Separate environment configs (outline#6597)

* Separate environment configs

* wip

* wip

* test

* plugins

* test

* test

* .sequelizerc, unfortunately can't go through /utils/environment due to not supporting TS

* docker-compose -> docker compose

* fix: .local wipes .development

* Add custom validation message for invalid SECRET_KEY (often confused)

Author: tommoor

.circleci/config.yml

@@ -13,13 +13,8 @@ defaults: &defaults
   resource_class: large
   environment:
     NODE_ENV: test
-    SECRET_KEY: F0E5AD933D7F6FD8F4DBB3E038C501C052DC0593C686D21ACB30AE205D2F634B
-    DATABASE_URL_TEST: postgres://postgres:password@localhost:5432/circle_test
     DATABASE_URL: postgres://postgres:password@localhost:5432/circle_test
     URL: http://localhost:3000
-    SMTP_FROM_EMAIL: hello@example.com
-    AWS_S3_UPLOAD_BUCKET_URL: https://s3.amazonaws.com
-    AWS_S3_UPLOAD_BUCKET_NAME: outline-circle
     NODE_OPTIONS: --max-old-space-size=8000
 
 executors:
@@ -89,7 +84,7 @@ jobs:
           key: dependency-cache-v1-{{ checksum "package.json" }}
       - run:
           name: migrate
-          command: ./node_modules/.bin/sequelize db:migrate --url $DATABASE_URL_TEST
+          command: ./node_modules/.bin/sequelize db:migrate
       - run:
           name: test
           command: |

.env.development

@@ -0,0 +1,10 @@
+URL=https://local.outline.dev:3000
+
+SMTP_FROM_EMAIL=hello@example.com
+
+# Enable unsafe-inline in script-src CSP directive
+# Setting it to true allows React dev tools add-on in Firefox to successfully detect the project
+DEVELOPMENT_UNSAFE_INLINE_CSP=true
+
+# Increase the log level to debug for development
+LOG_LEVEL=debug

.env.sample

@@ -13,7 +13,6 @@ UTILS_SECRET=generate_a_new_key
 # For production point these at your databases, in development the default
 # should work out of the box.
 DATABASE_URL=postgres://user:pass@localhost:5432/outline
-DATABASE_URL_TEST=postgres://user:pass@localhost:5432/outline-test
 DATABASE_CONNECTION_POOL_MIN=
 DATABASE_CONNECTION_POOL_MAX=
 # Uncomment this to disable SSL for connecting to Postgres
@@ -30,7 +29,7 @@ REDIS_URL=redis://localhost:6379
 
 # URL should point to the fully qualified, publicly accessible URL. If using a
 # proxy the port in URL and PORT may be different.
-URL=https://app.outline.dev:3000
+URL=
 PORT=3000
 
 # See [documentation](docs/SERVICES.md) on running a separate collaboration
@@ -166,9 +165,6 @@ SLACK_VERIFICATION_TOKEN=your_token
 SLACK_APP_ID=A0XXXXXXX
 SLACK_MESSAGE_ACTIONS=true
 
-# Optionally enable google analytics to track pageviews in the knowledge base
-GOOGLE_ANALYTICS_ID=
-
 # Optionally enable Sentry (sentry.io) to track errors and performance,
 # and optionally add a Sentry proxy tunnel for bypassing ad blockers in the UI:
 # https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option)
@@ -181,8 +177,8 @@ SMTP_HOST=
 SMTP_PORT=
 SMTP_USERNAME=
 SMTP_PASSWORD=
-SMTP_FROM_EMAIL=hello@example.com
-SMTP_REPLY_EMAIL=hello@example.com
+SMTP_FROM_EMAIL=
+SMTP_REPLY_EMAIL=
 SMTP_TLS_CIPHERS=
 SMTP_SECURE=true
 
@@ -198,10 +194,5 @@ RATE_LIMITER_REQUESTS=1000
 RATE_LIMITER_DURATION_WINDOW=60
 
 # Iframely API config
-# IFRAMELY_URL=
-# IFRAMELY_API_KEY=
-
-# Enable unsafe-inline in script-src CSP directive
-# Setting it to true allows React dev tools add-on in
-# Firefox to successfully detect the project
-DEVELOPMENT_UNSAFE_INLINE_CSP=false
+IFRAMELY_URL=
+IFRAMELY_API_KEY=

