From cee565892be2bebe7b5c813e95c6a3649f9f83f1 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sat, 17 Jan 2026 02:43:25 -0300
Subject: [PATCH] finance: harden actual openid bootstrap
---
 .../scripts/actual_openid_bootstrap.mjs | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/services/finance/scripts/actual_openid_bootstrap.mjs b/services/finance/scripts/actual_openid_bootstrap.mjs
index af14524..3b66fc2 100644
--- a/services/finance/scripts/actual_openid_bootstrap.mjs
+++ b/services/finance/scripts/actual_openid_bootstrap.mjs
@@ -36,7 +36,37 @@ const loadConfigUrl = pathToFileURL(path.join(root, 'src', 'load-config.js')).hr
 const accountDb = await import(accountDbUrl);
 const { default: finalConfig } = await import(loadConfigUrl);
-const openId = finalConfig?.openId;
+const openIdEnv = (() => {
+ if (
+ !process.env.ACTUAL_OPENID_DISCOVERY_URL &&
+ !process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT
+ ) {
+ return null;
+ }
+
+ if (process.env.ACTUAL_OPENID_DISCOVERY_URL) {
+ return {
+ issuer: process.env.ACTUAL_OPENID_DISCOVERY_URL,
+ client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+ client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+ server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+ };
+ }
+
+ return {
+ issuer: {
+ name: process.env.ACTUAL_OPENID_PROVIDER_NAME,
+ authorization_endpoint: process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT,
+ token_endpoint: process.env.ACTUAL_OPENID_TOKEN_ENDPOINT,
+ userinfo_endpoint: process.env.ACTUAL_OPENID_USERINFO_ENDPOINT,
+ },
+ client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+ client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+ server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+ };
+})();
+
+const openId = finalConfig?.openId ?? openIdEnv;
 if (!openId) {
 console.error('missing openid configuration');
 process.exit(1);
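Review bot: The env fallback in `openIdEnv` returns an object as soon as `ACTUAL_OPENID_DISCOVERY_URL` or `ACTUAL_OPENID_AUTHORIZATION_ENDPOINT` is set, so an unset `ACTUAL_OPENID_CLIENT_ID` or `ACTUAL_OPENID_CLIENT_SECRET` ends up in `openId` as `undefined` and still passes the `if (!openId)` guard. In the manual-endpoint branch the same applies to the token and userinfo endpoints. Unless the code after this hunk validates those fields, the bootstrap may continue with an incomplete provider configuration; the script runs on past the end of the hunk, so this cannot be confirmed from here. I would fail closed before building the object, for example `for (const k of ['ACTUAL_OPENID_CLIENT_ID', 'ACTUAL_OPENID_CLIENT_SECRET']) if (!process.env[k]) { console.error('missing ' + k); process.exit(1); }`, logging only the variable name and never its value. Also note that `finalConfig?.openId ?? openIdEnv` lets any non-null `openId` from the config file replace the environment settings wholesale, which deserves a one-line comment stating that the precedence is intended.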