fix: use Cloudflare runtime env for secrets #73

Merged
addison merged 2 commits from exe-dev-bot/market:fix/runtime-env into main 2026-02-07 17:09:32 -05:00
Contributor

Problem

Non-public secrets (NEWSLETTER_SECRET, SMTP_*, SUPABASE_SERVICE_ROLE_KEY, SITE_URL) were read via import.meta.env, which is a Vite build-time construct. Since CI only passes PUBLIC_* vars during build, all secrets were undefined at runtime in production.

Solution

Move all non-public secrets to Cloudflare runtime env (locals.runtime.env in Astro, env parameter in worker.ts). Secrets are now read at request time from Cloudflare dashboard bindings.

Changes

  • src/lib/email.ts — sendEmail() accepts SMTP config as a parameter
  • src/lib/service-client.ts — createSupabaseServiceClient() accepts serviceRoleKey as a parameter
  • src/lib/newsletter-delivery.ts — deliverNewsletters() accepts all secrets via an env object
  • src/worker.ts — Reads secrets from the Worker env parameter
  • src/pages/api/newsletter/trigger.ts — Reads secrets from locals.runtime.env
  • src/pages/newsletter/unsubscribe.astro — Reads secrets from Astro.locals.runtime.env
  • src/env.d.ts — Updated with runtime env types

Security verification

After build, confirmed:

  • Secret names appear in dist/_worker.js/ as runtime lookups (e.g. runtimeEnv.NEWSLETTER_SECRET) — values resolved at request time
  • Zero secret references in dist/_astro/ (client-side bundles)
  • PUBLIC_* and PROD vars unchanged (build-time is correct for these)

Testing

  1. Set secrets in Cloudflare dashboard (Settings → Variables)
  2. Deploy
  3. Trigger newsletter: curl -X POST https://market.kwila.cloud/api/newsletter/trigger -H "Authorization: Bearer <secret>" -H "Origin: https://market.kwila.cloud"
  4. Verify unsubscribe page works at /newsletter/unsubscribe?token=...
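As an added example (not the project's code) of the request-time lookup the Solution section describes: a Worker-style trigger handler that reads NEWSLETTER_SECRET and SITE_URL from the runtime env binding and fails closed when the binding is absent, which is exactly the state the build-time import.meta.env left the secrets in. The handler signature, the RuntimeEnv shape and the Origin check against SITE_URL are assumptions, not the repository's actual code.

```typescript
// Shape of the Cloudflare runtime env bindings assumed by this example.
interface RuntimeEnv {
  NEWSLETTER_SECRET?: string;
  SITE_URL?: string;
}

interface TriggerResult {
  status: number;
  body: string;
}

// Constant-time comparison so the bearer-token check does not leak how many
// leading characters matched through timing differences.
function timingSafeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Hypothetical trigger handler: secrets come from the `env` parameter that
// Cloudflare passes at request time, never from import.meta.env.
function handleTrigger(
  headers: Record<string, string | undefined>,
  env: RuntimeEnv,
): TriggerResult {
  const secret = env.NEWSLETTER_SECRET;
  // The failure mode this PR fixed: a build-time read left the secret
  // `undefined` in production. Refuse to run rather than compare against it.
  if (!secret) {
    return { status: 500, body: "NEWSLETTER_SECRET binding is not configured" };
  }
  const auth = headers["authorization"] ?? "";
  const presented = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!timingSafeEqual(presented, secret)) {
    return { status: 401, body: "unauthorized" };
  }
  // Assumed: the Origin header must match the configured SITE_URL binding.
  if (env.SITE_URL && headers["origin"] !== env.SITE_URL) {
    return { status: 403, body: "origin not allowed" };
  }
  return { status: 202, body: "newsletter delivery triggered" };
}
```

With the binding missing the handler returns 500 instead of silently authenticating every caller against an undefined secret; the 401 and 403 paths correspond to the Authorization and Origin headers the Testing section's curl command sends.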
fix: use Cloudflare runtime env for secrets instead of build-time import.meta.env
Some checks failed
CI / Unit Tests (pull_request) Successful in 2m19s
CI / Lint, Type Check & Format (pull_request) Successful in 2m39s
CI / E2E Tests (pull_request) Failing after 3m35s
7490f80038
Co-authored-by: Shelley <shelley@exe.dev>
docs: clarify build-time vs runtime env vars in infrastructure docs
Some checks failed
CI / Lint, Type Check & Format (pull_request) Successful in 2m12s
CI / Unit Tests (pull_request) Successful in 2m21s
CI / E2E Tests (pull_request) Failing after 3m26s
b32f813d23
Co-authored-by: Shelley <shelley@exe.dev>
addison deleted branch fix/runtime-env 2026-02-07 17:09:32 -05:00
Reference
kwila/market!73