From 341ce29aa9945b62b72216760f11de2667d9ca19 Mon Sep 17 00:00:00 2001
From: Maciej Pienczyn
Date: Wed, 14 Jan 2026 22:13:49 +0100
Subject: [PATCH] fix: Use lazy loading for GeoIP config to respect load_dotenv timing
Co-Authored-By: Claude Opus 4.5
---
 security_service.py | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/security_service.py b/security_service.py
index c106e51..991806c 100644
--- a/security_service.py
+++ b/security_service.py
@@ -178,12 +178,18 @@ def _send_alert_email(alert):
 # GEOIP BLOCKING
 # ============================================================
-# GeoIP configuration
-GEOIP_ENABLED = os.getenv('GEOIP_ENABLED', 'false').lower() == 'true'
-GEOIP_DB_PATH = os.getenv('GEOIP_DB_PATH', '/var/www/nordabiznes/geoip/GeoLite2-Country.mmdb')
+# GeoIP configuration (lazy loaded to respect load_dotenv timing)
+def _get_geoip_enabled():
+ return os.getenv('GEOIP_ENABLED', 'false').lower() == 'true'
+
+def _get_geoip_db_path():
+ return os.getenv('GEOIP_DB_PATH', '/var/www/nordabiznes/geoip/GeoLite2-Country.mmdb')
+
+def _get_geoip_whitelist():
+ return set(os.getenv('GEOIP_WHITELIST', '').split(',')) - {''}
+
 # Block high-risk countries (Russia, China, North Korea, Iran, etc.)
 BLOCKED_COUNTRIES = {'RU', 'CN', 'KP', 'IR', 'BY', 'SY', 'VE', 'CU'}
-GEOIP_WHITELIST = set(os.getenv('GEOIP_WHITELIST', '').split(',')) - {''} # Whitelisted IPs
 # GeoIP reader (lazy loaded)
 _geoip_reader = None
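Review bot: `_get_geoip_whitelist()` keeps surrounding whitespace, so a value such as `GEOIP_WHITELIST=10.0.0.1, 10.0.0.2` (constructed example) yields the entry `' 10.0.0.2'`, which can never equal a client address and leaves that allow-list entry silently dead. Strip each entry when building the set: `return {ip.strip() for ip in os.getenv('GEOIP_WHITELIST', '').split(',') if ip.strip()}`. The set is now rebuilt on every call from `is_ip_allowed` (fourth hunk), and the match there is an exact string comparison, so CIDR ranges and alternative IPv6 spellings will not match either; a short docstring on the helper stating the expected format would help. `_get_geoip_enabled()` likewise treats anything other than the exact string `true` (for example `1` or `yes`) as disabled, which turns the control off without any error.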
@@ -196,16 +202,17 @@ def get_geoip_reader():
 if _geoip_reader is not None:
 return _geoip_reader
- if not GEOIP_ENABLED:
+ if not _get_geoip_enabled():
 return None
 try:
 import geoip2.database
- if os.path.exists(GEOIP_DB_PATH):
- _geoip_reader = geoip2.database.Reader(GEOIP_DB_PATH)
- logger.info(f"GeoIP database loaded from {GEOIP_DB_PATH}")
+ db_path = _get_geoip_db_path()
+ if os.path.exists(db_path):
+ _geoip_reader = geoip2.database.Reader(db_path)
+ logger.info(f"GeoIP database loaded from {db_path}")
 else:
- logger.warning(f"GeoIP database not found at {GEOIP_DB_PATH}")
+ logger.warning(f"GeoIP database not found at {db_path}")
 except ImportError:
 logger.warning("geoip2 package not installed, GeoIP blocking disabled")
 except Exception as e:
@@ -242,7 +249,7 @@ def is_ip_allowed(ip_address: str = None) -> bool:
 Returns:
 True if allowed, False if blocked
 """
- if not GEOIP_ENABLED:
+ if not _get_geoip_enabled():
 return True
 if ip_address is None:
@@ -252,7 +259,7 @@ def is_ip_allowed(ip_address: str = None) -> bool:
 return True
 # Check whitelist first
- if ip_address in GEOIP_WHITELIST:
+ if ip_address in _get_geoip_whitelist():
 return True
 # Local/private IPs are always allowed
@@ -452,6 +459,8 @@ def requires_2fa(f):
 def init_security_service():
 """Initialize security service (load GeoIP database, etc.)."""
- if GEOIP_ENABLED:
+ if _get_geoip_enabled():
 get_geoip_reader()
- logger.info("Security service initialized")
+ logger.info(f"Security service initialized with GeoIP enabled, blocking: {BLOCKED_COUNTRIES}")
+ else:
+ logger.info("Security service initialized (GeoIP disabled)")
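Review bot: A failed load is not remembered in `get_geoip_reader`: when the file at `db_path` is missing or `geoip2` cannot be imported, `_geoip_reader` stays `None`, so every later call repeats the import, the `os.path.exists` check and the warning. If the function is called per request (the caller is outside this hunk), a misconfigured deployment floods the log and can bury other security events. Record the failed attempt in a module-level flag set in the `else` and `except` branches, and return `None` early when it is set. The `except Exception as e:` body continues past the end of the hunk.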
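Review bot: In `init_security_service` the new startup message reports `GeoIP enabled, blocking: {...}` without looking at what `get_geoip_reader()` returned, so a missing database file or a missing `geoip2` package (both only warned about in `get_geoip_reader`) still produces a log line saying blocking is active. Check the return value and log the degraded state at error level, e.g. `if get_geoip_reader() is None:` followed by `logger.error("GeoIP enabled but reader unavailable, country blocking inactive")`, keeping the existing info line for the success case. Whether `is_ip_allowed` then lets all traffic through is outside this hunk and should be confirmed. Formatting the set as `sorted(BLOCKED_COUNTRIES)` would also keep the log line stable between restarts.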