chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix(backend/start-staging): Infisical→Nitro env-var mapping

Browse Source 
- SUPABASE_KEY/SERVICE_KEY → SUPABASE_ANON_KEY/SERVICE_ROLE_KEY aliasing
- NUXT_*_API_KEY → fallback to non-prefixed
- NITRO_-Prefix mapping für runtimeConfig-Runtime-Override
  (Nitro standalone bracht NITRO_X-prefix zur runtime override des
  build-time defaults, da Build außerhalb infisical run wrapper läuft)

Verified live auf rebreak-staging: HTTP /api/auth/me mit fake bearer
gibt jetzt 401 statt 500.
This commit is contained in:
chahinebrini 2026-05-07 03:37:16 +02:00
parent d308ea2875
commit cc0fd8f7fa
1 changed files with 37 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
backend/start-staging.sh
View File

@ -1,27 +1,16 @@
#!/bin/bash #!/bin/bash
# rebreak-backend Staging — startet Nitro mit Infisical-Secrets. # rebreak-backend Staging — startet Nitro mit Infisical-Secrets.
# #
# Pattern: infisical login (universal-auth) → infisical run (--env=staging) # Pattern: infisical login → infisical run --env=staging spritzt secrets als
# spritzt secrets als process.env.X in den node-Prozess. # process.env.X. Innerhalb des wrappers mappen wir Infisical's Namen auf die
# Nitro's runtimeConfig (siehe nitro.config.ts) liest sie direkt — kein # Namen die unser Code erwartet (SUPABASE_KEY → SUPABASE_ANON_KEY, NUXT_X → X)
# NUXT_*-Prefix-Mapping mehr nötig (jeder Key in nitro.config.ts hat # UND auf NITRO_-Prefix-Names damit Nitro's runtimeConfig zur Laufzeit overrides.
# `process.env.X ?? ""` als Default).
#
# Pfad-Konvention (Backyard-Layout, post-cutover):
# - Repo-Root: /srv/rebreak
# - Backend-Dir: /srv/rebreak/backend
# - Build-Output (deployt von scripts/deploy.sh): backend/.output-staging/server/index.mjs
#
# IMAP-Services (rebreak-imap-staging, rebreak-idle-staging) sind NICHT mehr
# Teil dieses Scripts — sie werden separat über ecosystem.config.js verwaltet
# (Mo's Scope, fährt unter /srv/rebreak/apps/rebreak/imap-{proxy,idle}/).
set -euo pipefail set -euo pipefail
source /etc/environment source /etc/environment
if [[ -z "${INFISICAL_CLIENT_ID:-}" || -z "${INFISICAL_CLIENT_SECRET:-}" ]]; then if [[ -z "${INFISICAL_CLIENT_ID:-}" || -z "${INFISICAL_CLIENT_SECRET:-}" ]]; then
echo "[start-staging] FEHLER: INFISICAL_CLIENT_ID / INFISICAL_CLIENT_SECRET nicht in /etc/environment" >&2 echo "[start-staging] FEHLER: INFISICAL_CLIENT_ID / SECRET nicht gesetzt" >&2
exit 1 exit 1
fi fi
@ -31,10 +20,7 @@ INFISICAL_TOKEN=$(infisical login \
--client-secret="${INFISICAL_CLIENT_SECRET}" \ --client-secret="${INFISICAL_CLIENT_SECRET}" \
--silent --plain 2>/dev/null) --silent --plain 2>/dev/null)
if [[ -z "$INFISICAL_TOKEN" ]]; then [[ -z "$INFISICAL_TOKEN" ]] && { echo "[start-staging] Infisical login fehlgeschlagen" >&2; exit 1; }
echo "[start-staging] FEHLER: Infisical login fehlgeschlagen" >&2
exit 1
fi
export NODE_ENV=production export NODE_ENV=production