.env.test

@@ -0,0 +1,26 @@
+NODE_ENV=test
+DATABASE_URL=postgres://user:pass@127.0.0.1:5432/outline-test
+SECRET_KEY=F0E5AD933D7F6FD8F4DBB3E038C501C052DC0593C686D21ACB30AE205D2F634B
+
+SMTP_HOST=smtp.example.com
+SMTP_FROM_EMAIL=hello@example.com
+SMTP_REPLY_EMAIL=hello@example.com
+
+GOOGLE_CLIENT_ID=123
+GOOGLE_CLIENT_SECRET=123
+
+SLACK_CLIENT_ID=123
+SLACK_CLIENT_SECRET=123
+
+OIDC_CLIENT_ID=client-id
+OIDC_CLIENT_SECRET=client-secret
+OIDC_AUTH_URI=http://localhost/authorize
+OIDC_TOKEN_URI=http://localhost/token
+OIDC_USERINFO_URI=http://localhost/userinfo
+
+IFRAMELY_API_KEY=123
+
+RATE_LIMITER_ENABLED=false
+
+FILE_STORAGE=local
+FILE_STORAGE_LOCAL_ROOT_DIR=/tmp

.gitignore

@@ -2,6 +2,8 @@ dist
 build
 node_modules/*
 .env
+.env.local
+.env.production
 .log
 .vscode/*
 npm-debug.log

.jestconfig.json

@@ -9,7 +9,7 @@
         "^@server/(.*)$": "<rootDir>/server/$1",
         "^@shared/(.*)$": "<rootDir>/shared/$1"
       },
-      "setupFiles": ["<rootDir>/__mocks__/console.js", "<rootDir>/server/test/env.ts"],
+      "setupFiles": ["<rootDir>/__mocks__/console.js"],
       "setupFilesAfterEnv": ["<rootDir>/server/test/setup.ts"],
       "globalSetup": "<rootDir>/server/test/globalSetup.js",
       "globalTeardown": "<rootDir>/server/test/globalTeardown.js",

.sequelizerc

@@ -1,10 +1,11 @@
-require('dotenv').config({ silent: true });
+require("dotenv").config({
+  path: process.env.NODE_ENV === "test" ? ".env.test" : ".env",
+});
 
 var path = require('path');
 
 module.exports = {
   'config': path.resolve('server/config', 'database.json'),
   'migrations-path': path.resolve('server', 'migrations'),
   'models-path': path.resolve('server', 'models'),
-  'seeders-path': path.resolve('server/models', 'fixtures'),
 }

Makefile

@@ -1,28 +1,28 @@
 up:
-	docker-compose up -d redis postgres
+	docker compose up -d redis postgres
 	yarn install-local-ssl
 	yarn install --pure-lockfile
 	yarn dev:watch
 
 build:
-	docker-compose build --pull outline
+	docker compose build --pull outline
 
 test:
-	docker-compose up -d redis postgres
-	yarn sequelize db:drop --env=test
-	yarn sequelize db:create --env=test
-	NODE_ENV=test yarn sequelize db:migrate --env=test
+	docker compose up -d redis postgres
+	NODE_ENV=test yarn sequelize db:drop
+	NODE_ENV=test yarn sequelize db:create
+	NODE_ENV=test yarn sequelize db:migrate
 	yarn test
 
 watch:
-	docker-compose up -d redis postgres
-	yarn sequelize db:drop --env=test
-	yarn sequelize db:create --env=test
-	NODE_ENV=test yarn sequelize db:migrate --env=test
+	docker compose up -d redis postgres
+	NODE_ENV=test yarn sequelize db:drop
+	NODE_ENV=test yarn sequelize db:create
+	NODE_ENV=test yarn sequelize db:migrate
 	yarn test:watch
 
 destroy:
-	docker-compose stop
-	docker-compose rm -f
+	docker compose stop
+	docker compose rm -f
 
