Summary
Refactor API/auth/CORS/middleware config reads in api/app.py to use SettingsService instead of direct RootConfig access. This requires a 2-phase app initialization to resolve the chicken-and-egg problem: SettingsService needs persistence, but persistence is created during app setup.
Context
create_app() in api/app.py reads config for:
- CORS configuration (
api_config.cors.*)
- Rate limiting (
api_config.rate_limit.*)
- Auth middleware (
api_config.auth.*)
- JWT secret resolution (
app_state.config.api.auth.with_secret())
- Server config (
config.api.server.* in server.py)
These reads happen at app construction time, before SettingsService is available (it needs a connected persistence backend, which is started in the on_startup lifecycle hook).
Scope
- Implement 2-phase app initialization:
- Phase 1: Create app with minimal config (just enough for Litestar to start)
- Phase 2: After persistence connects, resolve remaining config through SettingsService and reconfigure middleware/CORS/auth
- Add settings definitions for API config values (host, port, CORS origins, rate limit, auth settings)
- Handle the constraint that some Litestar config (CORS, compression) is set at construction and may not be hot-swappable
- Alternative: pre-create SettingsService with a synchronous fallback that skips the DB layer during app construction, then enable the DB layer after persistence connects
Design Considerations
- Litestar's
CORSConfig and middleware stack are set at construction — may need lazy evaluation or deferred middleware
- Server host/port are truly startup-only (can't change without restart) — mark as
restart_required=True
- Auth exclude paths and JWT config are security-sensitive — changes should require restart
Blocked By
Related
Summary
Refactor API/auth/CORS/middleware config reads in
api/app.pyto useSettingsServiceinstead of directRootConfigaccess. This requires a 2-phase app initialization to resolve the chicken-and-egg problem: SettingsService needs persistence, but persistence is created during app setup.Context
create_app()inapi/app.pyreads config for:api_config.cors.*)api_config.rate_limit.*)api_config.auth.*)app_state.config.api.auth.with_secret())config.api.server.*inserver.py)These reads happen at app construction time, before
SettingsServiceis available (it needs a connected persistence backend, which is started in theon_startuplifecycle hook).Scope
Design Considerations
CORSConfigand middleware stack are set at construction — may need lazy evaluation or deferred middlewarerestart_required=TrueBlocked By
Related