feat: complete Step 12 hardening - CORS, environment config

backend/app/config.py

@@ -1,13 +1,32 @@
 from pydantic_settings import BaseSettings
+from functools import lru_cache
 
 class Settings(BaseSettings):
-    DB_HOST: str
+    # Database (matching what database.py expects)
+    DB_USER: str = "cardgame"
+    DB_PASSWORD: str = "cardgame"
+    DB_HOST: str = "postgres"
     DB_PORT: str = "5432"
-    DB_USER: str
-    DB_PASSWORD: str
-    DB_NAME: str
+    DB_NAME: str = "cardgame"
+    
+    # JWT
+    secret_key: str = "your-secret-key-change-in-production"
+    algorithm: str = "HS256"
+    access_token_expire_minutes: int = 30
+    
+    # CORS
+    cors_origins: list[str] = ["*"]
+    
+    # Game Config
+    register_bonus_gold: int = 500
+    duplicate_card_gold: int = 20
     
     class Config:
         env_file = ".env"
 
-settings = Settings()
+@lru_cache()
+def get_settings():
+    return Settings()
+
+# Export settings instance for backwards compatibility
+settings = get_settings()

backend/app/main.py

@@ -1,17 +1,30 @@
 from fastapi import FastAPI, Depends, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
 from sqlalchemy.orm import Session
 from sqlalchemy import text
 from app.database import get_db, engine
 from app import models, seed
 from app.routers import auth, users, chests, profiles
+from app.config import get_settings
 
 from app.middleware import IdempotencyMiddleware
 
+settings = get_settings()
+
 # Create all tables
 models.Base.metadata.create_all(bind=engine)
 
 app = FastAPI(title="Card Game Backend")
 
+# CORS Middleware (before other middleware)
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=settings.cors_origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
 app.add_middleware(IdempotencyMiddleware)
 
 app.include_router(auth.router)