feat: single env file (#1092)

* single env file

* docs

* fixy

* better comments

* serverside -> server-side
add prop to error msg

* dont crash when calling next-auth in gssp

* add min(1) to all string schema

* Update www/src/pages/ar/usage/env-variables.md

Co-authored-by: Muhammed Mustafa <[email protected]>

* simplify error formatting

* allow empty strings for discord env vars

* incorrect import

* here also

* add changeset

* don't leak env keys in prod

* fix bad merge

* cleanup

---------

Co-authored-by: Christopher Ehrlich <[email protected]>
Co-authored-by: Muhammed Mustafa <[email protected]>

Author: 3 people

Diff for: .changeset/loud-coats-sniff.md

@@ -0,0 +1,5 @@
+---
+"create-t3-app": minor
+---
+
+single env file

Diff for: cli/src/installers/envVars.ts

@@ -9,7 +9,7 @@ export const envVariablesInstaller: Installer = ({ projectDir, packages }) => {
 
   const envContent = getEnvContent(!!usingAuth, !!usingPrisma);
 
-  const envSchemaFile =
+  const envFile =
     usingAuth && usingPrisma
       ? "with-auth-prisma.mjs"
       : usingAuth
@@ -18,13 +18,13 @@ export const envVariablesInstaller: Installer = ({ projectDir, packages }) => {
       ? "with-prisma.mjs"
       : "";
 
-  if (envSchemaFile !== "") {
+  if (envFile !== "") {
     const envSchemaSrc = path.join(
       PKG_ROOT,
-      "template/extras/src/env/schema",
-      envSchemaFile,
+      "template/extras/src/env",
+      envFile,
     );
-    const envSchemaDest = path.join(projectDir, "src/env/schema.mjs");
+    const envSchemaDest = path.join(projectDir, "src/env.mjs");
     fs.copySync(envSchemaSrc, envSchemaDest);
   }
 

Diff for: cli/template/base/next.config.mjs

@@ -4,7 +4,7 @@
  * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation.
  * This is especially useful for Docker builds.
  */
-!process.env.SKIP_ENV_VALIDATION && (await import("./src/env/server.mjs"));
+!process.env.SKIP_ENV_VALIDATION && (await import("./src/env.mjs"));
 
 /** @type {import("next").NextConfig} */
 const config = {

Diff for: cli/template/base/src/env.mjs

@@ -0,0 +1,73 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
+import { z } from "zod";
+
+/**
+ * Specify your server-side environment variables schema here.
+ * This way you can ensure the app isn't built with invalid env vars.
+ */
+const server = z.object({
+  NODE_ENV: z.enum(["development", "test", "production"]),
+});
+
+/**
+ * Specify your client-side environment variables schema here.
+ * This way you can ensure the app isn't built with invalid env vars.
+ * To expose them to the client, prefix them with `NEXT_PUBLIC_`.
+ */
+const client = z.object({
+  // NEXT_PUBLIC_CLIENTVAR: z.string().min(1),
+});
+
+/**
+ * You can't destruct `process.env` as a regular object in the Next.js
+ * edge runtimes (e.g. middlewares) or client-side so we need to destruct manually.
+ * @type {Record<keyof z.infer<typeof server> | keyof z.infer<typeof client>, string | undefined>}
+ */
+const processEnv = {
+  NODE_ENV: process.env.NODE_ENV,
+  // NEXT_PUBLIC_CLIENTVAR: process.env.NEXT_PUBLIC_CLIENTVAR,
+};
+
+// Don't touch the part below
+// --------------------------
+
+const merged = server.merge(client);
+/** @type z.infer<merged>
+ *  @ts-ignore - can't type this properly in jsdoc */
+let env = process.env;
+
+if (!!process.env.SKIP_ENV_VALIDATION == false) {
+  const isServer = typeof window === "undefined";
+
+  const parsed = isServer
+    ? merged.safeParse(processEnv) // on server we can validate all env vars
+    : client.safeParse(processEnv); // on client we can only validate the ones that are exposed
+
+  if (parsed.success === false) {
+    console.error(
+      "❌ Invalid environment variables:",
+      parsed.error.flatten().fieldErrors,
+    );
+    throw new Error("Invalid environment variables");
+  }
+
+  /** @type z.infer<merged>
+   *  @ts-ignore - can't type this properly in jsdoc */
+  env = new Proxy(parsed.data, {
+    get(target, prop) {
+      if (typeof prop !== "string") return undefined;
+      // Throw a descriptive error if a server-side env var is accessed on the client
+      // Otherwise it would just be returning `undefined` and be annoying to debug
+      if (!isServer && !prop.startsWith("NEXT_PUBLIC_"))
+        throw new Error(
+          process.env.NODE_ENV === "production"
+            ? "❌ Attempted to access a server-side environment variable on the client"
+            : `❌ Attempted to access server-side environment variable '${prop}' on the client`,
+        );
+      /*  @ts-ignore - can't type this properly in jsdoc */
+      return target[prop];
+    },
+  });
+}
+
+export { env };

