brief-extractor/backend/server/ENV_EXAMPLE.md
2026-03-06 18:42:46 +00:00


# Backend Environment Configuration

## Production Deployment Requirements

For production deployment at `https://ai-sandbox.oliver.solutions/brief-extractor-back`, your backend `.env` file **must** have:

### Required Settings

```bash
# CRITICAL: Set to false for production!
DEV_MODE=false

# MSAL Authentication (Azure AD) - PKCE Flow (Public Client)
MSAL_CLIENT_ID=your-azure-ad-client-id
MSAL_CLIENT_SECRET=placeholder-client-secret # Not used for PKCE flow
MSAL_TENANT_ID=your-azure-ad-tenant-id
MSAL_REDIRECT_URI=https://ai-sandbox.oliver.solutions/brief-extractor/
MSAL_AUTHORITY=https://login.microsoftonline.com/your-azure-ad-tenant-id

# Server Configuration
SERVER_HOST=0.0.0.0
SERVER_PORT=8000
SERVER_WORKERS=2

# CORS - Allow frontend domain
ALLOWED_ORIGINS=https://ai-sandbox.oliver.solutions

# Security
SESSION_SECRET=your-random-session-secret-here
SECURE_COOKIES=true
HTTPS_ONLY=true

# Job Processing
MAX_CONCURRENT_JOBS=2
FILE_RETENTION_HOURS=24

# Upload Limits
MAX_UPLOAD_SIZE_MB=200
```

## Current Issue

Your backend is returning `devMode: true` because:

1. **Line 23 in `server/config_runtime.py`** defaults `DEV_MODE` to `'true'`
2. Your backend `.env` file either:
   - Doesn't have `DEV_MODE=false`
   - Or has `DEV_MODE=true`

## Fix Steps

1. **Locate backend `.env` file** (should be in `/server/.env` or project root)

2. **Add or update this line:**

   ```bash
   DEV_MODE=false
   ```

3. **Verify MSAL settings are configured:**
   - Get these from Azure Portal → Azure AD → App Registrations
   - `MSAL_CLIENT_ID`: Application (client) ID
   - `MSAL_TENANT_ID`: Directory (tenant) ID
   - `MSAL_CLIENT_SECRET`: Create in "Certificates & secrets"

4. **Update redirect URI:**

   ```bash
   MSAL_REDIRECT_URI=https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback
   ```

   Also add this redirect URI in Azure Portal:
   - Go to your App Registration
   - Authentication → Platform configurations → Add a platform
   - Select "Single-page application"
   - Add URL: `https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback`

5. **Restart backend server** for changes to take effect
## Verification

After restarting, visit:

```
https://ai-sandbox.oliver.solutions/brief-extractor-back/api/auth/config
```

Should return:

```json
{
  "config": {
    "clientId": "your-actual-client-id",
    "authority": "https://login.microsoftonline.com/your-tenant-id",
    "redirectUri": "https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback",
    "devMode": false
  },
  "devMode": false
}
```

If `devMode: true`, the backend `.env` file needs `DEV_MODE=false`.
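The root cause above is a fail-open default: a missing `DEV_MODE` is read as `'true'`. The following added example (written for this document, not the project's `config_runtime.py`; `parse_bool`, `load_auth_config` and `PLACEHOLDER_MARKERS` are hypothetical names) shows the inverse policy: a missing `DEV_MODE` means production, and a production config that still carries the example's placeholder values, a non-HTTPS redirect URI, or `SECURE_COOKIES`/`HTTPS_ONLY` unset is refused at startup instead of being served from `/api/auth/config`.

```python
from typing import Mapping, Optional

# Substrings that mark a value copied verbatim from the example .env above
PLACEHOLDER_MARKERS = ("your-", "placeholder")


def parse_bool(raw: Optional[str], default: bool = False) -> bool:
    """Env-style boolean; anything unrecognised falls back to `default`."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in {"1", "true", "yes", "on"}:
        return True
    if value in {"0", "false", "no", "off"}:
        return False
    return default


def load_auth_config(env: Mapping[str, str]) -> dict:
    """Return the /api/auth/config payload, refusing unsafe production settings.

    Unlike the defect described above, a missing DEV_MODE means production
    (fail closed), and production with placeholder values raises at startup.
    """
    dev_mode = parse_bool(env.get("DEV_MODE"), default=False)
    tenant = env.get("MSAL_TENANT_ID", "")
    config = {
        "clientId": env.get("MSAL_CLIENT_ID", ""),
        "authority": env.get("MSAL_AUTHORITY", f"https://login.microsoftonline.com/{tenant}"),
        "redirectUri": env.get("MSAL_REDIRECT_URI", ""),
        "devMode": dev_mode,
    }
    if dev_mode:
        return {"config": config, "devMode": True}  # local dev: checks do not apply
    problems = []
    for key in ("MSAL_CLIENT_ID", "MSAL_TENANT_ID", "SESSION_SECRET"):
        val = env.get(key, "").lower()
        if not val or any(marker in val for marker in PLACEHOLDER_MARKERS):
            problems.append(f"{key} is missing or still a placeholder")
    if not config["redirectUri"].startswith("https://"):
        problems.append("MSAL_REDIRECT_URI must be an https URL")
    for flag in ("SECURE_COOKIES", "HTTPS_ONLY"):
        if not parse_bool(env.get(flag)):
            problems.append(f"{flag} must be true when DEV_MODE=false")
    if problems:
        raise RuntimeError("unsafe production configuration: " + "; ".join(problems))
    return {"config": config, "devMode": False}
```

Running it against the unedited example `.env` from this document raises, which is the point: the server never comes up announcing `devMode: true` or serving placeholder client IDs.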
## Azure AD App Registration Configuration

### Required API Permissions

- Microsoft Graph → User.Read (delegated)

### Supported Account Types

- Accounts in this organizational directory only (Single tenant)
- Or: Accounts in any organizational directory (Multi-tenant)

### Authentication Platform

- Platform: Single-page application
- Redirect URI: `https://ai-sandbox.oliver.solutions/brief-extractor/auth/callback`
- Enable implicit flow: ID tokens ✓

### Certificates & Secrets

- Create new client secret
- Copy the value immediately (it can't be viewed again)
- Use it as `MSAL_CLIENT_SECRET` in `.env`

## Troubleshooting

### Login redirects but fails

- Check that the redirect URI matches exactly in both:
  - Backend `.env` → `MSAL_REDIRECT_URI`
  - Azure Portal → App Registration → Authentication

### "Invalid client" error

- Verify `MSAL_CLIENT_ID` matches the Azure Portal App Registration ID
- Check that `MSAL_CLIENT_SECRET` is correct and not expired

### CSP errors in console

- These come from Microsoft's auth pages (Report-Only mode)
- They won't block authentication; they are only warnings

### Still shows "Development Mode"

- Backend `.env` has `DEV_MODE=true` or is missing `DEV_MODE=false`
- Backend server not restarted after the `.env` change
- Wrong `.env` file being loaded (check the file location)