1953 joi env validation

api/package.json

@@ -39,15 +39,17 @@
     "build": "rimraf dist && tsc",
     "dev": "ts-node-dev --poll --respawn -r tsconfig-paths/register src/index.ts -- --inspect=0.0.0.0:9229",
     "watch": "ts-node-dev --inspect=0.0.0.0:9229 --poll --respawn -r tsconfig-paths/register src/index.ts",
-    "test": "nyc mocha --require ts-node/register -r tsconfig-paths/register \"src/**/*.spec.ts\"",
+    "test": "ORGANIZATION=AcmeInc ORGANIZATION_VAULT_SECRET=AcmeIncSecret ROOT_SECRET=RootSecret nyc mocha --require ts-node/register -r tsconfig-paths/register \"src/**/*.spec.ts\"",
     "coverage": "nyc report --reporter=text-lcov",
     "generate-report": "nyc report --reporter=html",
     "lint": "eslint src --ext ts",
     "format": "prettier --write \"src/**/*.+(js|jsx|ts|tsx|yaml|mjs)\"",
     "tsc": "tsc",
     "test:here": "node ./runTest.js",
     "generate-joi": "node dist/scripts/joiGenerator.js",
-    "build-docs": "bash ./buildDocs.sh"
+    "build-docs": "bash ./buildDocs.sh",
+    "validate-env-variables": "node ./dist/scripts/envVarsValidator.js",
+    "generate-env-vars-docs": "ts-node ./scripts/envVarsDocsGenerator.ts"
   },
   "nyc": {
     "include": [

api/scripts/envVarsDocsGenerator.ts

@@ -0,0 +1,17 @@
+import { writeFileSync } from "fs";
+import { generateMarkdownFile } from "../../scripts/common/envVarsGenerator/dist";
+import { envVarsSchema } from "../src/envVarsSchema";
+
+function updateReadme(): void {
+  const mdTable = generateMarkdownFile(envVarsSchema);
+
+  const md = `# TruBudget-API
+
+## Environment variables
+
+${mdTable}`;
+
+  writeFileSync("./environment-variables.md", md, "utf-8");
+}
+
+updateReadme();

api/src/config.ts

@@ -1,5 +1,4 @@
-import logger from "./lib/logger";
-import { randomString } from "./service/hash";
+import { envVarsSchema } from "./envVarsSchema";
 
 export interface JwtConfig {
   secretOrPrivateKey: string;
@@ -18,9 +17,11 @@ interface ProcessEnvVars {
   ROOT_SECRET: string;
   MULTICHAIN_RPC_HOST: string;
   MULTICHAIN_RPC_PORT: string;
+  MULTICHAIN_RPC_PROTOCOL: "http" | "https";
   MULTICHAIN_RPC_USER: string;
   MULTICHAIN_RPC_PASSWORD: string;
   BLOCKCHAIN_PORT: string;
+  BLOCKCHAIN_PROTOCOL: "http" | "https";
   JWT_ALGORITHM: string;
   JWT_SECRET: string;
   JWT_PUBLIC_KEY: string;
@@ -30,6 +31,7 @@ interface ProcessEnvVars {
   DOCUMENT_EXTERNAL_LINKS_ENABLED: string;
   STORAGE_SERVICE_HOST: string;
   STORAGE_SERVICE_PORT: string;
+  STORAGE_SERVICE_PROTOCOL: "http" | "https";
   STORAGE_SERVICE_EXTERNAL_URL: string;
   EMAIL_HOST: string;
   EMAIL_PORT: string;
@@ -127,138 +129,80 @@ interface Config {
   silenceLoggingOnFrequentRoutes: boolean;
 }
 
-/**
- * environment variables which are required by the API
- * @notExported
- */
-const requiredEnvVars = ["ORGANIZATION", "ORGANIZATION_VAULT_SECRET"];
+const { error, value: envVars } = envVarsSchema.validate(process.env);
+if (error) {
+  throw new Error(`Config validation error: ${error.message}`);
+}
 
