test

.env.example

@@ -0,0 +1,141 @@
+# =============================================================================
+# API Gateway Environment Configuration
+# =============================================================================
+# Copy this file to .env and fill in your actual values
+# Never commit the .env file to version control!
+
+# -----------------------------------------------------------------------------
+# Environment
+# -----------------------------------------------------------------------------
+# Options: "production" or "development"
+# Affects cookie security settings and database naming
+ENVIRONMENT=development
+
+# -----------------------------------------------------------------------------
+# Database
+# -----------------------------------------------------------------------------
+# Database name (filename will be {DB_NAME}_{ENVIRONMENT}.db)
+DB_NAME=apigateway
+
+# Reset database on startup (CAUTION: deletes all data)
+# RESET_DB=true
+
+# -----------------------------------------------------------------------------
+# CORS Configuration
+# -----------------------------------------------------------------------------
+# Comma-separated list of allowed origins for CORS (NO SPACES!)
+# IMPORTANT: Required for cookies to work with credentials
+# Production example: CORS_ORIGINS=https://app.yourdomain.com,https://www.yourdomain.com
+# Development example: CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+
+# -----------------------------------------------------------------------------
+# JWT Authentication
+# -----------------------------------------------------------------------------
+# Secret key for signing JWT tokens (REQUIRED)
+# Generate with: python -c "import secrets; print(secrets.token_urlsafe(64))"
+JWT_SECRET=your-secret-key-here-change-me
+
+# JWT algorithm for token signing
+JWT_ALGORITHM=HS256
+
+# Access token expiry in minutes (short-lived, for API requests)
+# Production: 5-15 minutes | Development: 30-60 minutes
+JWT_ACCESS_EXPIRY_MINUTES=15
+
+# Refresh token expiry in days (long-lived, for getting new access tokens)
+# Production: 7-14 days | Development: 30-90 days
+JWT_REFRESH_EXPIRY_DAYS=7
+
+# -----------------------------------------------------------------------------
+# Google OAuth
+# -----------------------------------------------------------------------------
+# Google OAuth Client ID for Google Sign-In
+# Get from: https://console.cloud.google.com/apis/credentials
+AUTH_SIGN_IN_GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
+
+# -----------------------------------------------------------------------------
+# Admin Configuration
+# -----------------------------------------------------------------------------
+# Comma-separated list of admin email addresses
+# Example: ADMIN_EMAILS=admin@example.com,boss@example.com
+ADMIN_EMAILS=
+
+# -----------------------------------------------------------------------------
+# Payment Integration (Razorpay)
+# -----------------------------------------------------------------------------
+# Razorpay API credentials
+# Get from: https://dashboard.razorpay.com/app/keys
+RAZORPAY_KEY_ID=your_razorpay_key_id
+RAZORPAY_KEY_SECRET=your_razorpay_key_secret
+
+# Razorpay webhook secret for verifying webhook signatures
+# Get from: https://dashboard.razorpay.com/app/webhooks
+RAZORPAY_WEBHOOK_SECRET=your_webhook_secret
+
+# -----------------------------------------------------------------------------
+# Google Drive Backup (Optional)
+# -----------------------------------------------------------------------------
+# Path to Google Drive service account credentials JSON file
+# Used for automatic database backups to Google Drive
+# GOOGLE_DRIVE_CREDENTIALS_PATH=/path/to/credentials.json
+
+# Google Drive folder ID where backups should be stored
+# GOOGLE_DRIVE_FOLDER_ID=your_folder_id
+
+# -----------------------------------------------------------------------------
+# Gemini AI API Keys
+# -----------------------------------------------------------------------------
+# Comma-separated list of Gemini API keys for video generation
+# Get from: https://makersuite.google.com/app/apikey
+# Example: GEMINI_API_KEYS=key1,key2,key3
+GEMINI_API_KEYS=your-gemini-api-key
+
+# Number of concurrent jobs per API key (rate limiting)
+JOB_PER_API_KEY=2
+
+# Enable mock mode for testing without consuming API credits
+# GEMINI_MOCK_MODE=true
+
+# -----------------------------------------------------------------------------
+# Email Configuration (Optional)
+# -----------------------------------------------------------------------------
+# SMTP settings for sending emails (contact form, notifications, etc.)
+# SMTP_HOST=smtp.gmail.com
+# SMTP_PORT=587
+# SMTP_USER=your-email@gmail.com
+# SMTP_PASSWORD=your-app-password
+# SMTP_FROM=noreply@yourdomain.com
+
+# -----------------------------------------------------------------------------
+# Logging
+# -----------------------------------------------------------------------------
+# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
+LOG_LEVEL=INFO
+
+# -----------------------------------------------------------------------------
+# Server Configuration
+# -----------------------------------------------------------------------------
+# Server host and port (for uvicorn)
+# HOST=0.0.0.0
+# PORT=8000
+
+# Number of worker processes
+# WORKERS=4
+
+# -----------------------------------------------------------------------------
+# Feature Flags (Optional)
+# -----------------------------------------------------------------------------
+# Enable/disable specific features
+# ENABLE_RATE_LIMITING=true
+# ENABLE_AUDIT_LOGGING=true
+# ENABLE_AUTO_BACKUP=true
+
+# =============================================================================
+# Notes
+# =============================================================================
+# 1. JWT_SECRET is REQUIRED - generate a secure one before deploying!
+# 2. In production, set ENVIRONMENT=production for proper cookie security
+# 3. CORS_ORIGINS must match your frontend domain exactly (including https://)
+# 4. Never commit your .env file - it contains sensitive credentials
+# 5. Keep your .env.example file updated as you add new variables

