Skip to content

really lazy replace env vars to allow for parallel secret loading during plugin init #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

really lazy replace env vars to allow for parallel secret loading during plugin init #9

wants to merge 1 commit into from
+463 −57

Conversation

@heskew
Copy link
Contributor

@heskew heskew commented Nov 5, 2025

resolves #8

@heskew heskew requested a review from a team as a code owner November 5, 2025 02:46
kriszyp
kriszyp approved these changes Nov 5, 2025
View reviewed changes
Copy link
Member

@kriszyp kriszyp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. But we really should get the race condition addressed. Do you have any idea if it is bug in the secrets/env loader (not returning a promise that resolves after env loaded) or if it is a core component loader bug (not waiting for the promise to resolve)? Might be something for @Ethan-Arrowood to look at?

@heskew
Copy link
Contributor Author

heskew commented Nov 5, 2025

Ok. But we really should get the race condition addressed. Do you have any idea if it is bug in the secrets/env loader (not returning a promise that resolves after env loaded) or if it is a core component loader bug (not waiting for the promise to resolve)? Might be something for @Ethan-Arrowood to look at?

@kriszyp This really is a fun one. The harper app has the oauth plugin in its own config.yaml, before has a resources config with a resources.js that loads secrets, e.g. await loadsecrets() which downloads secrets from a service and stuffs those into process.env - but that happens after the oauth plugin env var substitution happens (currently). I've reprod this with a local secrets file in resources.js...

@kriszyp
Copy link
Member

kriszyp commented Nov 5, 2025
edited
Loading

Ok, I see what is going on here. I had actually thought we were using a plugin for loading secrets, which I believe would make this a little more straightforward since a secrets plugin could return a promise from handleApplication and ensure that component loading waits for the secrets to finish loading.
But we are using resources.js which uses jsResource. And indeed this built-in plugin is not really properly waiting for the loading resource modules. It is not waiting for import and it doesn't really have a way to wait for all resources to be notified. Ticket filed here: HarperFast/harper#29
Anyway, this looks good.

cb1kenobi
cb1kenobi reviewed Nov 5, 2025
View reviewed changes
src/index.ts
Comment on lines +89 to +91
for (const [key, value] of Object.entries(rawOptions)) {
if (typeof value === 'string' && value.startsWith('${') && value.endsWith('}')) {
const envVar = value.slice(2, -1);
Copy link

@cb1kenobi cb1kenobi Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You no like regexes?

Suggested change
for (const [key, value] of Object.entries(rawOptions)) {
if (typeof value === 'string' && value.startsWith('${') && value.endsWith('}')) {
const envVar = value.slice(2, -1);
const re = /^\${(.+)}$/;
for (const [key, value] of Object.entries(rawOptions)) {
const m = typeof value === 'string' && value.match(re);
if (m) {
const envVar = m[1];

J/K, yours is more readable, though I do wonder which is faster...

Copy link
Contributor Author

@heskew heskew Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could be an interesting test...might try something later

src/lib/config.ts
const missingFields = REQUIRED_PROVIDER_FIELDS.filter((key) => {
const value = config[key as keyof OAuthProviderConfig];
// Consider env var placeholders as "missing" if they haven't been loaded yet
return !value || (typeof value === 'string' && value.startsWith('${') && value.endsWith('}'));
Copy link

@cb1kenobi cb1kenobi Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

!value will cause 0 and '' (empty strings) to be true. Maybe this should check if value !== undefined or maybe !Object.hasOwn(config, key)?

src/lib/config.ts
Comment on lines +208 to +211
const missingFields = REQUIRED_PROVIDER_FIELDS.filter((key) => {
const value = config[key as keyof OAuthProviderConfig];
return !value || (typeof value === 'string' && value.startsWith('${') && value.endsWith('}'));
});
Copy link

@cb1kenobi cb1kenobi Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Duplicate code? Could this be handled by a function?

Copy link
Contributor Author

@heskew heskew Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should totally be pulled out :) -> https://github.com/HarperFast/oauth/pull/11/files

@heskew
Copy link
Contributor Author

heskew commented Nov 6, 2025

going to hold off on this pr to see if resolving this issue is sufficient: HarperFast/harper#29

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cb1kenobi cb1kenobi cb1kenobi left review comments

@kriszyp kriszyp kriszyp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Config environment variable substitution can be attempted too early, leaving template strings un-substituted

4 participants

@heskew @kriszyp @cb1kenobi