feat(api): add env runtime checkks

Author: Irere123

apps/api/.env.example

@@ -5,6 +5,7 @@ REDIS_URL=redis://localhost:6379
 DATABASE_URL=postgresql://postgres:postgres@localhost:5432/codecrawl
 REDIS_RATE_LIMIT_URL=redis://localhost:6379
 CODECRAWL_ENCRYPTION_KEY=your_encryption_key
+ALLOWED_ORIGINS=http://localhost:3000,https://crawl.revoks.dev
 
 ### Better Auth
 BETTER_AUTH_SECRET=your_secret

apps/api/src/env-runtime.ts

@@ -0,0 +1,3 @@
+import { parseEnv } from './env'
+
+export const env = parseEnv(Object.assign(process.env))

apps/api/src/env.ts

@@ -0,0 +1,33 @@
+import { z } from 'zod'
+
+const EnvSchema = z.object({
+  // generic stuff
+  NODE_ENV: z.string().default('development'),
+  PORT: z.string().optional().default('4000'),
+  DATABASE_URL: z.url(),
+  REDIS_URL: z.url(),
+  ALLOWED_API_ORIGINS: z.string().default('http://localhost:3000'),
+  CODECRAWL_ENCRYPTION_KEY: z.string(),
+
+  // auth providers
+  GOOGLE_CLIENT_ID: z.string(),
+  GOOGLE_CLIENT_SECRET: z.string(),
+
+  // better-auth
+  BETTER_AUTH_SECRET: z.string(),
+  BETTER_AUTH_URL: z.url().default('http://localhost:4000'),
+  BASE_URL: z.url().default('http://localhost:4000'),
+})
+
+export type Environment = z.infer<typeof EnvSchema>
+
+export function parseEnv(data: any) {
+  const { data: env, error, success } = EnvSchema.safeParse(data)
+
+  if (!success) {
+    console.error('Invalid environment variables:', error.format())
+    process.exit(1)
+  }
+
+  return env
+}

apps/api/src/index.ts

@@ -2,6 +2,7 @@ import { Scalar } from '@scalar/hono-api-reference'
 import { cors } from 'hono/cors'
 import { secureHeaders } from 'hono/secure-headers'
 
+import { env } from '~/env-runtime'
 import { auth } from '~/lib/auth'
 import { BASE_URL } from '~/lib/constants'
 import { logger } from '~/lib/logger'
@@ -15,7 +16,7 @@ app.use(secureHeaders())
 app.use(
   '*',
   cors({
-    origin: '*',
+    origin: env.ALLOWED_API_ORIGINS.split(','),
     credentials: true,
     allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
     allowHeaders: [
@@ -83,7 +84,7 @@ app.get(
   })
 )
 
-const DEFAULT_PORT = process.env.PORT ?? 4000
+const DEFAULT_PORT = env.PORT
 
 // Graceful shutdown handling
 const shutdown = async (signal: string) => {

apps/api/src/lib/auth/auth.ts

@@ -2,13 +2,15 @@ import { betterAuth } from 'better-auth'
 import { drizzleAdapter } from 'better-auth/adapters/drizzle'
 
 import { db } from '~/db'
+import { env } from '~/env-runtime'
 import { isProd } from '~/lib/constants'
 
 export const auth = betterAuth({
   basePath: '/auth',
   database: drizzleAdapter(db, {
     provider: 'pg',
   }),
+  trustedOrigins: env.ALLOWED_API_ORIGINS.split(','),
   advanced: {
     cookiePrefix: 'codecrawl',
     crossSubDomainCookies: {
@@ -28,8 +30,8 @@ export const auth = betterAuth({
   },
   socialProviders: {
     google: {
-      clientId: process.env.GOOGLE_CLIENT_ID as string,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
+      clientId: env.GOOGLE_CLIENT_ID,
+      clientSecret: env.GOOGLE_CLIENT_SECRET,
       scopes: [
         'https://www.googleapis.com/auth/userinfo.email',
         'https://www.googleapis.com/auth/userinfo.profile',