Skip to content

feat: refactor app-creation config reads to use SettingsService (2-phase init) #504

Closed
#518
Closed
feat: refactor app-creation config reads to use SettingsService (2-phase init)#504
#518
Labels
prio:highImportant, should be prioritizedprio:lowNice to have, can deferscope:large3+ days of workspec:architectureDESIGN_SPEC Section 15 - Technical Architecturetype:featureNew feature implementation
@Aureliolo

Description

@Aureliolo
Aureliolo
opened on Mar 16, 2026

Summary

Refactor API/auth/CORS/middleware config reads in api/app.py to use SettingsService instead of direct RootConfig access. This requires a 2-phase app initialization to resolve the chicken-and-egg problem: SettingsService needs persistence, but persistence is created during app setup.

Context

create_app() in api/app.py reads config for:

  • CORS configuration (api_config.cors.*)
  • Rate limiting (api_config.rate_limit.*)
  • Auth middleware (api_config.auth.*)
  • JWT secret resolution (app_state.config.api.auth.with_secret())
  • Server config (config.api.server.* in server.py)

These reads happen at app construction time, before SettingsService is available (it needs a connected persistence backend, which is started in the on_startup lifecycle hook).

Scope

  • Implement 2-phase app initialization:
    1. Phase 1: Create app with minimal config (just enough for Litestar to start)
    2. Phase 2: After persistence connects, resolve remaining config through SettingsService and reconfigure middleware/CORS/auth
  • Add settings definitions for API config values (host, port, CORS origins, rate limit, auth settings)
  • Handle the constraint that some Litestar config (CORS, compression) is set at construction and may not be hot-swappable
  • Alternative: pre-create SettingsService with a synchronous fallback that skips the DB layer during app construction, then enable the DB layer after persistence connects

Design Considerations

  • Litestar's CORSConfig and middleware stack are set at construction — may need lazy evaluation or deferred middleware
  • Server host/port are truly startup-only (can't change without restart) — mark as restart_required=True
  • Auth exclude paths and JWT config are security-sensitive — changes should require restart

Blocked By

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    prio:highImportant, should be prioritizedprio:lowNice to have, can deferscope:large3+ days of workspec:architectureDESIGN_SPEC Section 15 - Technical Architecturetype:featureNew feature implementation

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions