finance: harden actual openid bootstrap

2026-01-17 02:43:25 -03:00 · 2026-01-17 02:43:25 -03:00 · cee565892b
commit cee565892b
parent b0ac30e719
1 changed files with 31 additions and 1 deletions
--- a/services/finance/scripts/actual_openid_bootstrap.mjs
+++ b/services/finance/scripts/actual_openid_bootstrap.mjs
@ -36,7 +36,37 @@ const loadConfigUrl = pathToFileURL(path.join(root, 'src', 'load-config.js')).hr
 const accountDb = await import(accountDbUrl);
 const { default: finalConfig } = await import(loadConfigUrl);

-const openId = finalConfig?.openId;
+const openIdEnv = (() => {
+  if (
+    !process.env.ACTUAL_OPENID_DISCOVERY_URL &&
+    !process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT
+  ) {
+    return null;
+  }
+
+  if (process.env.ACTUAL_OPENID_DISCOVERY_URL) {
+    return {
+      issuer: process.env.ACTUAL_OPENID_DISCOVERY_URL,
+      client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+      client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+      server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+    };
+  }
+
+  return {
+    issuer: {
+      name: process.env.ACTUAL_OPENID_PROVIDER_NAME,
+      authorization_endpoint: process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT,
+      token_endpoint: process.env.ACTUAL_OPENID_TOKEN_ENDPOINT,
+      userinfo_endpoint: process.env.ACTUAL_OPENID_USERINFO_ENDPOINT,
+    },
+    client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+    client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+    server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+  };
+})();
+
+const openId = finalConfig?.openId ?? openIdEnv;
 if (!openId) {
  console.error('missing openid configuration');
  process.exit(1);