fix(security): move secret env var reads from build time to runtime #478
Open
hendrikheil wants to merge 13 commits into
@hendrikheil is attempting to deploy a commit to the Nuxt Team on Vercel. A member of the Team first needs to authorize it.

cccd400 to 13f34f7
…udio-env plugin
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace direct process.env reads with values from useRuntimeConfig(event).studio. The studio-env Nitro plugin populates runtimeConfig.studio.auth.github.* from legacy STUDIO_GITHUB_* env vars at server startup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace direct `process.env.*` reads with values from `useRuntimeConfig(event).studio`. This ensures env vars are properly managed through the studio-env Nitro plugin at server startup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Migrate SSO and git token configuration from direct environment variable reads to runtime config, which is populated by the studio-env Nitro plugin at server startup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace direct process.env reads with values from useRuntimeConfig(event).studio for Google OAuth configuration, Git provider tokens, and moderators list.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add explicit typed objects to runtimeConfig.studio auth blocks so auth routes can access redirectUrl and moderators without ts-expect-error. Tighten studio-env.ts casts from Record<string,any> to typed variants.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

… rename vars
- auth.github.instanceUrl defaults to 'https://github.com', auth.gitlab.instanceUrl defaults to 'https://gitlab.com' — these are not secrets
- AI server routes now only registered when options.ai.apiKey is set at build time; users relying on env vars use NUXT_STUDIO_AI_API_KEY (Nuxt-native convention) or set apiKey explicitly in nuxt.config.ts
- ai.enabled public flag restored to Boolean(options.ai?.apiKey) at build time; studio-env plugin no longer touches AI config
- Rename single-letter variables in studio-env.ts for readability
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13f34f7 to 693bd6d
…through entries
- studio-env.ts: replace custom fill() helper with defu for env var defaults
- auth routes: remove credential passthroughs from mergeConfig that echoed values already present in the first argument (clientId, clientSecret, applicationId, etc.)
- sso.get.ts: drop mergeConfig entirely, inline the redirectUrl→redirectURL rename
- module.ts: remove redundant instanceUrl fallbacks now covered by module defaults
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- auth.ts: restore upstream version (logger tag, git token check, Google moderator validation)
- studio-env.ts: replace Object.assign+defu with direct assignment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ssertions
- only set publicUrl to public/ dir when not using external media storage
- fix non-null assertions on instanceUrl to avoid unsafe optional chain pattern
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor, Author
@larbish can you rerun the module / build job? Seems to have been a transient Cloudflare error
What and why

Previously, all secret env vars (`STUDIO_GITHUB_CLIENT_SECRET`, `AI_GATEWAY_API_KEY`, git tokens, etc.) were read from `process.env` during `nuxt build` and baked into the server bundle. This causes two problems:

- `.output/server/` artifact. Build artifacts are often cached, stored, or shared in ways that runtime environments aren't.
- `if (options.ai?.apiKey)`), deploying a generic image without `AI_GATEWAY_API_KEY` set at build time permanently disables AI, even if the var is present at runtime. Same applies to auth providers.

Approach

A Nitro server plugin (`studio-env.ts`) now runs at server startup and merges the `STUDIO_*` env vars into `useRuntimeConfig()` for any values that aren't already set. All auth routes and session utils read exclusively from `useRuntimeConfig(event).studio.*`.

The `runtimeConfig.studio` schema in `module.ts` is initialised with empty string stubs so Nuxt knows the shape at build time. The plugin fills in real values at startup. Nuxt-native `NUXT_STUDIO_*` env vars still take precedence over the legacy names.

Backward compatibility

All existing env var names continue to work unchanged. No changes to the `nuxt.config.ts` configuration API.

Test plan

- `pnpm typecheck` passes
- `pnpm test` passes
- `pnpm verify` passes
- `process.env.*` reads remain in auth routes or module setup
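
The startup merge described in the pull request description above, as an added example that is not code from the pull request or the module: build-time stubs stay empty, legacy variables fill only unset fields, and a simple check looks for secret values in build output. The function names, the `STUDIO_GITHUB_CLIENT_ID` variable and the sample values are assumptions; plain objects stand in for Nuxt's runtime config.

```typescript
// Added example: models the startup merge; it is not the module's studio-env.ts.
type Env = Record<string, string | undefined>
interface GithubAuth { clientId: string, clientSecret: string, instanceUrl: string }
interface StudioConfig { auth: { github: GithubAuth } }

// Build-time shape: secrets are empty-string stubs, so serializing this
// object into the server bundle embeds nothing sensitive.
function buildTimeStubs(): StudioConfig {
  return { auth: { github: { clientId: '', clientSecret: '', instanceUrl: 'https://github.com' } } }
}

// Legacy env var -> runtimeConfig.studio.auth.github field.
// STUDIO_GITHUB_CLIENT_ID is an assumed name following the STUDIO_GITHUB_* pattern.
const LEGACY_GITHUB: Array<[string, 'clientId' | 'clientSecret']> = [
  ['STUDIO_GITHUB_CLIENT_ID', 'clientId'],
  ['STUDIO_GITHUB_CLIENT_SECRET', 'clientSecret'],
]

// Startup step: fill a field from the legacy variable only when it is still
// empty, so a value already supplied through NUXT_STUDIO_* wins.
function applyLegacyEnv(config: StudioConfig, env: Env): StudioConfig {
  const github: GithubAuth = { ...config.auth.github }
  for (const [name, field] of LEGACY_GITHUB) {
    const value = env[name]
    if (github[field] === '' && value) github[field] = value
  }
  return { auth: { github } }
}

// Artifact check: names of env vars whose current value appears in build output text.
function bakedSecrets(artifactText: string, env: Env, names: string[]): string[] {
  return names.filter((name) => {
    const value = env[name]
    return Boolean(value) && artifactText.includes(value as string)
  })
}

// Constructed sample values, not real credentials.
const sampleEnv: Env = { STUDIO_GITHUB_CLIENT_ID: 'sample-id', STUDIO_GITHUB_CLIENT_SECRET: 'sample-secret' }
const artifact = JSON.stringify(buildTimeStubs()) // stand-in for what the build serializes
const atRuntime = applyLegacyEnv(buildTimeStubs(), sampleEnv) // what a request handler reads
```

Running `bakedSecrets` over the text of files under `.output/server/` in CI, with the deployment's secret names, gives a regression check for the build-time leak this change addresses.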