feat: env validation

.github/workflows/build-and-lint.yml

@@ -91,4 +91,6 @@ jobs:
             ${{ runner.os }}-node-modules-
 
       - name: Build
+        env:
+          SKIP_ENV_VALIDATION: "1"
         run: npm run build

next.config.mjs

@@ -1,4 +1,25 @@
-/** @type {import('next').NextConfig} */
-const nextConfig = {};
+import { fileURLToPath } from "node:url";
+import createJiti from "jiti";
+import {
+  PHASE_DEVELOPMENT_SERVER,
+  PHASE_PRODUCTION_BUILD,
+} from "next/constants.js";
 
-export default nextConfig;
+/** @type {import('next').NextConfig | ((phase: string) => import('next').NextConfig)} */
+export default function nextConfig(phase) {
+  const jiti = createJiti(fileURLToPath(import.meta.url));
+
+  const skipValidation = process.env.SKIP_ENV_VALIDATION === "1";
+
+  if (!skipValidation) {
+    if (
+      phase === PHASE_DEVELOPMENT_SERVER ||
+      phase === PHASE_PRODUCTION_BUILD
+    ) {
+      jiti("./src/env/server.ts");
+      jiti("./src/env/client.ts");
+    }
+  }
+
+  return {};
+}

package.json

@@ -34,6 +34,7 @@
     "@radix-ui/react-tooltip": "^1.2.8",
     "@reown/appkit": "^1.6.8",
     "@reown/appkit-adapter-ethers5": "^1.6.8",
+    "@t3-oss/env-nextjs": "^0.13.8",
     "@tanstack/react-query": "^4.36.1",
     "@trpc/client": "^10.45.2",
     "@trpc/react-query": "^10.45.2",
@@ -63,9 +64,10 @@
     "ulid": "^2.3.0",
     "validator": "^13.12.0",
     "viem": "^2.21.48",
-    "zod": "^3.24.2"
+    "zod": "^3.25.76"
   },
   "devDependencies": {
+    "jiti": "1.21.7",
     "@biomejs/biome": "^1.9.4",
     "@types/crypto-js": "^4.2.2",
     "@types/node": "^20",

src/app/api/trpc/[trpc]/route.ts

@@ -2,6 +2,7 @@ import { fetchRequestHandler } from "@trpc/server/adapters/fetch";
 import { TRPC_ERROR_CODES_BY_KEY } from "@trpc/server/rpc";
 import type { NextRequest } from "next/server";
 
+import { env } from "@/env/server";
 import { appRouter } from "@/server/index";
 import { createTRPCContext } from "@/server/trpc";
 
@@ -60,7 +61,7 @@ const handler = (req: NextRequest) =>
     // @ts-expect-error: This works , no need to fix
     createContext: () => createContext(req),
     onError:
-      process.env.NODE_ENV === "development"
+      env.NODE_ENV === "development"
         ? ({ path, error }) => {
             console.error(
               `❌ tRPC failed on ${path ?? "<no-path>"}: ${error.message}`,

src/app/api/webhook/route.ts

@@ -1,4 +1,5 @@
 import crypto from "node:crypto";
+import { env } from "@/env/server";
 import { ResourceNotFoundError } from "@/lib/errors";
 import { generateInvoiceNumber } from "@/lib/helpers/client";
 import { getInvoiceCount } from "@/lib/helpers/invoice";
@@ -90,7 +91,7 @@ export async function POST(req: Request) {
     webhookData = body;
     const signature = req.headers.get("x-request-network-signature");
 
