dariemcarlosdev
diff --git a/‎README.md‎
Lines changed: 1070 additions & 0 deletions b/‎README.md‎
Lines changed: 1070 additions & 0 deletions
diff --git a/‎appsettings.Development.json‎
Lines changed: 240 additions & 2 deletions b/‎appsettings.Development.json‎
Lines changed: 240 additions & 2 deletions
@@ -1,8 +1,246 @@
 {
+  // ===========================================================================================
+  // DEVELOPMENT ENVIRONMENT CONFIGURATION
+  // ===========================================================================================
+  // This file overrides settings in appsettings.json for local development
+  // Settings here are ONLY used when running in Development environment
+  // 
+  // How environment detection works:
+  // - Determined by ASPNETCORE_ENVIRONMENT variable
+  // - Visual Studio automatically sets this to "Development"
+  // - In production, set to "Production"
+  // 
+  // Configuration loading order (later files override earlier):
+  // 1. appsettings.json (base configuration)
+  // 2. appsettings.{Environment}.json (environment-specific)
+  // 3. User Secrets (development only)
+  // 4. Environment Variables
+  // 5. Command-line arguments
+  // ===========================================================================================
+
+  // ===== Development Logging Configuration =====
+  // More verbose logging for debugging and troubleshooting
+  // Production uses less verbose settings for performance
   "Logging": {
     "LogLevel": {
-      "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
+      // Default: Debug level shows detailed information for debugging
+      // Includes: method entry/exit, variable values, execution flow
+      // Performance impact: Higher than Information (acceptable in dev)
+      "Default": "Debug",
+      
+      // ASP.NET Core: Information level for request/response details
+      // Shows: HTTP requests, route matching, middleware execution
+      // Useful for debugging routing and middleware issues
+      "Microsoft.AspNetCore": "Information",
+      
+      // Entity Framework Core: Information level for database queries
+      // Shows: Generated SQL queries, parameter values, query execution time
+      // Essential for debugging database operations
+      "Microsoft.EntityFrameworkCore": "Information",
+      
+      // Application logs: Debug level for maximum visibility
+      // Shows all application-specific logging
+      "SecureCleanApiWaf": "Debug"
     }
+  },
+  
+  // ===========================================================================================
+  // DEVELOPMENT JWT SETTINGS (DO NOT USE IN PRODUCTION)
+  // ===========================================================================================
+  // Development-friendly JWT configuration
+  // - Longer expiration times for easier testing
+  // - Clear labeling (Dev suffix) to prevent production confusion
+  // - Simpler secret key (still meets minimum length requirement)
+  // 
+  // 🚨 WARNING: These settings are intentionally insecure for development convenience
+  // NEVER deploy to production with these settings!
+  "JwtSettings": {
+    // Development secret key (32+ characters required)
+    // Different from production to prevent accidental token interchange
+    // Clearly labeled as "Development" to avoid confusion
+    "SecretKey": "Development_Secret_Key_32Characters_Minimum!",
+    
+    // Issuer: Labeled as "Dev" to differentiate from production tokens
+    // Tokens generated in dev won't be accepted by production API
+    "Issuer": "SecureCleanApiWaf.Dev",
+    
+    // Audience: Labeled as "Dev" environment
+    "Audience": "SecureCleanApiWaf.Api.Dev",
+    
+    // Longer expiration for development convenience
+    // 120 minutes (2 hours) reduces need to repeatedly generate tokens
+    // Allows longer debugging sessions without token expiration
+    // Production: Use 15-30 minutes for security
+    "ExpirationMinutes": 120,
+    
+    // Longer refresh token expiration for development
+    // 30 days: Very permissive for local testing
+    // Production: Use 7-14 days maximum
+    "RefreshTokenExpirationDays": 30
+  },
+
+  // ===========================================================================================
+  // DEVELOPMENT EXTERNAL API CONFIGURATION
+  // ===========================================================================================
+  // Configuration for testing external API integrations locally
+  "ThirdPartyApi": {
+    // JSONPlaceholder: Free fake REST API for testing
+    // Provides realistic data without requiring real API credentials
+    // Features: users, posts, comments, albums, photos, todos
+    // No authentication required (perfect for development)
+    // 
+    // Documentation: https://jsonplaceholder.typicode.com/
+    "BaseUrl": "https://jsonplaceholder.typicode.com/",
+    
+    // Development API key placeholder
+    // For APIs that require authentication:
+    // 1. Sign up for a developer account
+    // 2. Get API key from provider
+    // 3. Store in User Secrets (not in source control)
+    // 4. Replace this placeholder
+    // 
+    // To use User Secrets:
+    // 1. Right-click project → Manage User Secrets
+    // 2. Add: "ThirdPartyApi": { "ApiKey": "your-actual-key" }
+    // 3. User Secrets override this setting locally
+    "ApiKey": "dev-api-key-placeholder-replace-with-real-key",
+    
+    // Longer timeout for development (60 seconds)
+    // Allows:
+    // - Debugging external API calls with breakpoints
+    // - Testing with slow development APIs