Diff for: cli/template/base/tsconfig.json

@@ -3,6 +3,7 @@
     "target": "es2017",
     "lib": ["dom", "dom.iterable", "esnext"],
     "allowJs": true,
+    "checkJs": true,
     "skipLibCheck": true,
     "strict": true,
     "forceConsistentCasingInFileNames": true,

Diff for: cli/template/extras/src/env/schema/with-auth-prisma.mjs

@@ -0,0 +1,93 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
+import { z } from "zod";
+
+/**
+ * Specify your server-side environment variables schema here.
+ * This way you can ensure the app isn't built with invalid env vars.
+ */
+const server = z.object({
+  DATABASE_URL: z.string().url(),
+  NODE_ENV: z.enum(["development", "test", "production"]),
+  NEXTAUTH_SECRET:
+    process.env.NODE_ENV === "production"
+      ? z.string().min(1)
+      : z.string().min(1).optional(),
+  NEXTAUTH_URL: z.preprocess(
+    // This makes Vercel deployments not fail if you don't set NEXTAUTH_URL
+    // Since NextAuth.js automatically uses the VERCEL_URL if present.
+    (str) => process.env.VERCEL_URL ?? str,
+    // VERCEL_URL doesn't include `https` so it cant be validated as a URL
+    process.env.VERCEL ? z.string().min(1) : z.string().url(),
+  ),
+  // Add `.min(1) on ID and SECRET if you want to make sure they're not empty
+  DISCORD_CLIENT_ID: z.string(),
+  DISCORD_CLIENT_SECRET: z.string(),
+});
+
+/**
+ * Specify your client-side environment variables schema here.
+ * This way you can ensure the app isn't built with invalid env vars.
+ * To expose them to the client, prefix them with `NEXT_PUBLIC_`.
+ */
+const client = z.object({
+  // NEXT_PUBLIC_CLIENTVAR: z.string().min(1),
+});
+
+/**
+ * You can't destruct `process.env` as a regular object in the Next.js
+ * edge runtimes (e.g. middlewares) or client-side so we need to destruct manually.
+ * @type {Record<keyof z.infer<typeof server> | keyof z.infer<typeof client>, string | undefined>}
+ */
+const processEnv = {
+  DATABASE_URL: process.env.DATABASE_URL,
+  NODE_ENV: process.env.NODE_ENV,
+  NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
+  NEXTAUTH_URL: process.env.NEXTAUTH_URL,
+  DISCORD_CLIENT_ID: process.env.DISCORD_CLIENT_ID,
+  DISCORD_CLIENT_SECRET: process.env.DISCORD_CLIENT_SECRET,
+  // NEXT_PUBLIC_CLIENTVAR: process.env.NEXT_PUBLIC_CLIENTVAR,
+};
+
+// Don't touch the part below
+// --------------------------
+
+const merged = server.merge(client);
+/** @type z.infer<merged>
+ *  @ts-ignore - can't type this properly in jsdoc */
+let env = process.env;
+
+if (!!process.env.SKIP_ENV_VALIDATION == false) {
+  const isServer = typeof window === "undefined";
+
+  const parsed = isServer
+    ? merged.safeParse(processEnv) // on server we can validate all env vars
+    : client.safeParse(processEnv); // on client we can only validate the ones that are exposed
+
+  if (parsed.success === false) {
+    console.error(
+      "❌ Invalid environment variables:",
+      parsed.error.flatten().fieldErrors,
+    );
+    throw new Error("Invalid environment variables");
+  }
+
+  /** @type z.infer<merged>
+   *  @ts-ignore - can't type this properly in jsdoc */
+  env = new Proxy(parsed.data, {
+    get(target, prop) {
+      if (typeof prop !== "string") return undefined;
+      // Throw a descriptive error if a server-side env var is accessed on the client
+      // Otherwise it would just be returning `undefined` and be annoying to debug
+      if (!isServer && !prop.startsWith("NEXT_PUBLIC_"))
+        throw new Error(
+          process.env.NODE_ENV === "production"
+            ? "❌ Attempted to access a server-side environment variable on the client"
+            : `❌ Attempted to access server-side environment variable '${prop}' on the client`,
+        );
+      /*  @ts-ignore - can't type this properly in jsdoc */
+      return target[prop];
+    },
+  });
+}
+
+export { env };