packages/auth/env.ts

import { z } from "zod/v4";

import { createBooleanSchema, createDurationSchema, createEnv } from "@homarr/core/infrastructure/env";
import { supportedAuthProviders } from "@homarr/definitions";

const authProvidersSchema = z
  .string()
  .min(1)
  .transform((providers) =>
    providers
      .replaceAll(" ", "")
      .toLowerCase()
      .split(",")
      .filter((provider) => {
        if (supportedAuthProviders.some((supportedProvider) => supportedProvider === provider)) return true;
        else if (!provider)
          console.log("One or more of the entries for AUTH_PROVIDER could not be parsed and/or returned null.");
        else console.log(`The value entered for AUTH_PROVIDER "${provider}" is incorrect.`);
        return false;
      }),
  )
  .default(["credentials"]);

const authProviders = authProvidersSchema.safeParse(process.env.AUTH_PROVIDERS).data ?? [];

export const env = createEnv({
  server: {
    AUTH_LOGOUT_REDIRECT_URL: z.string().url().optional(),
    AUTH_SESSION_EXPIRY_TIME: createDurationSchema("30d"),
    AUTH_PROVIDERS: authProvidersSchema,
    ...(authProviders.includes("oidc")
      ? {
          AUTH_OIDC_ISSUER: z.string().url(),
          AUTH_OIDC_CLIENT_ID: z.string().min(1),
          AUTH_OIDC_CLIENT_SECRET: z.string().min(1),
          AUTH_OIDC_CLIENT_NAME: z.string().min(1).default("OIDC"),
          AUTH_OIDC_AUTO_LOGIN: createBooleanSchema(false),
          AUTH_OIDC_SCOPE_OVERWRITE: z.string().min(1).default("openid email profile groups"),
          AUTH_OIDC_GROUPS_ATTRIBUTE: z.string().default("groups"), // Is used in the signIn event to assign the correct groups, key is from object of decoded id_token
          AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: z.string().optional(),
          AUTH_OIDC_FORCE_USERINFO: createBooleanSchema(false),
          AUTH_OIDC_ENABLE_DANGEROUS_ACCOUNT_LINKING: createBooleanSchema(false),
        }
      : {}),
    ...(authProviders.includes("ldap")
      ? {
          AUTH_LDAP_URI: z.string().url(),
          AUTH_LDAP_BIND_DN: z.string(),
          AUTH_LDAP_BIND_PASSWORD: z.string(),
          AUTH_LDAP_BASE: z.string(),
          AUTH_LDAP_SEARCH_SCOPE: z.enum(["base", "one", "sub"]).default("base"),
          AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default("uid"),
          AUTH_LDAP_USER_MAIL_ATTRIBUTE: z.string().default("mail"),
          AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: z.string().optional(),
          AUTH_LDAP_GROUP_CLASS: z.string().default("groupOfUniqueNames"),
          AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default("member"),
          AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default("dn"),
          AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: z.string().optional(),
        }
      : {}),
  },
  experimental__runtimeEnv: process.env,
});
fix(deps): upgrade zod to v4 and fix breaking changes (#3461) * fix(deps): update dependency drizzle-zod to ^0.8.2 * chore: update zod to v4 import * fix: path is no longer available in transform context * fix: AnyZodObject does no longer exist * fix: auth env.ts using wrong createEnv and remove unused file env-validation.ts * fix: required_error no longer exists on z.string * fix: zod error map is deprecated and replaced with config * fix: default requires callback now * fix: migrate zod resolver for mantine * fix: remove unused form translation file * fix: wrong enum type * fix: record now requires two arguments * fix: add-confirm-password-refinement type issues * fix: add missing first record argument for entityStateSchema * fix: migrate superrefine to check * fix(deps): upgrade zod-form-data to v3 * fix: migrate superRefine to check for mediaUploadSchema * fix: authProvidersSchema default is array * fix: use stringbool instead of custom implementation * fix: record requires first argument * fix: migrate superRefine to check for certificate router * fix: confirm pasword refinement is overwriting types * fix: email optional not working * fix: migrate intersection to object converter * fix: safe parse return value rename * fix: easier