Migrate functions.config() reads to process.env #766

Merged
rzueger merged 1 commit into develop from chore/migrate-functions-config-to-env
May 15, 2026

@rzueger rzueger commented May 15, 2026

Summary

Replaces the five remaining Gen 1 functions.config() reads with direct process.env access, completing the prep work needed for the upcoming firebase-functions v6 → v7 bump (v7 removes functions.config() entirely; calling it throws).

Production code (5 files):

| File | Env var(s) | Notes |
| --- | --- | --- |
| functions/api/basicAuth.js | API_SERVICEUSER_USERNAME, API_SERVICEUSER_PASSWORD | Module-load read; dropped firebase-functions/v1 import. |
| functions/auth/createTestEmailToken.js | TESTING_ENABLED (compared === 'true') | Runtime read. Kept firebase-functions/v1 import (still needed for .region().https.onRequest). |
| functions/auth/webauthnHelpers.js | WEBAUTHN_RPID, WEBAUTHN_RPNAME (default 'Flightbox'), WEBAUTHN_ORIGINS (CSV → trimmed array) | Runtime read. Dropped legacy alias-handling (rp_id/expected_origins/expectedorigins) and the Array.isArray(originsRaw) branch — env vars are always strings. |
| functions/auth/modes/flightnet/index.js | AUTH_STATIC_CREDENTIALS (CSV user:pass) | Module-load read. |
| functions/auth/modes/ip/index.js | AUTH_IPS (CSV) | Module-load read. |

Also drops the process.env.K_CONFIGURATION ? {} : functions.config() guard in the three files that had it — the guard existed only because functions.config() throws in Gen 2 runtimes; process.env behaves identically in both, so the guard is dead code now.

Specs (5 files): mechanical swap — jest.mock('firebase-functions/v1', { config: ... }) replaced with process.env.X = ... in beforeEach and delete process.env.X in afterEach. Same coverage. One stale test removed in webauthnHelpers.spec.js (accepts origins as array — no longer applicable) and two added (trims whitespace around CSV origins, defaults rpName to "Flightbox").

CI workflows (firebase-hosting-{dev,prod}.yml): heredoc extended to write the new keys from per-env GH vars and secrets. API_SERVICEUSER_PASSWORD and AUTH_STATIC_CREDENTIALS are secrets; the rest are vars. Unset values render as empty strings, which the code's guards treat as disabled.

Tests: 36 suites / 314 tests passing. grep functions.config functions/ returns zero hits.

Un-draft checklist (track 2 — must complete before merging)

This PR is intentionally a draft. Merging without track 2 will cause every Gen 1 function that read functions.config() to start receiving empty values on the next deploy — auth will break.

  • WebAuthn alias audit: run firebase functions:config:get webauthn --project <projectId> for each of the 6 dev + 5 prod projects and verify origins/rpid use the canonical keys. If any env uses rp_id / expected_origins / expectedorigins, canonicalize on copy into GH vars (or revert the alias-drop in webauthnHelpers.js via follow-up commit).
  • CSV-stringify array origins: if any env stores webauthn.origins as a JSON array (["a","b"]), convert to CSV (a,b) before setting WEBAUTHN_ORIGINS.
  • Populate per-env GH vars on all 11 envs (6 dev + 5 prod): API_SERVICEUSER_USERNAME, AUTH_IPS, TESTING_ENABLED, WEBAUTHN_RPID, WEBAUTHN_RPNAME, WEBAUTHN_ORIGINS.
  • Populate per-env GH secrets on all 11 envs: API_SERVICEUSER_PASSWORD, AUTH_STATIC_CREDENTIALS.
  • TESTING_ENABLED note: createTestEmailToken.js is now strict — only the literal string "true" enables the endpoint. Set TESTING_ENABLED=true on cypress-testing and any other test env that needs it (no longer accepts "1", "yes", etc.).
  • Secret-character hygiene: confirm API_SERVICEUSER_PASSWORD does not contain #, =, leading/trailing whitespace, or newlines — the CI heredoc writes raw values into a dotenv file without quoting, and those characters break the dotenv parser. AUTH_STATIC_CREDENTIALS is structurally user:pw,user:pw, so it's safe.

Post-merge canary

  1. Watch build_and_deploy_functions for lszm_test (the test project per repo convention); confirm the heredoc step renders the expected .env.<projectId> and firebase deploy reports no config errors.
  2. Probe deployed endpoints on lszm-test: API basic-auth (200), IP-mode allowed/disallowed (success/401), createTestEmailToken (token if TESTING_ENABLED=true, else 403), WebAuthn registration round-trip.
  3. firebase functions:log --project <projectId> — confirm no functions.config() is no longer available errors and no WebAuthn RP config missing errors.
  4. Roll across the remaining dev envs, then merge to master for prod rollout.

Follow-up

Once this is deployed cleanly to all dev envs, PR C is a one-line firebase-functions ^6.6.0 → ^7.0.0 bump in functions/package.json + lockfile.
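A preflight for the secret-character hygiene item in the checklist above, as an added example that is not part of the PR or the project's code: it flags values containing the characters the checklist names before they are written unquoted into a dotenv file. The function names and sample values are assumptions made for illustration.

```javascript
// Added example, not project code. Flags values that are unsafe to write
// unquoted as KEY=value lines, using the characters named in the checklist.
const UNSAFE_CHECKS = [
  ['contains "#"', (v) => v.includes('#')],
  ['contains "="', (v) => v.includes('=')],
  ['contains a newline', (v) => /[\r\n]/.test(v)],
  ['has leading or trailing whitespace', (v) => v !== v.trim()],
];

function dotenvUnsafeReasons(value) {
  return UNSAFE_CHECKS.filter(([, test]) => test(value)).map(([label]) => label);
}

// Audits the named variables and reports names and reasons only, never the
// values, so the report can be printed in CI logs without leaking a secret.
function auditEnv(env, names) {
  const findings = [];
  for (const name of names) {
    const value = env[name];
    if (value === undefined || value === '') continue; // unset renders as empty
    const reasons = dotenvUnsafeReasons(value);
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample values (placeholders, not real credentials).
const sampleSecrets = {
  API_SERVICEUSER_USERNAME: 'svc-user',
  API_SERVICEUSER_PASSWORD: 'p#ss=word ',
  AUTH_STATIC_CREDENTIALS: 'alice:pw1,bob:pw2',
  WEBAUTHN_ORIGINS: 'https://a.example,https://b.example',
};

for (const f of auditEnv(sampleSecrets, Object.keys(sampleSecrets))) {
  console.log(`${f.name}: ${f.reasons.join('; ')}`);
}
```

Run against `process.env` in the workflow step that precedes the heredoc, and fail the job when `auditEnv` returns any finding.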

Replaces the five remaining Gen 1 functions.config() reads with
direct process.env access, completing the prep needed for the
firebase-functions v6 -> v7 bump (v7 removes functions.config()
entirely; it throws on call).

Production code:
- api/basicAuth.js               API_SERVICEUSER_USERNAME / _PASSWORD
- auth/createTestEmailToken.js   TESTING_ENABLED
- auth/webauthnHelpers.js        WEBAUTHN_RPID / _RPNAME / _ORIGINS
- auth/modes/flightnet/index.js  AUTH_STATIC_CREDENTIALS
- auth/modes/ip/index.js         AUTH_IPS

Drops the `process.env.K_CONFIGURATION ? {} : functions.config()`
guard in the three files that had it. The guard existed only
because functions.config() throws in Gen 2 runtimes; process.env
behaves identically in both, so the guard is dead code now.

In webauthnHelpers.js, also drops the legacy alias-handling
(`rp_id`/`expected_origins`/`expectedorigins`) and the
Array.isArray(originsRaw) branch. Env vars are always strings, so
only canonical CSV is accepted. Track 2 (GH var population) must
canonicalize any alias-using env on copy.

Spec migration is purely mechanical: jest.mock('firebase-functions
/v1', { config: ... }) replaced with process.env.X = ... in
beforeEach + delete in afterEach. Same coverage. One stale test
removed ("accepts origins as array") and two added in
webauthnHelpers.spec.js ("trims whitespace", "defaults rpName").

CI workflows (firebase-hosting-{dev,prod}.yml) extended to write
the new keys into functions/.env.<projectId> from per-env GH vars
and secrets. API_SERVICEUSER_PASSWORD and AUTH_STATIC_CREDENTIALS
are secrets; the rest are vars. Unset values render as empty
strings, which the code's existing guards treat as disabled.

This PR is gated on track 2 (populating GH vars/secrets across
the 6 dev + 5 prod environments and the WebAuthn alias audit)
before un-drafting and merging.

Full suite: 36 suites / 314 tests passing.
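The env-var semantics described in the commit message above (canonical CSV only, trimmed origins, the 'Flightbox' default, strict `TESTING_ENABLED`, empty values treated as disabled), as an added example that is not the project's code. Helper names, the throw on missing WebAuthn config and the split-at-first-colon rule are assumptions.

```javascript
// Added example, not project code; helper names are hypothetical.
// Split a CSV env value into trimmed, non-empty entries; unset or empty -> [].
function csv(raw) {
  return (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// WEBAUTHN_*: canonical keys only, CSV origins, rpName defaults to 'Flightbox'.
// Assumption: a missing rpID or empty origin list throws instead of falling back.
function readWebauthnConfig(env) {
  const rpID = (env.WEBAUTHN_RPID || '').trim();
  const origins = csv(env.WEBAUTHN_ORIGINS);
  if (!rpID || origins.length === 0) throw new Error('WebAuthn RP config missing');
  return { rpID, rpName: env.WEBAUTHN_RPNAME || 'Flightbox', origins };
}

// TESTING_ENABLED: only the literal string 'true' enables the endpoint.
function testingEnabled(env) {
  return env.TESTING_ENABLED === 'true';
}

// AUTH_STATIC_CREDENTIALS: CSV of user:pass. Assumption: split at the first ':'
// and skip malformed entries, so an empty value accepts no credentials.
function readStaticCredentials(env) {
  const creds = new Map();
  for (const entry of csv(env.AUTH_STATIC_CREDENTIALS)) {
    const i = entry.indexOf(':');
    if (i <= 0 || i === entry.length - 1) continue;
    creds.set(entry.slice(0, i), entry.slice(i + 1));
  }
  return creds;
}

// Constructed sample environment (placeholder values, not real configuration).
const sampleEnv = {
  WEBAUTHN_RPID: 'app.example',
  WEBAUTHN_ORIGINS: ' https://app.example , https://admin.app.example,',
  TESTING_ENABLED: '1',
  AUTH_STATIC_CREDENTIALS: 'alice:s3cret,broken,:nopass,bob:pw:with:colons',
  AUTH_IPS: '',
};

console.log(readWebauthnConfig(sampleEnv));
console.log('testing enabled:', testingEnabled(sampleEnv));
console.log('static users:', [...readStaticCredentials(sampleEnv).keys()]);
console.log('allowed IPs:', csv(sampleEnv.AUTH_IPS));
```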
@rzueger rzueger marked this pull request as ready for review May 15, 2026 17:28
@rzueger rzueger merged commit ae0c662 into develop May 15, 2026
2 checks passed
@rzueger rzueger deleted the chore/migrate-functions-config-to-env branch May 15, 2026 17:28