 export const config: Config = {
-  organization: process.env.ORGANIZATION || "",
-  organizationVaultSecret: process.env.ORGANIZATION_VAULT_SECRET || "",
-  port: Number(process.env.PORT) || 8080,
-  rootSecret: process.env.ROOT_SECRET || randomString(32),
+  organization: envVars.ORGANIZATION,
+  organizationVaultSecret: envVars.ORGANIZATION_VAULT_SECRET,
+  port: envVars.PORT,
+  rootSecret: envVars.ROOT_SECRET,
   // RPC is the mutlichain daemon
   rpc: {
-    host: process.env.MULTICHAIN_RPC_HOST || "localhost",
-    port: Number(process.env.MULTICHAIN_RPC_PORT) || 8000,
-    protocol: process.env.MULTICHAIN_RPC_PROTOCOL === "https" ? "https" : "http",
-    user: process.env.MULTICHAIN_RPC_USER || "multichainrpc",
-    password: process.env.MULTICHAIN_RPC_PASSWORD || "s750SiJnj50yIrmwxPnEdSzpfGlTAHzhaUwgqKeb0G1j",
+    host: envVars.MULTICHAIN_RPC_HOST,
+    port: envVars.MULTICHAIN_RPC_PORT,
+    protocol: envVars.MULTICHAIN_RPC_PROTOCOL,
+    user: envVars.MULTICHAIN_RPC_USER,
+    password: envVars.MULTICHAIN_RPC_PASSWORD,
   },
   // Blockchain is the blockchain component of Trubudget
   // It serves e.g. backup or version endpoints
   blockchain: {
-    host: process.env.MULTICHAIN_RPC_HOST || "localhost",
-    port: Number(process.env.BLOCKCHAIN_PORT) || 8085,
-    protocol: process.env.BLOCKCHAIN_PROTOCOL === "https" ? "https" : "http",
+    host: envVars.MULTICHAIN_RPC_HOST,
+    port: envVars.BLOCKCHAIN_PORT,
+    protocol: envVars.BLOCKCHAIN_PROTOCOL,
   },
   jwt: {
-    secretOrPrivateKey: process.env.JWT_SECRET || randomString(32),
-    publicKey: process.env.JWT_PUBLIC_KEY || "",
-    algorithm: process.env.JWT_ALGORITHM === "RS256" ? "RS256" : "HS256",
+    secretOrPrivateKey: envVars.JWT_SECRET,
+    publicKey: envVars.JWT_PUBLIC_KEY,
+    algorithm: envVars.JWT_ALGORITHM,
   },
   secureCookie: process.env.API_SECURE_COOKIE === "true" || process.env.NODE_ENV === "production",
   npmPackageVersion: process.env.npm_package_version || "",
   // Continues Integration
   ciCommitSha: process.env.CI_COMMIT_SHA || "",
   buildTimeStamp: process.env.BUILDTIMESTAMP || "",
-  documentFeatureEnabled: process.env.DOCUMENT_FEATURE_ENABLED === "true" ? true : false,
-  documentExternalLinksEnabled:
-    process.env.DOCUMENT_EXTERNAL_LINKS_ENABLED === "true" ? true : false,
+  documentFeatureEnabled: envVars.DOCUMENT_FEATURE_ENABLED,
+  documentExternalLinksEnabled: envVars.DOCUMENT_EXTERNAL_LINKS_ENABLED,
   storageService: {
-    host: process.env.STORAGE_SERVICE_HOST || "localhost",
-    port: Number(process.env.STORAGE_SERVICE_PORT) || 8090,
-    protocol: process.env.STORAGE_SERVICE_PROTOCOL === "https" ? "https" : "http",
-    externalUrl: process.env.STORAGE_SERVICE_EXTERNAL_URL || "",
+    host: envVars.STORAGE_SERVICE_HOST,
+    port: envVars.STORAGE_SERVICE_PORT,
+    protocol: envVars.STORAGE_SERVICE_PROTOCOL,
+    externalUrl: envVars.STORAGE_SERVICE_EXTERNAL_URL,
   },
   emailService: {
-    host: process.env.EMAIL_HOST || "localhost",
-    port: Number(process.env.EMAIL_PORT) || 8089,
-    protocol: process.env.EMAIL_PROTOCOL === "https" ? "https" : "http",
+    host: envVars.EMAIL_HOST,
+    port: envVars.EMAIL_PORT,
+    protocol: envVars.EMAIL_PROTOCOL,
   },
-  encryptionPassword:
-    process.env.ENCRYPTION_PASSWORD === "" ? undefined : process.env.ENCRYPTION_PASSWORD,
-  signingMethod: process.env.SIGNING_METHOD || "node",
-  nodeEnv: process.env.NODE_ENV || "production",
-  accessControlAllowOrigin: process.env.ACCESS_CONTROL_ALLOW_ORIGIN || "*",
-  rateLimit:
-    process.env.RATE_LIMIT === "" || isNaN(Number(process.env.RATE_LIMIT))
-      ? undefined
-      : Number(process.env.RATE_LIMIT),
+  encryptionPassword: envVars.ENCRYPTION_PASSWORD,
+  signingMethod: envVars.SIGNING_METHOD,
+  nodeEnv: envVars.NODE_ENV,
+  accessControlAllowOrigin: envVars.ACCESS_CONTROL_ALLOW_ORIGIN,
+  rateLimit: envVars.RATE_LIMIT,
   authProxy: {
-    enabled: process.env.AUTHPROXY_ENABLED === "true" || false,
+    enabled: envVars.AUTHPROXY_ENABLED,
     authProxyCookie: "authorizationToken",
-    jwsSignature: process.env.AUTHPROXY_JWS_SIGNATURE || undefined,
+    jwsSignature: envVars.AUTHPROXY_JWS_SIGNATURE,
   },
   db: {
-    user: process.env.API_DB_USER || "postgres",
-    password: process.env.API_DB_PASSWORD || "test",
-    host: process.env.API_DB_HOST || "localhost",
-    database: process.env.API_DB_DATABASE || "trubudget_email_service",
-    port: Number(process.env.API_DB_PORT) || 5432,
-    ssl: process.env.API_DB_SSL === "true",
-    schema: process.env.API_DB_SCHEMA || "public",
+    user: envVars.API_DB_USER,
+    password: envVars.API_DB_PASSWORD,
+    host: envVars.API_DB_HOST,
+    database: envVars.API_DB_NAME,
+    port: envVars.API_DB_PORT,
+    ssl: envVars.API_DB_SSL,
+    schema: envVars.API_DB_SCHEMA,
   },
-  dbType: process.env.DB_TYPE || "pg",
-  sqlDebug: Boolean(process.env.SQL_DEBUG) || false,
-  refreshTokensTable: process.env.API_REFRESH_TOKENS_TABLE || "refresh_token",
-  refreshTokenStorage:
-    process.env.REFRESH_TOKEN_STORAGE &&
-    ["db", "memory"].includes(process.env.REFRESH_TOKEN_STORAGE)
-      ? process.env.REFRESH_TOKEN_STORAGE
-      : undefined,
-  snapshotEventInterval: Number(process.env.SNAPSHOT_EVENT_INTERVAL) || 3,
-  azureMonitorConnectionString: process.env.APPLICATIONINSIGHTS_CONNECTION_STRING || "",
-  silenceLoggingOnFrequentRoutes:
-    process.env.SILENCE_LOGGING_ON_FREQUENT_ROUTES === "true" || false,
-};
-
-/**
- * Checks if required environment variables are set, stops the process otherwise
- * @notExported
- *
- * @param requiredEnvVars environment variables required for the API to run
- */
-function exitIfMissing(requiredEnvVars): void {
-  let envVarMissing = false;
-  requiredEnvVars.forEach((env) => {
-    if (!envExists(process.env, env)) envVarMissing = true;
-  });
-  if (envVarMissing) process.exit(1);
-}
-
-/**
- * Checks if an environment variable is attached to the current process
- * @notExported
- *
- * @param processEnv environment variables attached to the current process
- * @param prop environment variable to check
- * @param msg optional message to print out
- * @returns a boolean indicating if an environment variable is attached to the current process
- */
-const envExists = <T, K extends keyof T>(
-  processEnv: Partial<T>,
-  prop: K,
-  msg?: string,
-): boolean => {
-  if (processEnv[prop] === undefined || processEnv[prop] === null) {
-    switch (prop) {
-      case "ORGANIZATION":
-        msg = "Please set ORGANIZATION to the organization this node belongs to.";
-        break;
-      case "ORGANIZATION_VAULT_SECRET":
-        msg =
-          "Please set ORGANIZATION_VAULT_SECRET to the secret key used to encrypt the organization's vault.";
-        break;
-      default:
-        break;
-    }
-    logger.fatal(msg || `Environment is missing required variable ${String(prop)}`);
-    return false;
-  } else {
-    return true;
-  }
+  dbType: envVars.DB_TYPE,
+  sqlDebug: envVars.SQL_DEBUG,
+  refreshTokensTable: envVars.API_REFRESH_TOKENS_TABLE,
+  refreshTokenStorage: envVars.REFRESH_TOKEN_STORAGE,
+  snapshotEventInterval: envVars.SNAPSHOT_EVENT_INTERVAL,
+  azureMonitorConnectionString: envVars.APPLICATIONINSIGHTS_CONNECTION_STRING,
+  silenceLoggingOnFrequentRoutes: envVars.SILENCE_LOGGING_ON_FREQUENT_ROUTES,
 };
 
