old4ever/local-cal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): validate required env vars at startup

Browse Source 
Add explicit validation for BETTER_AUTH_SECRET, BETTER_AUTH_URL, and
Authentik config variables. Set secret explicitly in better-auth config
to prevent silent session loss on restart.
This commit is contained in:
Dmytro Stanchiev
2026-04-06 23:17:51 -04:00
parent 2a808f8ca1
commit ece03a9124
1 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/auth.ts
View File

@@ -4,7 +4,25 @@ import { genericOAuth } from "better-auth/plugins";
import { db } from "@/db/index";
import * as schema from "@/db/schema";
// Validate required environment variables
if (!process.env.BETTER_AUTH_SECRET) {
throw new Error("BETTER_AUTH_SECRET is required");
}
if (!process.env.BETTER_AUTH_URL) {
throw new Error("BETTER_AUTH_URL is required");
}
if (!process.env.AUTH_AUTHENTIK_CLIENT_ID) {
throw new Error("AUTH_AUTHENTIK_CLIENT_ID is required");
}
if (!process.env.AUTH_AUTHENTIK_CLIENT_SECRET) {
throw new Error("AUTH_AUTHENTIK_CLIENT_SECRET is required");
}
if (!process.env.AUTH_AUTHENTIK_ISSUER) {
throw new Error("AUTH_AUTHENTIK_ISSUER is required");
}
export const auth = betterAuth({
secret: process.env.BETTER_AUTH_SECRET,
baseURL: process.env.BETTER_AUTH_URL,
database: drizzleAdapter(db, {
provider: "pg",
@@ -15,8 +33,8 @@ export const auth = betterAuth({
config: [
{
providerId: "authentik",
clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID!,
clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET!,
clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
discoveryUrl: `${process.env.AUTH_AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
scopes: ["openid", "email", "profile"],
},