check_token_config.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# Quick Token Configuration Diagnostic
+
+echo "=========================================="
+echo " JWT Token Configuration Diagnostic"
+echo "=========================================="
+
+echo -e "\n1️⃣ Environment Variables:"
+echo "   JWT_ACCESS_EXPIRY_MINUTES: $(grep JWT_ACCESS_EXPIRY_MINUTES .env 2>/dev/null | cut -d'=' -f2 || echo 'NOT SET')"
+echo "   JWT_REFRESH_EXPIRY_DAYS: $(grep JWT_REFRESH_EXPIRY_DAYS .env 2>/dev/null | cut -d'=' -f2 || echo 'NOT SET')"
+
+echo -e "\n2️⃣ Server Status:"
+if pgrep -f "python app.py" > /dev/null; then
+    echo "   ✅ Server is running"
+    echo "   PID: $(pgrep -f 'python app.py')"
+    echo "   Started: $(ps -p $(pgrep -f 'python app.py') -o lstart= 2>/dev/null)"
+else
+    echo "   ❌ Server is NOT running"
+fi
+
+echo -e "\n3️⃣ File Modification Times:"
+echo "   .env modified: $(stat -c '%y' .env 2>/dev/null | cut -d'.' -f1 || echo 'Unknown')"
+
+echo -e "\n4️⃣ Recommendation:"
+if pgrep -f "python app.py" > /dev/null; then
+    SERVER_START=$(ps -p $(pgrep -f "python app.py") -o etimes= | tr -d ' ')
+    if [ -f .env ]; then
+        ENV_MOD=$(stat -c '%Y' .env)
+        SERVER_START_TIME=$(($(date +%s) - SERVER_START))
+        
+        if [ $ENV_MOD -gt $SERVER_START_TIME ]; then
+            echo "   ⚠️  .env was modified AFTER server started!"
+            echo "   ⚠️  Server is using OLD configuration!"
+            echo "   "
+            echo "   👉 ACTION REQUIRED: Restart the server"
+            echo "   "
+            echo "   Run these commands:"
+            echo "   pkill -f 'python app.py'"
+            echo "   python app.py"
+        else
+            echo "   ✅ Server has latest .env configuration"
+            echo "   "
+            echo "   💡 Token expiry IS working, but you may not see it because:"
+            echo "   - Frontend automatically refreshes tokens"
+            echo "   - Refresh happens silently every ~1 minute"
+            echo "   "
+            echo "   To verify, check browser DevTools → Network tab for /auth/refresh calls"
+        fi
+    fi
+else
+    echo "   👉 Start the server first: python app.py"
+fi
+
+echo -e "\n=========================================="

