Generate AUTH_SECRET if not provided (#189)

brendan-kellam · web-flow · commit e6ee45c76d2c · 2025-02-13T13:23:30.000-08:00
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -27,7 +27,7 @@ if [ ! -d "$DB_DATA_DIR" ]; then
 fi
 
 if [ -z "$SOURCEBOT_ENCRYPTION_KEY" ]; then
-    echo -e "\e[31m[Error] SOURCEBOT_ENCRYPTION_KEY is not set.\e[0m"
+    echo -e "\e[33m[Warning] SOURCEBOT_ENCRYPTION_KEY is not set.\e[0m"
 
     if [ -f "$DATA_CACHE_DIR/.secret" ]; then
         echo -e "\e[34m[Info] Loading environment variables from $DATA_CACHE_DIR/.secret\e[0m"
@@ -42,6 +42,23 @@ if [ -z "$SOURCEBOT_ENCRYPTION_KEY" ]; then
     set +a
 fi
 
+# @see : https://authjs.dev/getting-started/deployment#auth_secret
+if [ -z "$AUTH_SECRET" ]; then
+    echo -e "\e[33m[Warning] AUTH_SECRET is not set.\e[0m"
+
+    if [ -f "$DATA_CACHE_DIR/.authjs-secret" ]; then
+        echo -e "\e[34m[Info] Loading environment variables from $DATA_CACHE_DIR/.authjs-secret\e[0m"
+    else
+        echo -e "\e[34m[Info] Generating a new encryption key...\e[0m"
+        AUTH_SECRET=$(openssl rand -base64 33)
+        echo "AUTH_SECRET=\"$AUTH_SECRET\"" >> "$DATA_CACHE_DIR/.authjs-secret"
+    fi
+
+    set -a
+    . "$DATA_CACHE_DIR/.authjs-secret"
+    set +a
+fi
+
 # In order to detect if this is the first run, we create a `.installed` file in
 # the cache directory.
 FIRST_RUN_FILE="$DATA_CACHE_DIR/.installedv2"
diff --git a/packages/web/src/auth.ts b/packages/web/src/auth.ts
@@ -24,14 +24,18 @@ declare module 'next-auth/jwt' {
 }
 
 const providers: Provider[] = [
-    GitHub({
-        clientId: AUTH_GITHUB_CLIENT_ID,
-        clientSecret: AUTH_GITHUB_CLIENT_SECRET,
-    }),
-    Google({
-        clientId: AUTH_GOOGLE_CLIENT_ID!,
-        clientSecret: AUTH_GOOGLE_CLIENT_SECRET!,
-    })
+    ...(AUTH_GITHUB_CLIENT_ID && AUTH_GITHUB_CLIENT_SECRET ? [
+        GitHub({
+            clientId: AUTH_GITHUB_CLIENT_ID,
+            clientSecret: AUTH_GITHUB_CLIENT_SECRET,
+        }),
+    ] : []),
+    ...(AUTH_GOOGLE_CLIENT_ID && AUTH_GOOGLE_CLIENT_SECRET ? [
+        Google({
+            clientId: AUTH_GOOGLE_CLIENT_ID,
+            clientSecret: AUTH_GOOGLE_CLIENT_SECRET,
+        }),
+    ] : []),
 ];
 
 // @see: https://authjs.dev/guides/pages/signin
@@ -56,6 +60,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
     session: {
         strategy: "jwt",
     },
+    trustHost: true,
     callbacks: {
         async jwt({ token, user: _user }) {
             const user = _user as User | undefined;