access for min and max number value * fix: migrate superRefine to check for oldmarr import file * fix: inference of enum shape for old-import board-size wrong * fix: errors renamed to issues * chore: address pull request feedback * fix: zod form requires object * fix: inference for use-zod-form not working * fix: remove unnecessary convertion * fix(deps): upgrade trpc-to-openapi to v3 * fix: build error * fix: migrate missing zod imports to v4 * fix: migrate zod records to v4 * fix: missing core package dependency in api module * fix: unable to convert custom zod schema to openapi schema * fix(deps): upgrade zod to v4 * chore(renovate): enable zod dependency updates * test: add simple unit test for convertIntersectionToZodObject --------- Co-authored-by: homarr-renovate[bot] <158783068+homarr-renovate[bot]@users.noreply.github.com> 2025-08-15 20:15:58 +02:00			`import { z } from "zod/v4";`
Initial commit 2023-12-08 22:35:15 +01:00
feat(infra): add external redis (#3639) 2025-07-20 17:13:57 +02:00			`import { createBooleanSchema, createDurationSchema, createEnv } from "@homarr/core/infrastructure/env";`
refactor: env validation typescript and common package (#1912) 2025-01-14 19:03:38 +01:00			`import { supportedAuthProviders } from "@homarr/definitions";`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00
			`const authProvidersSchema = z`
			`.string()`
			`.min(1)`
			`.transform((providers) =>`
			`providers`
			`.replaceAll(" ", "")`
			`.toLowerCase()`
			`.split(",")`
			`.filter((provider) => {`
refactor: env validation typescript and common package (#1912) 2025-01-14 19:03:38 +01:00			`if (supportedAuthProviders.some((supportedProvider) => supportedProvider === provider)) return true;`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`else if (!provider)`
			`console.log("One or more of the entries for AUTH_PROVIDER could not be parsed and/or returned null.");`
			else console.log(`The value entered for AUTH_PROVIDER "${provider}" is incorrect.`);
			`return false;`
			`}),`
			`)`
fix(deps): upgrade zod to v4 and fix breaking changes (#3461) * fix(deps): update dependency drizzle-zod to ^0.8.2 * chore: update zod to v4 import * fix: path is no longer available in transform context * fix: AnyZodObject does no longer exist * fix: auth env.ts using wrong createEnv and remove unused file env-validation.ts * fix: required_error no longer exists on z.string * fix: zod error map is deprecated and replaced with config * fix: default requires callback now * fix: migrate zod resolver for mantine * fix: remove unused form translation file * fix: wrong enum type * fix: record now requires two arguments * fix: add-confirm-password-refinement type issues * fix: add missing first record argument for entityStateSchema * fix: migrate superrefine to check * fix(deps): upgrade zod-form-data to v3 * fix: migrate superRefine to check for mediaUploadSchema * fix: authProvidersSchema default is array * fix: use stringbool instead of custom implementation * fix: record requires first argument * fix: migrate superRefine to check for certificate router * fix: confirm pasword refinement is overwriting types * fix: email optional not working * fix: migrate intersection to object converter * fix: safe parse return value rename * fix: easier access for min and max number value * fix: migrate superRefine to check for oldmarr import file * fix: inference of enum shape for old-import board-size wrong * fix: errors renamed to issues * chore: address pull request feedback * fix: zod form requires object * fix: inference for use-zod-form not working * fix: remove unnecessary convertion * fix(deps): upgrade trpc-to-openapi to v3 * fix: build error * fix: migrate missing zod imports to v4 * fix: migrate zod records to v4 * fix: missing core package dependency in api module * fix: unable to convert custom zod schema to openapi schema * fix(deps): upgrade zod to v4 * chore(renovate): enable zod dependency updates * test: add simple unit test for convertIntersectionToZodObject --------- Co-authored-by: homarr-renovate[bot] <158783068+homarr-renovate[bot]@users.noreply.github.com> 2025-08-15 20:15:58 +02:00			`.default(["credentials"]);`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00