test_token_expiry.py

@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+"""
+Simple JWT Token Expiry Test - Direct approach
+"""
+import os
+import jwt
+import time
+from datetime import datetime, timedelta
+from dotenv import load_dotenv
+
+# Load environment variables
+load_dotenv()
+
+def test_token_expiry():
+    """Test JWT token creation and expiry"""
+    
+    print("=" * 70)
+    print("JWT Token Expiry Test")
+    print("=" * 70)
+    
+    # Get environment variables
+    access_expiry_minutes = int(os.getenv("JWT_ACCESS_EXPIRY_MINUTES", "15"))
+    jwt_secret = os.getenv("JWT_SECRET")
+    jwt_algorithm = os.getenv("JWT_ALGORITHM", "HS256")
+    
+    print(f"\n📋 Current Configuration:")
+    print(f"   JWT_ACCESS_EXPIRY_MINUTES: {access_expiry_minutes} minute(s)")
+    print(f"   JWT_ALGORITHM: {jwt_algorithm}")
+    print(f"   JWT_SECRET: {'✅ Set' if jwt_secret else '❌ NOT SET'}")
+    
+    if not jwt_secret:
+        print("\n❌ ERROR: JWT_SECRET not set!")
+        return
+    
+    # Create token manually
+    print(f"\n🔐 Creating test token...")
+    now = datetime.utcnow()
+    expires_at = now + timedelta(minutes=access_expiry_minutes)
+    
+    payload = {
+        "sub": "test_user_123",
+        "email": "test@example.com",
+        "type": "access",
+        "tv": 1,
+        "iat": now,
+        "exp": expires_at
+    }
+    
+    token = jwt.encode(payload, jwt_secret, algorithm=jwt_algorithm)
+    print(f"   ✅ Token created")
+    print(f"   Issued at:  {now}")
+    print(f"   Expires at: {expires_at}")
+    print(f"   Token lifetime: {access_expiry_minutes} minute(s)")
+    
+    # Verify token is valid now
+    print(f"\n✅ Verifying token immediately...")
+    try:
+        decoded = jwt.decode(token, jwt_secret, algorithms=[jwt_algorithm])
+        print(f"   ✅ Token is valid")
+        print(f"   User: {decoded['sub']}")
+        print(f"   Email: {decoded['email']}")
+    except jwt.ExpiredSignatureError:
+        print(f"   ❌ Token already expired (shouldn't happen!)")
+        return
+    except Exception as e:
+        print(f"   ❌ Error: {e}")
+        return
+    
+    # If very short expiry, wait and test
+    if access_expiry_minutes <= 5:
+        wait_seconds = (access_expiry_minutes * 60) + 5
+        print(f"\n⏳ Waiting {wait_seconds} seconds for token to expire...")
+        print(f"   Token should expire at: {expires_at}")
+        
+        for i in range(wait_seconds):
+            remaining = wait_seconds - i
+            if remaining % 10 == 0 or remaining <= 10:
+                print(f"   ⏱️  {remaining} seconds remaining...")
+            time.sleep(1)
+        
+        print(f"\n🔍 Testing token after {wait_seconds} seconds...")
+        print(f"   Current time: {datetime.utcnow()}")
+        
+        try:
+            decoded = jwt.decode(token, jwt_secret, algorithms=[jwt_algorithm])
+            print(f"   ❌ Token STILL VALID (This is a problem!)")
+            print(f"   This means the token didn't expire as expected")
+        except jwt.ExpiredSignatureError:
+            print(f"   ✅ Token EXPIRED (This is correct!)")
+            print(f"   Token expiry is working properly")
+        except Exception as e:
+            print(f"   ⚠️  Error: {e}")
+    else:
+        print(f"\n💡 Token expiry is set to {access_expiry_minutes} minutes")
+        print(f"   This is too long to wait in this test")
+        print(f"   To test expiry quickly:")
+        print(f"   1. Set JWT_ACCESS_EXPIRY_MINUTES=1 in .env")
+        print(f"   2. Restart the server")
+        print(f"   3. Run this test again")
+    
+    print("\n" + "=" * 70)
+    print("Test Complete!")
+    print("=" * 70)
+
+if __name__ == "__main__":
+    test_token_expiry()