)
- Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8)
- Implement Hugo integration with CORS support for localhost:1313
- Add production-ready configuration with environment variable support
- Create comprehensive testing suite (auth, rate-limiting, stress tests)
- Add production deployment checklist and cleanup scripts

This refactoring transforms the API gateway from a single-file monolith into a
biocodie-compliant modular architecture while adding enterprise-grade security
features. Performance testing shows 79 RPS concurrent throughput with <100ms
latency. Hugo contact form integration tested and working. System is now
production-ready for deployment to walter/aitvaras.

Resolves #47
2025-06-24 22:01:38 +02:00


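-- furt-lua/config/server.lua
-- Server configuration for Furt Lua HTTP-Server
--
-- Every secret and every deployment-specific value is read from the
-- environment with a development fallback, so the same file serves both
-- development and production. The fallback API keys are well-known strings
-- and must be overridden via the *_API_KEY variables before deployment.

--- Split a comma-separated environment value into a trimmed list.
-- Entries that are empty after trimming (e.g. "a, ,b") are dropped so a
-- stray comma can never register "" as an allowed value.
-- @tparam string value raw environment value
-- @treturn table sequence of non-empty, trimmed entries
local function split_list(value)
  local items = {}
  for entry in value:gmatch("([^,]+)") do
    local trimmed = entry:match("^%s*(.-)%s*$")
    if trimmed ~= "" then
      items[#items + 1] = trimmed
    end
  end
  return items
end

--- Resolve the allowed CORS origins.
-- CORS_ALLOWED_ORIGINS (comma-separated) takes precedence over the
-- development defaults. An empty variable yields an empty list, i.e. no
-- cross-origin access at all (fail closed rather than falling back to dev).
-- @treturn table sequence of origin strings
local function cors_origins()
  local env_origins = os.getenv("CORS_ALLOWED_ORIGINS")
  if env_origins then
    return split_list(env_origins)
  end
  -- Default development origins
  return {
    "http://localhost:1313", -- Hugo dev server
    "http://127.0.0.1:1313", -- Hugo dev server alternative
    "http://localhost:3000", -- Common dev port
    "http://127.0.0.1:3000" -- Common dev port alternative
  }
end

--- Build the api_keys map from an ordered list of credential definitions.
-- Each definition is { env = ENV_VAR, default = DEV_KEY, entry = {...} }.
-- The key string comes from the environment, falling back to the development
-- default. Two credentials resolving to the same string, or a key that is
-- empty, are rejected at load time: with a plain table constructor the later
-- entry would silently overwrite the earlier one, so e.g. setting
-- HUGO_API_KEY to the admin value would hand "*" permissions to the frontend.
-- @tparam table definitions ordered credential definitions
-- @treturn table map of key string -> credential entry
-- @raise on an empty key or two definitions sharing one key value
local function build_api_keys(definitions)
  local keys = {}
  for _, def in ipairs(definitions) do
    local key = os.getenv(def.env) or def.default
    if key == "" then
      error(string.format("%s must not be empty", def.env))
    end
    if keys[key] then
      error(string.format("%s resolves to the same value as the %q key",
        def.env, keys[key].name))
    end
    keys[key] = def.entry
  end
  return keys
end

return {
  -- HTTP Server settings
  host = "127.0.0.1",
  port = 8080,

  -- Timeouts (seconds)
  client_timeout = 10,

  -- CORS Configuration
  cors = {
    -- Default allowed origins for development
    -- Override in production with CORS_ALLOWED_ORIGINS environment variable
    allowed_origins = cors_origins()
  },

  -- Logging
  log_level = "info",
  log_requests = true,

  -- API-key authentication. Keys are looked up by the auth module (not shown
  -- here); each entry carries its permissions and the client IPs it may be
  -- used from. Every dev fallback below is a public placeholder.
  api_keys = build_api_keys({
    -- Hugo frontend API key (for website forms)
    {
      env = "HUGO_API_KEY",
      default = "hugo-dev-key-change-in-production",
      entry = {
        name = "Hugo Frontend",
        permissions = {"mail:send"},
        allowed_ips = {
          "127.0.0.1", -- Localhost
          "10.0.0.0/8", -- Private network
          "192.168.0.0/16", -- Private network
          "172.16.0.0/12" -- Private network
        }
      }
    },
    -- Admin API key (for testing and management)
    {
      env = "ADMIN_API_KEY",
      default = "admin-dev-key-change-in-production",
      entry = {
        name = "Admin Access",
        permissions = {"*"}, -- All permissions
        allowed_ips = {
          "127.0.0.1", -- Local only for admin
          "10.0.0.0/8" -- Internal network
        }
      }
    },
    -- Optional: monitoring API key (health checks only)
    {
      env = "MONITORING_API_KEY",
      default = "monitoring-dev-key",
      entry = {
        name = "Monitoring Service",
        permissions = {"monitoring:health"},
        allowed_ips = {
          "127.0.0.1",
          "10.0.0.0/8",
          "172.16.0.0/12"
        }
      }
    }
  }),

  -- Mail configuration (for SMTP integration)
  mail = {
    smtp_server = os.getenv("SMTP_HOST") or "mail.dragons-at-work.de",
    -- A non-numeric SMTP_PORT silently falls back to 465 (tonumber -> nil)
    smtp_port = tonumber(os.getenv("SMTP_PORT")) or 465,
    use_ssl = true,
    username = os.getenv("SMTP_USERNAME"), -- nil when unset
    password = os.getenv("SMTP_PASSWORD"), -- nil when unset
    from_address = os.getenv("SMTP_FROM") or "noreply@dragons-at-work.de",
    to_address = os.getenv("SMTP_TO") or "michael@dragons-at-work.de"
  }
}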