From 748cf8cb4c7cecca1aadc730f760559b4c008a89 Mon Sep 17 00:00:00 2001
From: The Howling Whispers <admin@thehowlingwhispers.com>
Date: Tue, 30 Jun 2026 17:39:21 +0200
Subject: [PATCH] Fix: defer env var reading to request time (ES module
 hoisting bug)

---
 index.js          | 13 ++++++++++++-
 routes/discord.js | 24 ++++++++++++++++--------
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/index.js b/index.js
index 8e36867..46068ba 100644
--- a/index.js
+++ b/index.js
@@ -19,7 +19,18 @@ app.use(express.static(path.join(__dirname, 'public')));
 app.use('/auth', discordRoutes);
 
 app.get('/health', (req, res) => {
-  res.json({ status: 'ok', service: 'thw-auth', timestamp: new Date().toISOString() });
+  res.json({
+    status: 'ok',
+    service: 'thw-auth',
+    timestamp: new Date().toISOString(),
+    env: {
+      hasClientId: !!process.env.DISCORD_CLIENT_ID,
+      hasClientSecret: !!process.env.DISCORD_CLIENT_SECRET,
+      hasRedirectUri: !!process.env.DISCORD_REDIRECT_URI,
+      redirectUri: process.env.DISCORD_REDIRECT_URI,
+      nodeEnv: process.env.NODE_ENV,
+    }
+  });
 });
 
 app.listen(PORT, () => {
diff --git a/routes/discord.js b/routes/discord.js
index aee2a10..2e2c3fe 100644
--- a/routes/discord.js
+++ b/routes/discord.js
@@ -7,9 +7,17 @@ const router = Router();
 
 const DISCORD_API = 'https://discord.com/api';
 
-const DISCORD_CLIENT_ID = process.env.DISCORD_CLIENT_ID;
-const DISCORD_CLIENT_SECRET = process.env.DISCORD_CLIENT_SECRET;
-const DISCORD_REDIRECT_URI = process.env.DISCORD_REDIRECT_URI;
+function getDiscordClientId() {
+  return process.env.DISCORD_CLIENT_ID;
+}
+
+function getDiscordClientSecret() {
+  return process.env.DISCORD_CLIENT_SECRET;
+}
+
+function getDiscordRedirectUri() {
+  return process.env.DISCORD_REDIRECT_URI;
+}
 
 const WHITELIST = new Set([
   '1207017997173137481'
@@ -23,8 +31,8 @@ router.get('/discord', (req, res) => {
   const next = req.query.next || '/';
   const safeNext = next.startsWith('/') && !next.startsWith('//') ? next : '/';
   const params = new URLSearchParams({
-    client_id: DISCORD_CLIENT_ID,
-    redirect_uri: DISCORD_REDIRECT_URI,
+    client_id: getDiscordClientId(),
+    redirect_uri: getDiscordRedirectUri(),
     response_type: 'code',
     scope: 'identify',
     state: safeNext,
@@ -47,11 +55,11 @@ router.get('/discord/callback', async (req, res) => {
       method: 'POST',
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
       body: new URLSearchParams({
-        client_id: DISCORD_CLIENT_ID,
-        client_secret: DISCORD_CLIENT_SECRET,
+        client_id: getDiscordClientId(),
+        client_secret: getDiscordClientSecret(),
         grant_type: 'authorization_code',
         code,
-        redirect_uri: DISCORD_REDIRECT_URI,
+        redirect_uri: getDiscordRedirectUri(),
       }).toString(),
     });
     if (!tokenRes.ok) {