The Crypto E-Voting API reads all runtime configuration from environment variables, loaded by Pydantic’s BaseSettings from a file named .env.local in the project root. Every variable listed below is required at startup unless marked optional; the application will raise a validation error and refuse to start if any required value is missing.
Environment variables
| Variable | Type | Required | Description |
|---|---|---|---|
| ENV | string | Yes | Runtime environment label. Accepted values: development, testing, production. Used to toggle environment-specific behaviour. |
| ALLOWED_ORIGINS | string | Yes | Comma-separated list of frontend origins permitted by the CORS middleware. Example: http://localhost:5173,https://app.example.com. |
| DATABASE_URL | string | Yes | SQLAlchemy-compatible PostgreSQL connection string. Example: postgresql://user:password@localhost:5432/evoting. |
| SECRET_KEY | string | Yes | Secret used by Starlette’s SessionMiddleware to sign and encrypt server-side session cookies. Must be a long, random string. |
| EMAIL_FROM | string | Yes | The sender address that appears in credential emails delivered to voters. |
| GMAIL_TOKEN | string | Yes | Short-lived Gmail OAuth 2.0 access token used to authenticate outbound email requests. |
| GMAIL_REFRESH_TOKEN | string | Yes | Long-lived refresh token used to obtain a new GMAIL_TOKEN when the access token expires. |
| GMAIL_CLIENT_ID | string | Yes | OAuth 2.0 client ID from the Google Cloud Console for the service account sending voter emails. |
| GMAIL_CLIENT_SECRET | string | Yes | OAuth 2.0 client secret paired with GMAIL_CLIENT_ID. |
CORS configuration
The ALLOWED_ORIGINS variable controls which browser origins can make cross-origin requests to the API. The middleware is configured with allow_credentials=True, which means session cookies are included in cross-origin requests; only explicitly listed origins are permitted.
CORSMiddleware. Wildcards (e.g. *) are not supported when allow_credentials=True.
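A preflight check for the variables in the table and the CORS rule above, as an added example that is not part of the project's code. The function names, the 32-character minimum for SECRET_KEY and the rejection of origins that carry a path are assumptions; the page itself only asks for a long random string and an explicit origin list.

```python
from urllib.parse import urlsplit

REQUIRED = ("ENV", "ALLOWED_ORIGINS", "DATABASE_URL", "SECRET_KEY", "EMAIL_FROM",
            "GMAIL_TOKEN", "GMAIL_REFRESH_TOKEN", "GMAIL_CLIENT_ID", "GMAIL_CLIENT_SECRET")
ENVIRONMENTS = ("development", "testing", "production")
MIN_SECRET_LEN = 32  # assumption: the page only asks for a "long, random string"


def check_origin(origin):
    """Return a problem description for one ALLOWED_ORIGINS entry, or None if usable."""
    if "*" in origin:
        return f"wildcard origin {origin!r} cannot be used with allow_credentials=True"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return f"origin {origin!r} is not of the form scheme://host[:port]"
    # Assumption: reject a path or trailing slash, since a browser's Origin
    # header never carries one and such an entry would match no request.
    if parts.path or parts.query or parts.fragment:
        return f"origin {origin!r} must not include a path, query or fragment"
    return None


def preflight(env):
    """Check a mapping of settings (e.g. os.environ) and return every problem found."""
    problems = [f"{name} is missing or empty" for name in REQUIRED if not env.get(name)]
    if env.get("ENV") and env["ENV"] not in ENVIRONMENTS:
        problems.append(f"ENV={env['ENV']!r} is not one of {', '.join(ENVIRONMENTS)}")
    origins = [o.strip() for o in env.get("ALLOWED_ORIGINS", "").split(",") if o.strip()]
    problems += [p for p in map(check_origin, origins) if p]
    if 0 < len(env.get("SECRET_KEY", "")) < MIN_SECRET_LEN:
        problems.append(f"SECRET_KEY is shorter than {MIN_SECRET_LEN} characters")
    return problems


# Constructed sample with five deliberate mistakes; every value is a placeholder.
SAMPLE = {
    **dict.fromkeys(REQUIRED, "placeholder"),
    "ENV": "prod",
    "ALLOWED_ORIGINS": "http://localhost:5173,https://app.example.com/,*",
    "SECRET_KEY": "changeme",
    "GMAIL_REFRESH_TOKEN": "",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print("config error:", problem)
```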
The session cookie is set with SameSite=None and Secure=True, which requires the API to be served over HTTPS in production. Browsers will reject the cookie over plain HTTP with these settings.
Session configuration
Server-side sessions are used to carry the voter’s verified N1 nonce between the POST /voters/check_n1 and POST /voters/submit_vote calls. Sessions are signed and encrypted using SECRET_KEY via Starlette’s SessionMiddleware.
Key session parameters set in app/main.py:
| Parameter | Value | Description |
|---|---|---|
| max_age | 600 seconds | Sessions expire after 10 minutes of inactivity. A voter must complete N1 verification and vote submission within this window. |
| same_site | none | Required for cross-origin cookie delivery when the front-end and API are on different domains. |
| https_only | true | Instructs the browser to only send the session cookie over HTTPS connections. |
Gmail OAuth setup
The API uses the Google Gmail API to send N1 and N2 credential emails to registered voters when POST /voting/start-vote is called. You need an OAuth 2.0 client configured in Google Cloud Console.
To obtain the required credentials:
- Go to the Google Cloud Console and create a project.
- Enable the Gmail API for the project.
- Under APIs & Services > Credentials, create an OAuth 2.0 Client ID with application type Web application or Desktop app.
- Download the client credentials to get GMAIL_CLIENT_ID and GMAIL_CLIENT_SECRET.
- Complete the OAuth consent flow for your sender account to obtain GMAIL_TOKEN and GMAIL_REFRESH_TOKEN.
The access token in GMAIL_TOKEN expires after one hour. The application uses GMAIL_REFRESH_TOKEN to automatically obtain a new token. Make sure the refresh token is from a session authorized with the https://mail.google.com/ scope so that the API can send email on behalf of EMAIL_FROM.