Cleanup KF_ envs

Author: isTravis

src/api/auth.server.ts

@@ -18,8 +18,7 @@ export type AuthEnv = {
 const publicPaths = new Set(['/api/health', '/api/query/generate-sql'])
 
 const internalToken = process.env.INTERNAL_API_TOKEN ?? 'internal-dev-token'
-const authInternalApiKey =
-  process.env.AUTH_INTERNAL_API_KEY ?? process.env.KF_INTERNAL_API_KEY ?? ''
+const authInternalApiKey = process.env.AUTH_INTERNAL_API_KEY ?? ''
 const sessionSecret = process.env.SESSION_SECRET ?? 'dev-secret-change-me'
 
 export const authMiddleware = createMiddleware<AuthEnv>(async (c, next) => {

src/api/kf-summary.ts

@@ -9,7 +9,7 @@ import { db, schema } from '../db/client.server.js'
  * Returns Underlay accounts and their collections linked to a KF org.
  * For user-type accounts it also includes UL orgs the user belongs to.
  *
- * Auth: requires KF_INTERNAL_API_KEY (service-to-service).
+ * Auth: requires AUTH_INTERNAL_API_KEY (service-to-service).
  */
 export async function summary(c: Context) {
   const kfOrgId = c.req.query('kf_org_id')
@@ -19,7 +19,7 @@ export async function summary(c: Context) {
 
   // Verify internal API key
   const authHeader = c.req.header('Authorization')
-  const expectedKey = process.env.AUTH_INTERNAL_API_KEY ?? process.env.KF_INTERNAL_API_KEY
+  const expectedKey = process.env.AUTH_INTERNAL_API_KEY
   if (!expectedKey || authHeader !== `Bearer ${expectedKey}`) {
     return c.json({ error: 'Unauthorized' }, 401)
   }

src/lib/auth-internal.server.ts

@@ -4,21 +4,16 @@
  * Optional — only active when AUTH_INTERNAL_API_URL + AUTH_INTERNAL_API_KEY are set.
  * When the internal API is unavailable, apps fall back to OIDC userinfo data only.
  *
- * Env vars (with backward-compat fallbacks):
- *   AUTH_INTERNAL_API_URL — base URL for internal API (fallback: KF_AUTH_INTERNAL_URL, then OIDC_ISSUER_INTERNAL_URL)
- *   AUTH_INTERNAL_API_KEY — shared secret for service-to-service calls (fallback: KF_INTERNAL_API_KEY)
+ * Env vars:
+ *   AUTH_INTERNAL_API_URL — base URL for internal API (falls back to OIDC_ISSUER_INTERNAL_URL)
+ *   AUTH_INTERNAL_API_KEY — shared secret for service-to-service calls
  */
 
 import { OIDC_ISSUER_INTERNAL_URL } from './oidc.server.js'
 
-const AUTH_INTERNAL_API_URL =
-  process.env.AUTH_INTERNAL_API_URL ??
-  process.env.KF_AUTH_INTERNAL_URL ??
-  process.env.KF_AUTH_URL ??
-  OIDC_ISSUER_INTERNAL_URL
+const AUTH_INTERNAL_API_URL = process.env.AUTH_INTERNAL_API_URL ?? OIDC_ISSUER_INTERNAL_URL
 
-const AUTH_INTERNAL_API_KEY =
-  process.env.AUTH_INTERNAL_API_KEY ?? process.env.KF_INTERNAL_API_KEY ?? ''
+const AUTH_INTERNAL_API_KEY = process.env.AUTH_INTERNAL_API_KEY ?? ''
 
