fix: get env variable dynamically to avoid secret leakage

2026-01-28 02:17:06 +01:00
parent 4abf69844a
commit 4e33401387
10 changed files with 238 additions and 58 deletions
--- a/src/routes/login.ts
+++ b/src/routes/login.ts
@@ -1,5 +1,5 @@
 import type { APIContext } from "astro";
-import { options } from "../runtime.js";
+import { getOptions } from "../runtime.js";
 import {
  generateCodeVerifier,
  codeChallengeS256,
@@ -18,13 +18,17 @@ async function discover(issuer: string) {
  };
 }

-function inferRedirectUri(reqUrl: URL): string {
+function inferRedirectUri(
+  options: ReturnType<typeof getOptions>,
+  reqUrl: URL,
+): string {
  if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
  const u = new URL(options.routes.callback, reqUrl);
  return u.toString();
 }

 export async function GET(ctx: APIContext) {
+  const options = getOptions();
  const { url } = ctx;
  const verifier = generateCodeVerifier();
  const challenge = await codeChallengeS256(verifier);
@@ -37,7 +41,7 @@ export async function GET(ctx: APIContext) {
    state,
    nonce,
    verifier,
-    return_to: returnTo,
+    returnTo,
  });
  const initCookieName = `${options.cookie.name}_init`;
  const cookie = serializeCookie(initCookieName, initPayload, {
@@ -50,7 +54,7 @@ export async function GET(ctx: APIContext) {
  });

  const disco = await discover(options.issuer);
-  const redirectUri = inferRedirectUri(url);
+  const redirectUri = inferRedirectUri(options, url);
  const authorize = new URL(disco.authorization_endpoint);
  authorize.searchParams.set("client_id", options.clientId);
  authorize.searchParams.set("redirect_uri", redirectUri);