fix: allow quoted urls in env variables (#676)

This commit is contained in:
Nico 2026-03-17 22:09:22 +01:00 committed by GitHub
parent ee73f89863
commit e39220c024
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 49 additions and 38 deletions

View file

@ -1,8 +1,10 @@
import { readFileSync } from "node:fs";
import os from "node:os";
import { z } from "zod";
import { prettifyError, z } from "zod";
import "dotenv/config";
import { buildAllowedHosts } from "../lib/auth/base-url";
const unquote = (str: string) => str.trim().replace(/^(['"])(.*)\1$/, "$2");
const getResticHostname = () => {
try {
const mountinfo = readFileSync("/proc/self/mountinfo", "utf-8");
@ -41,31 +43,49 @@ const envSchema = z
ENABLE_DEV_PANEL: z.string().default("false"),
PROVISIONING_PATH: z.string().optional(),
})
.transform((s) => ({
__prod__: s.NODE_ENV === "production",
environment: s.NODE_ENV,
serverIp: s.SERVER_IP,
serverIdleTimeout: s.SERVER_IDLE_TIMEOUT,
resticHostname: s.RESTIC_HOSTNAME || getResticHostname(),
port: s.PORT,
migrationsPath: s.MIGRATIONS_PATH,
appVersion: s.APP_VERSION,
trustedOrigins: s.TRUSTED_ORIGINS?.split(",")
.map((origin) => origin.trim())
.filter(Boolean)
.concat(s.BASE_URL) ?? [s.BASE_URL],
trustProxy: s.TRUST_PROXY === "true",
disableRateLimiting: s.DISABLE_RATE_LIMITING === "true" || s.NODE_ENV === "test",
appSecret: s.APP_SECRET,
baseUrl: s.BASE_URL,
isSecure: s.BASE_URL?.startsWith("https://") ?? false,
enableDevPanel: s.ENABLE_DEV_PANEL === "true",
provisioningPath: s.PROVISIONING_PATH,
}));
.transform((s) => {
const baseUrl = unquote(s.BASE_URL);
const trustedOrigins = s.TRUSTED_ORIGINS?.split(",").map(unquote).filter(Boolean).concat(baseUrl) ?? [baseUrl];
const authOrigins = [baseUrl, ...trustedOrigins];
const { allowedHosts, invalidOrigins } = buildAllowedHosts(authOrigins);
const parseConfig = (env: unknown) => {
for (const origin of invalidOrigins) {
console.warn(
`Ignoring invalid origin in configuration: ${origin}. Make sure it is a valid URL with a protocol (e.g. https://example.com)`,
);
}
return {
__prod__: s.NODE_ENV === "production",
environment: s.NODE_ENV,
serverIp: s.SERVER_IP,
serverIdleTimeout: s.SERVER_IDLE_TIMEOUT,
resticHostname: s.RESTIC_HOSTNAME || getResticHostname(),
port: s.PORT,
migrationsPath: s.MIGRATIONS_PATH,
appVersion: s.APP_VERSION,
trustedOrigins: trustedOrigins,
trustProxy: s.TRUST_PROXY === "true",
disableRateLimiting: s.DISABLE_RATE_LIMITING === "true" || s.NODE_ENV === "test",
appSecret: s.APP_SECRET,
baseUrl,
isSecure: baseUrl.startsWith("https://"),
enableDevPanel: s.ENABLE_DEV_PANEL === "true",
provisioningPath: s.PROVISIONING_PATH,
allowedHosts,
};
});
export const parseConfig = (env: unknown) => {
const result = envSchema.safeParse(env);
if (result.success && result.data.allowedHosts.length === 0) {
console.error(
`Configuration error: No valid trusted origins provided. Please check the BASE_URL and TRUSTED_ORIGINS environment variables.`,
);
process.exit(1);
}
if (!result.success) {
if (!process.env.APP_SECRET) {
const errorMessage = [
@ -89,8 +109,8 @@ const parseConfig = (env: unknown) => {
console.error(errorMessage);
}
console.error(`Environment variable validation failed: ${result.error.message}`);
throw new Error("Invalid environment variables");
console.error(`Environment variable validation failed: ${prettifyError(result.error)}`);
process.exit(1);
}
return result.data;

View file

@ -1,4 +1,4 @@
import CronExpressionParser from "cron-parser";
import { CronExpressionParser } from "cron-parser";
import { logger } from "@zerobyte/core/node";
export abstract class Job {

View file

@ -12,29 +12,20 @@ import { createAuthMiddleware } from "better-auth/api";
import { config } from "../core/config";
import { db } from "../db/db";
import { cryptoUtils } from "../utils/crypto";
import { logger } from "@zerobyte/core/node";
import { authService } from "../modules/auth/auth.service";
import { tanstackStartCookies } from "better-auth/tanstack-start";
import { isValidUsername, normalizeUsername } from "~/lib/username";
import { ensureOnlyOneUser } from "./auth/middlewares/only-one-user";
import { convertLegacyUserOnFirstLogin } from "./auth/middlewares/convert-legacy-user";
import { ensureDefaultOrg } from "./auth/helpers/create-default-org";
import { buildAllowedHosts } from "./auth/base-url";
import { ssoIntegration } from "../modules/sso/sso.integration";
export type AuthMiddlewareContext = MiddlewareContext<MiddlewareOptions, AuthContext<BetterAuthOptions>>;
const authOrigins = [config.baseUrl, ...config.trustedOrigins];
const { allowedHosts, invalidOrigins } = buildAllowedHosts(authOrigins);
for (const origin of invalidOrigins) {
logger.warn(`Ignoring invalid auth origin in configuration: ${origin}`);
}
export const auth = betterAuth({
secret: await cryptoUtils.deriveSecret("better-auth"),
baseURL: {
allowedHosts,
allowedHosts: config.allowedHosts,
protocol: "auto",
},
trustedOrigins: config.trustedOrigins,

View file

@ -1,4 +1,4 @@
import CronExpressionParser from "cron-parser";
import { CronExpressionParser } from "cron-parser";
import path from "node:path";
import type { BackupSchedule } from "~/server/db/schema";
import { toMessage } from "~/server/utils/errors";

View file

@ -1,5 +1,5 @@
import { and, eq, inArray } from "drizzle-orm";
import CronExpressionParser from "cron-parser";
import { CronExpressionParser } from "cron-parser";
import { NotFoundError, BadRequestError, ConflictError } from "http-errors-enhanced";
const isValidCron = (expression: string): boolean => {