# Backend Environment Configuration

## Production Deployment Requirements

For production deployment at `https://ai-sandbox.oliver.solutions/brief-extractor-back`, your backend `.env` file **must** have:

### Required Settings

```bash
# CRITICAL: Set to false for production!
DEV_MODE=false

# MSAL Authentication (Azure AD) - PKCE Flow (Public Client)
MSAL_CLIENT_ID=your-azure-ad-client-id
MSAL_CLIENT_SECRET=placeholder-client-secret  # Not used for the PKCE flow; never put a real secret in version control
MSAL_TENANT_ID=your-azure-ad-tenant-id
MSAL_REDIRECT_URI=https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback
MSAL_AUTHORITY=https://login.microsoftonline.com/your-azure-ad-tenant-id

# Server Configuration
SERVER_HOST=0.0.0.0   # binds every interface; make sure port 8000 is not reachable directly from the internet
SERVER_PORT=8000
SERVER_WORKERS=2

# CORS - Allow frontend domain (exact origin: scheme + host, no wildcard, no trailing slash)
ALLOWED_ORIGINS=https://ai-sandbox.oliver.solutions

# Security
SESSION_SECRET=your-random-session-secret-here  # replace with a long value from a CSPRNG, unique per deployment
SECURE_COOKIES=true
HTTPS_ONLY=true

# Job Processing
MAX_CONCURRENT_JOBS=2
FILE_RETENTION_HOURS=24

# Upload Limits
MAX_UPLOAD_SIZE_MB=200
```

## Current Issue

Your backend is returning `devMode: true` because:

1. **Line 23 in `server/config_runtime.py`** defaults `DEV_MODE` to `'true'`, so a missing variable silently puts the server into development mode. This is a fail-open default: it should be flipped to `'false'` so that an incomplete `.env` leaves you in production mode rather than with authentication relaxed.
2. Your backend `.env` file either:
   - Doesn't have `DEV_MODE=false`
   - Or has `DEV_MODE=true`

## Fix Steps

1. **Locate backend `.env` file** (should be in `/server/.env` or project root)
2. **Add or update this line:**
   ```bash
   DEV_MODE=false
   ```
3. **Verify MSAL settings are configured:**
   - Get these from Azure Portal → Azure AD → App Registrations
   - `MSAL_CLIENT_ID`: Application (client) ID
   - `MSAL_TENANT_ID`: Directory (tenant) ID
   - `MSAL_CLIENT_SECRET`: not used by the PKCE (public client) flow; leave the placeholder unless the backend itself exchanges codes or calls Graph as a confidential client, in which case create one under "Certificates & secrets"
4. **Update redirect URI:**
   ```bash
   MSAL_REDIRECT_URI=https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback
   ```
   Also add this redirect URI in Azure Portal:
   - Go to your App Registration
   - Authentication → Platform configurations → Add a platform
   - Select "Single-page application"
   - Add URL: `https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback`
5. **Restart backend server** for changes to take effect

## Verification

After restarting, visit:

```
https://ai-sandbox.oliver.solutions/brief-extractor-back/api/auth/config
```

Should return:

```json
{
  "config": {
    "clientId": "your-actual-client-id",
    "authority": "https://login.microsoftonline.com/your-tenant-id",
    "redirectUri": "https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback",
    "devMode": false
  },
  "devMode": false
}
```

If `devMode: true`, the backend `.env` file needs `DEV_MODE=false`. If `clientId` still shows a placeholder, the MSAL settings were not picked up. The response must only ever contain the public PKCE values shown above; if `MSAL_CLIENT_SECRET` or `SESSION_SECRET` appears in it, the endpoint is leaking server-side secrets and that has to be fixed before anything else.

## Azure AD App Registration Configuration

### Required API Permissions

- Microsoft Graph → User.Read (delegated)

### Supported Account Types

- Accounts in this organizational directory only (Single tenant)
- Or: Accounts in any organizational directory (Multi-tenant). Prefer single tenant unless other organizations genuinely need access: with multi-tenant, users from any Azure AD tenant can sign in unless the backend also checks the tenant claim on the token.

### Authentication Platform

- Platform: Single-page application
- Redirect URI: `https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback`
- Implicit grant (Access tokens / ID tokens): leave both unchecked. The Single-page application platform uses the authorization code flow with PKCE, which is why no client secret is needed; enabling the implicit flow only widens the attack surface.

### Certificates & Secrets

- Only needed if the backend acts as a confidential client (see step 3 above); the PKCE flow does not use a secret
- If you do create one: copy the value immediately (can't view again), set it as `MSAL_CLIENT_SECRET` in `.env`, keep it out of version control, and record its expiry date

## Troubleshooting

### Login redirects but fails

- Check redirect URI matches exactly (scheme, host, path, trailing slash) in both:
  - Backend `.env` → `MSAL_REDIRECT_URI`
  - Azure Portal → App Registration → Authentication (registered under the Single-page application platform, not Web)

### "Invalid client" error

- Verify `MSAL_CLIENT_ID` matches Azure Portal App Registration ID
- Verify `MSAL_TENANT_ID` and `MSAL_AUTHORITY` point at the tenant that owns the registration
- If the backend uses a secret, check `MSAL_CLIENT_SECRET` is correct and not expired

### CSP errors in console

- These come from Microsoft's auth pages (Report-Only mode)
- They won't block authentication, just warnings

### Still shows "Development Mode"

- Backend `.env` has `DEV_MODE=true` or missing `DEV_MODE=false`
- Backend server not restarted after `.env` change
- Wrong `.env` file being loaded (check file location)
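As an added illustration (not the project's `server/config_runtime.py`, which is not shown on this page), the following Python loader demonstrates the fail-closed behaviour the Current Issue and Fix Steps sections call for, plus the Verification response built from public values only: a missing `DEV_MODE` means production, a malformed boolean is rejected instead of guessed, placeholder or non-GUID MSAL values, a non-https redirect URI, wildcard or http CORS origins, disabled cookie hardening and a weak `SESSION_SECRET` all stop the server before it starts. The GUID check, the `your-` placeholder test, the 32-character `SESSION_SECRET` minimum and the sample environment are assumptions of this example, not requirements stated by the project.

```python
"""Fail-closed auth settings loader (example code, not the project's own).

Reads the same variable names as the .env above. Assumptions of this example:
client/tenant IDs are validated as GUIDs, values starting with "your-" are
treated as unfilled placeholders, and SESSION_SECRET must be >= 32 characters.
"""
import os
import uuid
from dataclasses import dataclass
from typing import Mapping

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


class ConfigError(ValueError):
    """Raised when the environment cannot safely run in production."""


def parse_bool(name: str, env: Mapping[str, str], default: bool) -> bool:
    """Strict boolean parse: an unknown word (e.g. DEV_MODE=flase) is an error,
    never silently coerced to one mode or the other."""
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ConfigError(f"{name}={raw!r} is not a boolean")


def _is_guid(value: str) -> bool:
    """Azure app registration and tenant IDs are GUIDs (assumed check)."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class AuthSettings:
    dev_mode: bool
    client_id: str
    authority: str
    redirect_uri: str
    allowed_origins: tuple
    secure_cookies: bool
    https_only: bool


def load_auth_settings(env: Mapping[str, str] = os.environ) -> AuthSettings:
    # Missing DEV_MODE means production: the opposite of the fail-open 'true' default.
    dev_mode = parse_bool("DEV_MODE", env, default=False)
    client_id = env.get("MSAL_CLIENT_ID", "").strip()
    tenant_id = env.get("MSAL_TENANT_ID", "").strip()
    authority = env.get("MSAL_AUTHORITY", "").strip() or (
        f"https://login.microsoftonline.com/{tenant_id}" if tenant_id else ""
    )
    redirect_uri = env.get("MSAL_REDIRECT_URI", "").strip()
    allowed_origins = tuple(
        o.strip() for o in env.get("ALLOWED_ORIGINS", "").split(",") if o.strip()
    )
    secure_cookies = parse_bool("SECURE_COOKIES", env, default=True)
    https_only = parse_bool("HTTPS_ONLY", env, default=True)
    session_secret = env.get("SESSION_SECRET", "")

    if not dev_mode:
        problems = []
        if not _is_guid(client_id):
            problems.append("MSAL_CLIENT_ID is not an Application (client) ID GUID")
        if not _is_guid(tenant_id):
            problems.append("MSAL_TENANT_ID is not a Directory (tenant) ID GUID")
        if not authority.startswith("https://login.microsoftonline.com/"):
            problems.append("MSAL_AUTHORITY must be an https login.microsoftonline.com URL")
        if not redirect_uri.startswith("https://"):
            problems.append("MSAL_REDIRECT_URI must be https")
        if not allowed_origins or any(o == "*" or o.startswith("http://") for o in allowed_origins):
            problems.append("ALLOWED_ORIGINS must list explicit https origins")
        if not (secure_cookies and https_only):
            problems.append("SECURE_COOKIES and HTTPS_ONLY must both be true")
        if len(session_secret) < 32 or session_secret.startswith("your-"):
            problems.append("SESSION_SECRET is missing, too short, or still the placeholder")
        if problems:
            raise ConfigError("refusing to start in production: " + "; ".join(problems))

    return AuthSettings(dev_mode, client_id, authority, redirect_uri,
                        allowed_origins, secure_cookies, https_only)


def auth_config_response(settings: AuthSettings) -> dict:
    """Body for GET /api/auth/config: public PKCE values only.
    MSAL_CLIENT_SECRET and SESSION_SECRET are never read by this function."""
    config = {
        "clientId": settings.client_id,
        "authority": settings.authority,
        "redirectUri": settings.redirect_uri,
        "devMode": settings.dev_mode,
    }
    return {"config": config, "devMode": settings.dev_mode}
```

With this loader, the "Still shows Development Mode" symptom in the troubleshooting list can no longer be caused by a missing variable, and a `.env` that still carries the `your-…` placeholders is refused at startup rather than discovered later through the verification URL.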