Fix: defer env var reading to request time (ES module hoisting bug)

2026-06-30 17:39:21 +02:00 · 2026-06-30 17:39:21 +02:00 · 748cf8cb4c
commit 748cf8cb4c
parent ba4f9f7377
2 changed files with 28 additions and 9 deletions
--- a/index.js
+++ b/index.js
@ -19,7 +19,18 @@ app.use(express.static(path.join(__dirname, 'public')));
 app.use('/auth', discordRoutes);

 app.get('/health', (req, res) => {
-  res.json({ status: 'ok', service: 'thw-auth', timestamp: new Date().toISOString() });
+  res.json({
+    status: 'ok',
+    service: 'thw-auth',
+    timestamp: new Date().toISOString(),
+    env: {
+      hasClientId: !!process.env.DISCORD_CLIENT_ID,
+      hasClientSecret: !!process.env.DISCORD_CLIENT_SECRET,
+      hasRedirectUri: !!process.env.DISCORD_REDIRECT_URI,
+      redirectUri: process.env.DISCORD_REDIRECT_URI,
+      nodeEnv: process.env.NODE_ENV,
+    }
+  });
 });

 app.listen(PORT, () => {
--- a/routes/discord.js
+++ b/routes/discord.js
@ -7,9 +7,17 @@ const router = Router();

 const DISCORD_API = 'https://discord.com/api';

-const DISCORD_CLIENT_ID = process.env.DISCORD_CLIENT_ID;
-const DISCORD_CLIENT_SECRET = process.env.DISCORD_CLIENT_SECRET;
-const DISCORD_REDIRECT_URI = process.env.DISCORD_REDIRECT_URI;
+function getDiscordClientId() {
+  return process.env.DISCORD_CLIENT_ID;
+}
+
+function getDiscordClientSecret() {
+  return process.env.DISCORD_CLIENT_SECRET;
+}
+
+function getDiscordRedirectUri() {
+  return process.env.DISCORD_REDIRECT_URI;
+}

 const WHITELIST = new Set([
  '1207017997173137481'
@ -23,8 +31,8 @@ router.get('/discord', (req, res) => {
  const next = req.query.next || '/';
  const safeNext = next.startsWith('/') && !next.startsWith('//') ? next : '/';
  const params = new URLSearchParams({
-    client_id: DISCORD_CLIENT_ID,
-    redirect_uri: DISCORD_REDIRECT_URI,
+    client_id: getDiscordClientId(),
+    redirect_uri: getDiscordRedirectUri(),
    response_type: 'code',
    scope: 'identify',
    state: safeNext,
@ -47,11 +55,11 @@ router.get('/discord/callback', async (req, res) => {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
-        client_id: DISCORD_CLIENT_ID,
-        client_secret: DISCORD_CLIENT_SECRET,
+        client_id: getDiscordClientId(),
+        client_secret: getDiscordClientSecret(),
        grant_type: 'authorization_code',
        code,
-        redirect_uri: DISCORD_REDIRECT_URI,
+        redirect_uri: getDiscordRedirectUri(),
      }).toString(),
    });
    if (!tokenRes.ok) {