+    // - Network throttling for testing timeout handling
+    // Production: Use 30 seconds or less
+    "Timeout": 60
+  },
+
+  // ===========================================================================================
+  // DEVELOPMENT CORS CONFIGURATION (MORE PERMISSIVE)
+  // ===========================================================================================
+  // Allow more origins for local development convenience
+  // Supports various local development scenarios
+  "Cors": {
+    "AllowedOrigins": [
+      // HTTPS development server (default Blazor port)
+      "https://localhost:7000",
+      
+      // Alternative HTTPS port (Kestrel default)
+      "https://localhost:5001",
+      
+      // HTTP development server (for testing non-HTTPS scenarios)
+      // 🚨 NOTE: HTTPS should be used even in development
+      // This is here for legacy/compatibility testing only
+      "http://localhost:5000"
+    ]
+  },
+
+  // ===========================================================================================
+  // DEVELOPMENT RATE LIMITING (MORE PERMISSIVE)
+  // ===========================================================================================
+  // Relaxed rate limits for development and testing
+  // Allows rapid API testing without hitting limits
+  // 
+  // Development vs Production:
+  // - Dev: 200 req/min, 5000 req/hour (very permissive)
+  // - Prod: 60 req/min, 1000 req/hour (more restrictive)
+  "IpRateLimiting": {
+    // Enable rate limiting even in development
+    // Ensures code doesn't break when deployed to production
+    // Helps catch issues with rate limit handling early
+    "EnableEndpointRateLimiting": true,
+    
+    // Don't stack blocked requests in development
+    // Makes testing rate limiting easier
+    "StackBlockedRequests": false,
+    
+    // Development rate limit rules (more permissive)
+    "GeneralRules": [
+      {
+        // Per-minute limit: 200 requests
+        // Allows rapid testing: ~3 requests per second
+        // Enough for automated tests and rapid manual testing
+        "Endpoint": "*",
+        "Period": "1m",
+        "Limit": 200
+      },
+      {
+        // Hourly limit: 5000 requests
+        // Allows intensive development sessions
+        // High enough that legitimate development never hits it
+        // Low enough to catch runaway loops in code
+        "Endpoint": "*",
+        "Period": "1h",
+        "Limit": 5000
+      }
+    ]
+  },
+
+  // ===========================================================================================
+  // DEVELOPMENT DATABASE CONFIGURATION
+  // ===========================================================================================
+  // More verbose logging and error details for debugging database issues
+  "DatabaseSettings": {
+    // LocalDB connection (built into Visual Studio)
+    // No installation required, perfect for development
+    // Database file stored in user's AppData folder
+    "ConnectionString": "Server=(localdb)\\mssqllocaldb;Database=SecureCleanApiWaf;Trusted_Connection=True;TrustServerCertificate=True;MultipleActiveResultSets=True",
+    
+    // Enable sensitive data logging in development
+    // Shows parameter values in SQL queries for debugging
+    // Example: "SELECT * FROM Users WHERE Email = @p0" with @p0 = "user@example.com"
+    "EnableSensitiveDataLogging": true,
+    
+    // Enable detailed errors in development
+    // Shows full exception details including SQL query text
+    // Helps debug query issues and schema problems
+    "EnableDetailedErrors": true,
+    
+    // Command timeout: 60 seconds (generous for development)
+    // Allows debugging queries with breakpoints
+    "CommandTimeout": 60,
+    
+    // Retry configuration (same as production)
+    // Tests retry logic during development
+    "MaxRetryCount": 3,
+    "MaxRetryDelay": 30,
+    
+    // Query splitting: false (default behavior)
+    // Can set to true to test splitting behavior
+    "EnableQuerySplitting": false
   }
+
+  // ===========================================================================================
+  // DEVELOPMENT TIPS & BEST PRACTICES
+  // ===========================================================================================
+  // 
+  // 1. USER SECRETS FOR SENSITIVE DATA:
+  //    Don't hardcode API keys or passwords even in development
+  //    Use User Secrets feature:
+  //    - Right-click project → Manage User Secrets
+  //    - Store sensitive values there (never committed to source control)
+  // 
+  // 2. HTTPS EVEN IN DEVELOPMENT:
+  //    Use HTTPS certificates even locally (Visual Studio generates them)
+  //    Prevents certificate issues when deploying to production
+  //    Matches production behavior more closely
+  // 
+  // 3. TEST WITH PRODUCTION-LIKE SETTINGS:
+  //    Occasionally test with stricter settings (short JWT expiration, etc.)
+  //    Ensures code handles token refresh, rate limiting, etc.
+  // 
+  // 4. ENVIRONMENT VARIABLE TESTING:
+  //    Test overriding settings via environment variables
+  //    Ensures deployment configuration works correctly
+  // 
+  // 5. LOG LEVEL MANAGEMENT:
+  //    Use Debug for active development
+  //    Switch to Information when sharing logs (less noise)
+  //    Use Warning/Error for performance testing
+  // 
+  // 6. DATABASE CONFIGURATION:
+  //    Use local database for development (LocalDB, SQLite)
+  //    Don't connect to production databases from development
+  //    Use realistic test data
+  // 
+  // ===========================================================================================
 }