 .PHONY: up build destroy test watch # let's go to reserve rules names

app/actions/definitions/navigation.tsx

@@ -26,7 +26,6 @@ import SearchQuery from "~/models/SearchQuery";
 import KeyboardShortcuts from "~/scenes/KeyboardShortcuts";
 import { createAction } from "~/actions";
 import { NavigationSection, RecentSearchesSection } from "~/actions/sections";
-import env from "~/env";
 import Desktop from "~/utils/Desktop";
 import history from "~/utils/history";
 import isCloudHosted from "~/utils/isCloudHosted";
@@ -212,9 +211,6 @@ export const logout = createAction({
   icon: <LogoutIcon />,
   perform: () => {
     void stores.auth.logout();
-    if (env.OIDC_LOGOUT_URI) {
-      window.location.replace(env.OIDC_LOGOUT_URI);
-    }
   },
 });
 

app/scenes/Logout.tsx

@@ -1,15 +1,10 @@
 import * as React from "react";
 import { Redirect } from "react-router-dom";
-import env from "~/env";
 import useStores from "~/hooks/useStores";
 
 const Logout = () => {
   const { auth } = useStores();
   void auth.logout();
-  if (env.OIDC_LOGOUT_URI) {
-    window.location.replace(env.OIDC_LOGOUT_URI);
-    return null;
-  }
   return <Redirect to="/" />;
 };
 

app/stores/AuthStore.ts

@@ -14,6 +14,7 @@ import { PartialWithId } from "~/types";
 import { client } from "~/utils/ApiClient";
 import Desktop from "~/utils/Desktop";
 import Logger from "~/utils/Logger";
+import history from "~/utils/history";
 import isCloudHosted from "~/utils/isCloudHosted";
 import Store from "./base/Store";
 
@@ -304,16 +305,15 @@ export default class AuthStore extends Store<Team> {
     }
   };
 
+  /**
+   * Logs the user out and optionally revokes the authentication token.
+   *
+   * @param savePath Whether the current path should be saved and returned to after login.
+   * @param tryRevokingToken Whether the auth token should attempt to be revoked, this should be
+   * disabled with requests from ApiClient to prevent infinite loops.
+   */
   @action
-  logout = async (
-    /** Whether the current path should be saved and returned to after login */
-    savePath = false,
-    /**
-     * Whether the auth token should attempt to be revoked, this should be disabled
-     * with requests from ApiClient to prevent infinite loops.
-     */
-    tryRevokingToken = true
-  ) => {
+  logout = async (savePath = false, tryRevokingToken = true) => {
     // if this logout was forced from an authenticated route then
     // save the current path so we can go back there once signed in
     if (savePath) {
@@ -348,9 +348,16 @@ export default class AuthStore extends Store<Team> {
     this.currentUserId = null;
     this.currentTeamId = null;
     this.collaborationToken = null;
+    this.rootStore.clear();
 
     // Tell the host application we logged out, if any – allows window cleanup.
-    void Desktop.bridge?.onLogout?.();
-    this.rootStore.clear();
+    if (Desktop.isElectron()) {
+      void Desktop.bridge?.onLogout?.();
+    } else if (env.OIDC_LOGOUT_URI) {
+      window.location.replace(env.OIDC_LOGOUT_URI);
+      return;
+    }
+
+    history.replace("/");
   };
 }

package.json

@@ -99,7 +99,7 @@
     "date-fns": "^2.30.0",
     "dd-trace": "^3.33.0",
     "diff": "^5.1.0",
-    "dotenv": "^4.0.0",
+    "dotenv": "^16.4.5",
     "email-providers": "^1.14.0",
     "emoji-mart": "^5.5.2",
     "emoji-regex": "^10.3.0",
@@ -247,6 +247,7 @@
     "@types/body-scroll-lock": "^3.1.0",
     "@types/crypto-js": "^4.2.1",
     "@types/diff": "^5.0.4",
+    "@types/dotenv": "^8.2.0",
     "@types/emoji-regex": "^9.2.0",
     "@types/express-useragent": "^1.0.2",
     "@types/formidable": "^2.0.6",

