finance: harden actual openid bootstrap

services/finance/scripts/actual_openid_bootstrap.mjs

@@ -36,7 +36,37 @@ const loadConfigUrl = pathToFileURL(path.join(root, 'src', 'load-config.js')).hr
 const accountDb = await import(accountDbUrl);
 const { default: finalConfig } = await import(loadConfigUrl);
 
-const openId = finalConfig?.openId;
+const openIdEnv = (() => {
+  if (
+    !process.env.ACTUAL_OPENID_DISCOVERY_URL &&
+    !process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT
+  ) {
+    return null;
+  }
+
+  if (process.env.ACTUAL_OPENID_DISCOVERY_URL) {
+    return {
+      issuer: process.env.ACTUAL_OPENID_DISCOVERY_URL,
+      client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+      client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+      server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+    };
+  }
+
+  return {
+    issuer: {
+      name: process.env.ACTUAL_OPENID_PROVIDER_NAME,
+      authorization_endpoint: process.env.ACTUAL_OPENID_AUTHORIZATION_ENDPOINT,
+      token_endpoint: process.env.ACTUAL_OPENID_TOKEN_ENDPOINT,
+      userinfo_endpoint: process.env.ACTUAL_OPENID_USERINFO_ENDPOINT,
+    },
+    client_id: process.env.ACTUAL_OPENID_CLIENT_ID,
+    client_secret: process.env.ACTUAL_OPENID_CLIENT_SECRET,
+    server_hostname: process.env.ACTUAL_OPENID_SERVER_HOSTNAME,
+  };
+})();
+
+const openId = finalConfig?.openId ?? openIdEnv;
 if (!openId) {
   console.error('missing openid configuration');
   process.exit(1);