-    const webhookSecret = process.env.WEBHOOK_SECRET;
+    const webhookSecret = env.WEBHOOK_SECRET;
 
     if (!webhookSecret) {
       throw new Error("WEBHOOK_SECRET is not set");

src/app/layout.tsx

@@ -9,6 +9,7 @@ import type { Metadata } from "next";
 import localFont from "next/font/local";
 import { cookies } from "next/headers";
 import "./globals.css";
+import { env } from "@/env/client";
 
 const geistSans = localFont({
   src: "./fonts/GeistVF.woff",
@@ -33,7 +34,7 @@ export default function RootLayout({
 }>) {
   return (
     <html lang="en">
-      <GoogleTagManager gtmId={process.env.NEXT_PUBLIC_GTM_ID as string} />
+      <GoogleTagManager gtmId={env.NEXT_PUBLIC_GTM_ID as string} />
       <body
         className={`${geistSans.variable} ${geistMono.variable} antialiased`}
       >

src/app/login/google/route.ts

@@ -1,3 +1,4 @@
+import { env } from "@/env/server";
 import { google } from "@/server/auth";
 // app/login/google/route.ts
 import { generateCodeVerifier, generateState } from "arctic";
@@ -17,14 +18,14 @@ export async function GET(): Promise<Response> {
   cookieStore.set("google_oauth_state", state, {
     path: "/",
     httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
+    secure: env.NODE_ENV === "production",
     maxAge: 60 * 10,
     sameSite: "lax",
   });
   cookieStore.set("google_code_verifier", codeVerifier, {
     path: "/",
     httpOnly: true,
-    secure: process.env.NODE_ENV === "production",
+    secure: env.NODE_ENV === "production",
     maxAge: 60 * 10,
     sameSite: "lax",
   });

src/app/page.tsx

@@ -1,5 +1,6 @@
 import { Footer } from "@/components/footer";
 import { Header } from "@/components/header";
+import { env } from "@/env/client";
 import { getCurrentSession } from "@/server/auth";
 import type { Metadata } from "next";
 import Image from "next/image";
@@ -52,7 +53,7 @@ export default async function LoginPage() {
             <p className="text-center text-sm text-zinc-500">
               By continuing, you agree to our{" "}
               <Link
-                href={process.env.NEXT_PUBLIC_API_TERMS_CONDITIONS as string}
+                href={env.NEXT_PUBLIC_API_TERMS_CONDITIONS as string}
                 className="underline hover:text-zinc-900"
                 target="_blank"
                 rel="noopener noreferrer"

src/components/app-kit.tsx

@@ -1,5 +1,6 @@
 "use client";
 
+import { env } from "@/env/client";
 import { Ethers5Adapter } from "@reown/appkit-adapter-ethers5";
 import {
   arbitrum,
@@ -18,7 +19,7 @@ const metadata = {
   icons: ["./assets/logo.svg"],
 };
 
-const projectId = process.env.NEXT_PUBLIC_REOWN_PROJECT_ID;
+const projectId = env.NEXT_PUBLIC_REOWN_PROJECT_ID;
 
 if (!projectId) {
   throw new Error("NEXT_PUBLIC_REOWN_PROJECT_ID is not set");

src/components/compliance-form.tsx

@@ -31,6 +31,8 @@ import {
   SelectTrigger,
   SelectValue,
 } from "@/components/ui/select";
+import { env } from "@/env/client";
+import { env as serverEnv } from "@/env/server";
 import { COMPLIANCE_COUNTRIES } from "@/lib/constants/compliance";
 import {
   BeneficiaryType,
@@ -67,12 +69,12 @@ export function ComplianceForm({ user }: { user: User }) {
 
   const iframeRef = useRef<HTMLIFrameElement>(null);
   const TRUSTED_ORIGINS = useMemo(() => {
-    const origins = process.env.NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS
-      ? process.env.NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS.split(",")
+    const origins = env.NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS
+      ? env.NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS.split(",")
       : ["https://request.network", "https://core-api-staging.pay.so"];
 
     // Add localhost in development
-    if (process.env.NODE_ENV === "development") {
+    if (serverEnv.NODE_ENV === "development") {
       origins.push("http://localhost:3000");
     }
 

src/components/header.tsx

@@ -1,13 +1,14 @@
 "use client";
 
+import { env } from "@/env/client";
 import type { User } from "@/server/db/schema";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { Button } from "./ui/button";
 import { UserMenu } from "./user-menu";
 
 export function Header({ user }: { user?: User | undefined }) {
-  const demoMeetingUrl = process.env.NEXT_PUBLIC_DEMO_MEETING;
+  const demoMeetingUrl = env.NEXT_PUBLIC_DEMO_MEETING;
   const pathname = usePathname();
 