plugins/azure/server/auth/azure.ts

@@ -6,7 +6,6 @@ import Router from "koa-router";
 import { Profile } from "passport";
 import { slugifyDomain } from "@shared/utils/domains";
 import accountProvisioner from "@server/commands/accountProvisioner";
-import env from "@server/env";
 import { MicrosoftGraphError } from "@server/errors";
 import passportMiddleware from "@server/middlewares/passport";
 import { User } from "@server/models";
@@ -17,6 +16,7 @@ import {
   getTeamFromContext,
   getClientFromContext,
 } from "@server/utils/passport";
+import env from "../env";
 
 const router = new Router();
 const providerName = "azure";

server/utils/azure.ts plugins/azure/server/azure.ts

@@ -1,6 +1,7 @@
+import invariant from "invariant";
 import JWT from "jsonwebtoken";
-import env from "@server/env";
-import OAuthClient from "./oauth";
+import OAuthClient from "@server/utils/oauth";
+import env from "./env";
 
 type AzurePayload = {
   /** A GUID that represents the Azure AD tenant that the user is from */
@@ -14,6 +15,13 @@ export default class AzureClient extends OAuthClient {
     userinfo: "https://graph.microsoft.com/v1.0/me",
   };
 
+  constructor() {
+    invariant(env.AZURE_CLIENT_ID, "AZURE_CLIENT_ID is required");
+    invariant(env.AZURE_CLIENT_SECRET, "AZURE_CLIENT_SECRET is required");
+
+    super(env.AZURE_CLIENT_ID, env.AZURE_CLIENT_SECRET);
+  }
+
   async rotateToken(
     accessToken: string,
     refreshToken: string

plugins/azure/server/env.ts

@@ -0,0 +1,27 @@
+import { IsOptional } from "class-validator";
+import { Environment } from "@server/env";
+import environment from "@server/utils/environment";
+import { CannotUseWithout } from "@server/utils/validators";
+
+class AzurePluginEnvironment extends Environment {
+  /**
+   * Azure OAuth2 client credentials. To enable authentication with Azure.
+   */
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_SECRET")
+  public AZURE_CLIENT_ID = this.toOptionalString(environment.AZURE_CLIENT_ID);
+
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_ID")
+  public AZURE_CLIENT_SECRET = this.toOptionalString(
+    environment.AZURE_CLIENT_SECRET
+  );
+
+  @IsOptional()
+  @CannotUseWithout("AZURE_CLIENT_ID")
+  public AZURE_RESOURCE_APP_ID = this.toOptionalString(
+    environment.AZURE_RESOURCE_APP_ID
+  );
+}
+
+export default new AzurePluginEnvironment();

plugins/google/server/auth/google.ts

@@ -6,7 +6,6 @@ import { Profile } from "passport";
 import { Strategy as GoogleStrategy } from "passport-google-oauth2";
 import { slugifyDomain } from "@shared/utils/domains";
 import accountProvisioner from "@server/commands/accountProvisioner";
-import env from "@server/env";
 import {
   GmailAccountCreationError,
   TeamDomainRequiredError,
@@ -19,6 +18,7 @@ import {
   getTeamFromContext,
   getClientFromContext,
 } from "@server/utils/passport";
+import env from "../env";
 
 const router = new Router();
 const providerName = "google";

plugins/google/server/env.ts

@@ -0,0 +1,21 @@
+import { IsOptional } from "class-validator";
+import { Environment } from "@server/env";
+import environment from "@server/utils/environment";
+import { CannotUseWithout } from "@server/utils/validators";
+
+class GooglePluginEnvironment extends Environment {
+  /**
+   * Google OAuth2 client credentials. To enable authentication with Google.
+   */
+  @IsOptional()
+  @CannotUseWithout("GOOGLE_CLIENT_SECRET")
+  public GOOGLE_CLIENT_ID = this.toOptionalString(environment.GOOGLE_CLIENT_ID);
+
+  @IsOptional()
+  @CannotUseWithout("GOOGLE_CLIENT_ID")
+  public GOOGLE_CLIENT_SECRET = this.toOptionalString(
+    environment.GOOGLE_CLIENT_SECRET
+  );
+}
+
+export default new GooglePluginEnvironment();