feat(logging): add log level env variable (#2299) 2025-02-18 22:54:15 +01:00			`const authProviders = authProvidersSchema.safeParse(process.env.AUTH_PROVIDERS).data ?? [];`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00
Initial commit 2023-12-08 22:35:15 +01:00			`export const env = createEnv({`
			`server: {`
feat: add logout redirect url (#954) * feat: add logout redirect url * fix: format issue 2024-08-09 19:24:07 +02:00			`AUTH_LOGOUT_REDIRECT_URL: z.string().url().optional(),`
feat: add session expiry (#951) 2024-08-09 15:59:00 +02:00			`AUTH_SESSION_EXPIRY_TIME: createDurationSchema("30d"),`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`AUTH_PROVIDERS: authProvidersSchema,`
			`...(authProviders.includes("oidc")`
			`? {`
			`AUTH_OIDC_ISSUER: z.string().url(),`
			`AUTH_OIDC_CLIENT_ID: z.string().min(1),`
			`AUTH_OIDC_CLIENT_SECRET: z.string().min(1),`
			`AUTH_OIDC_CLIENT_NAME: z.string().min(1).default("OIDC"),`
refactor: env validation typescript and common package (#1912) 2025-01-14 19:03:38 +01:00			`AUTH_OIDC_AUTO_LOGIN: createBooleanSchema(false),`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`AUTH_OIDC_SCOPE_OVERWRITE: z.string().min(1).default("openid email profile groups"),`
refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider (#1223) * refactor: replace signIn callback with signIn event, adjust getUserByEmail in adapter to check provider * test: adjusting tests for adapter and events * docs: add comments for unknown auth provider * fix: missing dayjs import 2024-10-07 21:13:15 +02:00			`AUTH_OIDC_GROUPS_ATTRIBUTE: z.string().default("groups"), // Is used in the signIn event to assign the correct groups, key is from object of decoded id_token`
feat(auth): add env variable for oidc-name-attribute-overwrite (#1850) 2025-01-04 21:49:33 +01:00			`AUTH_OIDC_NAME_ATTRIBUTE_OVERWRITE: z.string().optional(),`
feat(auth): add env variable to force user-info usage instead of idtoken (#2711) 2025-03-27 22:57:06 +01:00			`AUTH_OIDC_FORCE_USERINFO: createBooleanSchema(false),`
feat(auth): add account linking for oidc providers (#3106) Co-authored-by: Manuel <30572287+manuel-rw@users.noreply.github.com> 2025-05-16 20:57:51 +02:00			`AUTH_OIDC_ENABLE_DANGEROUS_ACCOUNT_LINKING: createBooleanSchema(false),`
feat: add ldap and oidc sso (#500) * wip: sso * feat: add ldap client and provider * feat: implement login form * feat: finish sso * fix: lint and format issue * chore: address pull request feedback * fix: build not working * fix: oidc is redirected to internal docker container hostname * fix: build not working * refactor: migrate to ldapts * fix: format and frozen lock file * fix: deepsource issues * fix: unit tests for ldap authorization not working * refactor: remove unnecessary args from dockerfile * chore: address pull request feedback * fix: use console instead of logger in auth env.mjs * fix: default value for auth provider of wrong type * fix: broken lock file * fix: format issue 2024-07-20 22:23:58 +02:00			`}`
			`: {}),`
			`...(authProviders.includes("ldap")`
			`? {`
			`AUTH_LDAP_URI: z.string().url(),`
			`AUTH_LDAP_BIND_DN: z.string(),`
			`AUTH_LDAP_BIND_PASSWORD: z.string(),`
			`AUTH_LDAP_BASE: z.string(),`
			`AUTH_LDAP_SEARCH_SCOPE: z.enum(["base", "one", "sub"]).default("base"),`
			`AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default("uid"),`
			`AUTH_LDAP_USER_MAIL_ATTRIBUTE: z.string().default("mail"),`
			`AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: z.string().optional(),`
			`AUTH_LDAP_GROUP_CLASS: z.string().default("groupOfUniqueNames"),`
			`AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default("member"),`
			`AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default("dn"),`
			`AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: z.string().optional(),`
			`}`
			`: {}),`
Initial commit 2023-12-08 22:35:15 +01:00			`},`
feat(logging): add log level env variable (#2299) 2025-02-18 22:54:15 +01:00			`experimental__runtimeEnv: process.env,`
Initial commit 2023-12-08 22:35:15 +01:00			`});`