   // Don't show nav items on invoice payment pages

src/env/client.ts

@@ -0,0 +1,21 @@
+import { createEnv } from "@t3-oss/env-nextjs";
+import { z } from "zod";
+
+export const env = createEnv({
+  client: {
+    NEXT_PUBLIC_REOWN_PROJECT_ID: z.string().min(1),
+    NEXT_PUBLIC_API_TERMS_CONDITIONS: z.string().url(),
+    NEXT_PUBLIC_GTM_ID: z.string().optional(),
+    NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS: z.string().optional(),
+    NEXT_PUBLIC_DEMO_MEETING: z.string().optional(),
+  },
+  runtimeEnv: {
+    NEXT_PUBLIC_REOWN_PROJECT_ID: process.env.NEXT_PUBLIC_REOWN_PROJECT_ID,
+    NEXT_PUBLIC_API_TERMS_CONDITIONS:
+      process.env.NEXT_PUBLIC_API_TERMS_CONDITIONS,
+    NEXT_PUBLIC_GTM_ID: process.env.NEXT_PUBLIC_GTM_ID,
+    NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS:
+      process.env.NEXT_PUBLIC_CRYPTO_TO_FIAT_TRUSTED_ORIGINS,
+    NEXT_PUBLIC_DEMO_MEETING: process.env.NEXT_PUBLIC_DEMO_MEETING,
+  },
+});

src/env/server.ts

@@ -0,0 +1,24 @@
+import { createEnv } from "@t3-oss/env-nextjs";
+import { z } from "zod";
+
+export const env = createEnv({
+  server: {
+    ENCRYPTION_KEY: z.string().min(1),
+    DATABASE_URL: z.string().min(1),
+    GOOGLE_CLIENT_ID: z.string().min(1),
+    GOOGLE_CLIENT_SECRET: z.string().min(1),
+    GOOGLE_REDIRECT_URI: z.string().min(1),
+    CURRENT_ENCRYPTION_VERSION: z.string().min(1),
+    REQUEST_API_URL: z.string().url(),
+    REQUEST_API_KEY: z.string().min(1),
+    WEBHOOK_SECRET: z.string().min(1),
+    FEE_PERCENTAGE_FOR_PAYMENT: z.string().default(""),
+    FEE_ADDRESS_FOR_PAYMENT: z.string().default(""),
+    REDIS_URL: z.string().default(""),
+    INVOICE_PROCESSING_TTL: z.string().default(""),
+    NODE_ENV: z.enum(["development", "production", "test"]),
+    VERCEL_URL: z.string().optional(),
+    PORT: z.coerce.number().optional(),
+  },
+  experimental__runtimeEnv: process.env,
+});

src/lib/axios.ts

@@ -1,8 +1,9 @@
+import { env } from "@/env/server";
 import axios from "axios";
 
 export const apiClient = axios.create({
-	baseURL: process.env.REQUEST_API_URL,
-	headers: {
-		"x-api-key": process.env.REQUEST_API_KEY,
-	},
+  baseURL: env.REQUEST_API_URL,
+  headers: {
+    "x-api-key": env.REQUEST_API_KEY,
+  },
 });

src/lib/encryption/index.ts

@@ -1,8 +1,10 @@
+import { env } from "@/env/server";
+
 export type EncryptionVersion = "v1";
 
 export function getEncryptionKey(version: EncryptionVersion = "v1"): string {
   return ENCRYPTION_KEYS[version];
 }
 const ENCRYPTION_KEYS = {
-  v1: process.env.ENCRYPTION_KEY as string,
+  v1: env.ENCRYPTION_KEY as string,
 };

src/lib/redis/index.ts

@@ -1,10 +1,11 @@
+import { env } from "@/env/server";
 import Redis from "ioredis";
 
 let redis: Redis | null = null;
 
 export function getRedis(): Redis {
   if (!redis) {
-    redis = new Redis(process.env.REDIS_URL || "redis://localhost:6379", {
+    redis = new Redis(env.REDIS_URL || "redis://localhost:6379", {
       lazyConnect: true,
     });