export NITRO_PORT=3016 export NITRO_PORT=3016
@ -44,13 +30,39 @@ export PORT=3016
NODE_BIN="/root/.nvm/versions/node/v24.11.1/bin/node" NODE_BIN="/root/.nvm/versions/node/v24.11.1/bin/node"
INDEX_MJS="/srv/rebreak/backend/.output-staging/server/index.mjs" INDEX_MJS="/srv/rebreak/backend/.output-staging/server/index.mjs"
if [[ ! -f "$INDEX_MJS" ]]; then [[ ! -f "$INDEX_MJS" ]] && { echo "[start-staging] FEHLER: $INDEX_MJS fehlt — deploy.sh laufen lassen" >&2; exit 1; }
echo "[start-staging] FEHLER: $INDEX_MJS nicht gefunden — wurde deploy.sh ausgeführt?" >&2
exit 1
fi
exec infisical run \ exec infisical run \
--projectId="${INFISICAL_PROJECT_ID:-14b11b35-ef59-4b8a-a16b-398f0cc3ad93}" \ --projectId="${INFISICAL_PROJECT_ID:-14b11b35-ef59-4b8a-a16b-398f0cc3ad93}" \
--env=staging \ --env=staging \
--token="$INFISICAL_TOKEN" \ --token="$INFISICAL_TOKEN" \
-- "$NODE_BIN" "$INDEX_MJS" -- bash -c '
set -e
# ─── Infisical-Name-Aliasing → Standard-Namen ──────────────────────
export SUPABASE_ANON_KEY="${SUPABASE_KEY:-${SUPABASE_ANON_KEY:-}}"
export SUPABASE_SERVICE_ROLE_KEY="${SUPABASE_SERVICE_KEY:-${SUPABASE_SERVICE_ROLE_KEY:-}}"
export OPENROUTER_API_KEY="${OPENROUTER_API_KEY:-${NUXT_OPENROUTER_API_KEY:-}}"
export GROQ_API_KEY="${GROQ_API_KEY:-${NUXT_GROQ_API_KEY:-}}"
export GOOGLE_API_KEY="${GOOGLE_API_KEY:-${NUXT_GOOGLE_API_KEY:-}}"
export DEEPGRAM_API_KEY="${DEEPGRAM_API_KEY:-${NUXT_DEEPGRAM_API_KEY:-}}"
export DATABASE_URL="${DATABASE_URL:-${NUXT_DATABASE_URL:-}}"
# ─── NITRO_-Prefix für Runtime-Override des runtimeConfig ──────────
[[ -n "${SUPABASE_URL:-}" ]] && export NITRO_SUPABASE_URL="$SUPABASE_URL" && export NITRO_PUBLIC_SUPABASE_URL="$SUPABASE_URL"
[[ -n "${SUPABASE_ANON_KEY:-}" ]] && export NITRO_SUPABASE_ANON_KEY="$SUPABASE_ANON_KEY" && export NITRO_PUBLIC_SUPABASE_KEY="$SUPABASE_ANON_KEY"
[[ -n "${SUPABASE_SERVICE_ROLE_KEY:-}" ]] && export NITRO_SUPABASE_SERVICE_KEY="$SUPABASE_SERVICE_ROLE_KEY"
[[ -n "${DATABASE_URL:-}" ]] && export NITRO_DATABASE_URL="$DATABASE_URL"
[[ -n "${OPENROUTER_API_KEY:-}" ]] && export NITRO_OPENROUTER_API_KEY="$OPENROUTER_API_KEY"
[[ -n "${OPENAI_API_KEY:-}" ]] && export NITRO_OPENAI_API_KEY="$OPENAI_API_KEY"
[[ -n "${GROQ_API_KEY:-}" ]] && export NITRO_GROQ_API_KEY="$GROQ_API_KEY"
[[ -n "${GOOGLE_AI_API_KEY:-}" ]] && export NITRO_GOOGLE_AI_API_KEY="$GOOGLE_AI_API_KEY"
[[ -n "${GOOGLE_API_KEY:-}" ]] && export NITRO_GOOGLE_API_KEY="$GOOGLE_API_KEY"
[[ -n "${DEEPGRAM_API_KEY:-}" ]] && export NITRO_DEEPGRAM_API_KEY="$DEEPGRAM_API_KEY"
[[ -n "${CARTESIA_API_KEY:-}" ]] && export NITRO_CARTESIA_API_KEY="$CARTESIA_API_KEY"
[[ -n "${ELEVENLABS_API_KEY:-}" ]] && export NITRO_ELEVENLABS_API_KEY="$ELEVENLABS_API_KEY"
[[ -n "${JWT_SECRET:-}" ]] && export NITRO_JWT_SECRET="$JWT_SECRET"
[[ -n "${ENCRYPTION_KEY:-}" ]] && export NITRO_ENCRYPTION_KEY="$ENCRYPTION_KEY"
[[ -n "${ADMIN_SECRET:-}" ]] && export NITRO_ADMIN_SECRET="$ADMIN_SECRET"
exec '"$NODE_BIN"' '"$INDEX_MJS"'
'