@@ -5,16 +5,34 @@ import { clientSchema, serverSchema, validateEnv } from '../src/lib/env'
55const projectDir = process . cwd ( )
66loadEnvConfig ( projectDir )
77
8+ // Always required when AUTH_PROVIDER=ory, regardless of deploy target.
89const oryRequiredEnvVars = [
910 'AUTH_SECRET' ,
1011 'ORY_SDK_URL' ,
1112 'ORY_OAUTH2_CLIENT_ID' ,
1213 'ORY_OAUTH2_CLIENT_SECRET' ,
1314 'ORY_OAUTH2_AUDIENCE' ,
14- 'ORY_PROJECT_API_TOKEN' ,
1515 'DASHBOARD_API_ADMIN_TOKEN' ,
1616] as const
1717
18+ // Identity admin surface (Kratos): pick exactly one.
19+ // - ORY_PROJECT_API_TOKEN: Ory Network. Bearer for the unified SDK host.
20+ // - ORY_KRATOS_ADMIN_URL: self-hosted Kratos admin (gated by network).
21+ // At least one must be set so IdentityApi calls can resolve.
22+ const oryIdentityAdminEnvVars = [
23+ 'ORY_PROJECT_API_TOKEN' ,
24+ 'ORY_KRATOS_ADMIN_URL' ,
25+ ] as const
26+
27+ // OAuth2 admin surface (Hydra): pick exactly one.
28+ // - ORY_PROJECT_API_TOKEN: Ory Network. Bearer for the unified SDK host.
29+ // - ORY_HYDRA_ADMIN_URL: self-hosted Hydra admin (gated by network).
30+ // At least one must be set so OAuth2Api session revocations can resolve.
31+ const oryOAuth2AdminEnvVars = [
32+ 'ORY_PROJECT_API_TOKEN' ,
33+ 'ORY_HYDRA_ADMIN_URL' ,
34+ ] as const
35+
1836const schema = serverSchema
1937 . merge ( clientSchema )
2038 . refine (
@@ -81,6 +99,28 @@ const schema = serverSchema
8199 path : [ 'AUTH_PROVIDER' ] ,
82100 } )
83101 }
102+
103+ const hasIdentityAdmin = oryIdentityAdminEnvVars . some (
104+ ( envVar ) => ! ! data [ envVar ]
105+ )
106+ if ( ! hasIdentityAdmin ) {
107+ ctx . addIssue ( {
108+ code : z . ZodIssueCode . custom ,
109+ message : `AUTH_PROVIDER=ory requires either ${ oryIdentityAdminEnvVars . join ( ' (Ory Network) or ' ) } (self-hosted Kratos admin)` ,
110+ path : [ 'AUTH_PROVIDER' ] ,
111+ } )
112+ }
113+
114+ const hasOAuth2Admin = oryOAuth2AdminEnvVars . some (
115+ ( envVar ) => ! ! data [ envVar ]
116+ )
117+ if ( ! hasOAuth2Admin ) {
118+ ctx . addIssue ( {
119+ code : z . ZodIssueCode . custom ,
120+ message : `AUTH_PROVIDER=ory requires either ${ oryOAuth2AdminEnvVars . join ( ' (Ory Network) or ' ) } (self-hosted Hydra admin)` ,
121+ path : [ 'AUTH_PROVIDER' ] ,
122+ } )
123+ }
84124 } )
85125
86126validateEnv ( schema )
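Review bot: The comments on `oryIdentityAdminEnvVars` and `oryOAuth2AdminEnvVars` say "pick exactly one", but both new checks use `.some(...)`, so a config that sets `ORY_PROJECT_API_TOKEN` together with `ORY_KRATOS_ADMIN_URL` or `ORY_HYDRA_ADMIN_URL` passes validation. Which value the client code prefers is not visible in this diff; if the self-hosted URL is used while the token is still attached, the Ory Network bearer could be sent to a different host, and if the token wins, the operator's intended admin endpoint is silently ignored. Either reword the comments to "at least one" and state the precedence, or reject the ambiguous pair with a second issue when `oryIdentityAdminEnvVars.every((envVar) => !!data[envVar])` is true (and likewise for the OAuth2 list). The `!!data[envVar]` test also accepts any non-empty string, so unless `serverSchema` (outside this diff) already validates the two admin URLs, a whitespace-only or malformed value would satisfy the check. The refine callback starts outside the hunk, so the surrounding `AUTH_PROVIDER` guard is assumed from the error messages.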