 /**
@@ -268,37 +212,6 @@ const envExists = <T, K extends keyof T>(
  * @notExported
  */
 const getValidConfig = (): Config => {
-  exitIfMissing(requiredEnvVars);
-
-  // Environment Validation
-  const jwtSecret: string = process.env.JWT_SECRET || randomString(32);
-  if (jwtSecret.length < 32) {
-    logger.warn("Warning: the JWT secret key should be at least 32 characters long.");
-  }
-  const rootSecret: string = process.env.ROOT_SECRET || randomString(32);
-  if (!process.env.ROOT_SECRET) {
-    logger.warn(`Warning: root password not set; autogenerated to ${rootSecret}`);
-  }
-
-  // Document feature enabled
-  if (process.env.DOCUMENT_FEATURE_ENABLED === "true") {
-    const requiredDocEnvVars = ["STORAGE_SERVICE_EXTERNAL_URL"];
-    exitIfMissing(requiredDocEnvVars);
-  }
-
-  const jwtAlgorithm: string = process.env.JWT_ALGORITHM;
-  if (
-    !(
-      jwtAlgorithm === "HS256" ||
-      jwtAlgorithm === "RS256" ||
-      jwtAlgorithm === undefined ||
-      jwtAlgorithm === ""
-    )
-  ) {
-    logger.fatal("JWT_ALGORITHM must be either HS256 or RS256 or empty (defaults to HS256)");
-    process.exit(1);
-  }
-
   return config;
 };
 /**