 /** Whether the internal API is configured and available. */
 export const hasInternalApi = Boolean(AUTH_INTERNAL_API_KEY)

src/lib/kf-auth.server.ts

@@ -8,8 +8,8 @@ export {
   exchangeCode,
   fetchUserInfo,
   extractOrgs,
-  OIDC_ISSUER_URL as KF_AUTH_URL,
-  OIDC_CLIENT_ID as KF_AUTH_CLIENT_ID,
+  OIDC_ISSUER_URL,
+  OIDC_CLIENT_ID,
   REDIRECT_URI,
   type OIDCOrg as KFOrg,
   type OIDCUserInfo as KFUserInfo,

src/lib/oidc.server.ts

@@ -4,27 +4,25 @@
  * Reads endpoints from the provider's .well-known/openid-configuration.
  * Works with any standards-compliant OIDC provider (KF Auth, Keycloak, Auth0, etc.).
  *
- * Env vars (new canonical names with backward-compat fallbacks):
- *   OIDC_ISSUER_URL          — browser-facing issuer URL (fallback: KF_AUTH_URL)
- *   OIDC_ISSUER_INTERNAL_URL — server-to-server URL for Docker (fallback: KF_AUTH_INTERNAL_URL, then OIDC_ISSUER_URL)
- *   OIDC_CLIENT_ID           — OAuth client ID (fallback: KF_AUTH_CLIENT_ID)
- *   OIDC_CLIENT_SECRET       — OAuth client secret (fallback: KF_AUTH_CLIENT_SECRET)
+ * Env vars:
+ *   OIDC_ISSUER_URL          — browser-facing issuer URL
+ *   OIDC_ISSUER_INTERNAL_URL — server-to-server URL for Docker (falls back to OIDC_ISSUER_URL)
+ *   OIDC_CLIENT_ID           — OAuth client ID
+ *   OIDC_CLIENT_SECRET       — OAuth client secret
  *   OIDC_ORGS_CLAIM          — custom claim key for org memberships (default: https://knowledgefutures.org/orgs)
  */
 
 import crypto from 'node:crypto'
 
 // --- Config (with backward-compat fallbacks) ---
 
-const OIDC_ISSUER_URL =
-  process.env.OIDC_ISSUER_URL ?? process.env.KF_AUTH_URL ?? 'http://localhost:3000'
+const OIDC_ISSUER_URL = process.env.OIDC_ISSUER_URL ?? 'http://localhost:3000'
 
-const OIDC_ISSUER_INTERNAL_URL =
-  process.env.OIDC_ISSUER_INTERNAL_URL ?? process.env.KF_AUTH_INTERNAL_URL ?? OIDC_ISSUER_URL
+const OIDC_ISSUER_INTERNAL_URL = process.env.OIDC_ISSUER_INTERNAL_URL ?? OIDC_ISSUER_URL
 
-const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID ?? process.env.KF_AUTH_CLIENT_ID ?? 'kf_underlay'
+const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID ?? 'kf_underlay'
 
-const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET ?? process.env.KF_AUTH_CLIENT_SECRET ?? ''
+const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET ?? ''
 
 const OIDC_ORGS_CLAIM = process.env.OIDC_ORGS_CLAIM ?? 'https://knowledgefutures.org/orgs'
 
@@ -59,7 +57,7 @@ async function discover(): Promise<OIDCDiscovery> {
     if (!res.ok) {
       throw new Error(
         `OIDC discovery failed: ${res.status} from ${url}. ` +
-          `Ensure OIDC_ISSUER_URL or KF_AUTH_URL points to a valid OIDC provider.`,
+          `Ensure OIDC_ISSUER_URL points to a valid OIDC provider.`,
       )
     }
     const config = (await res.json()) as OIDCDiscovery

src/loaders.server.ts

@@ -93,8 +93,7 @@ const loaders: Record<string, LoaderFn> = {
   '/logout': async () => {
     return {
       data: {
-        kfAuthUrl:
-          process.env.OIDC_ISSUER_URL ?? process.env.KF_AUTH_URL ?? 'http://localhost:3000',
+        kfAuthUrl: process.env.OIDC_ISSUER_URL ?? 'http://localhost:3000',
       },
     }
   },
@@ -391,8 +390,7 @@ const loaders: Record<string, LoaderFn> = {
   },
 }
 
-const kfAccountUrl =
-  process.env.OIDC_ACCOUNT_URL ?? process.env.KF_ACCOUNT_URL ?? 'http://localhost:3001'
+const kfAccountUrl = process.env.OIDC_ACCOUNT_URL ?? 'http://localhost:3001'
 
 export async function runLoaders(
   matchedRoutes: { path: string; params: Record<string, string> }[],