feat: enhance authentication and accounts handling with server-only environment variables

Author: majkshkurti

apps/web/middlewares/withAuth.ts

@@ -19,7 +19,13 @@ const publicPaths = ["/map/public", "/print"];
 
 export const withAuth: MiddlewareFactory = (next) => {
   return async (request: NextRequest, _next) => {
-    if (process.env.NEXT_PUBLIC_AUTH_DISABLED || !process.env.NEXTAUTH_URL || !process.env.NEXTAUTH_SECRET) {
+    // Check if auth is disabled using server-only env var (without NEXT_PUBLIC_ prefix)
+    // IMPORTANT: NEXT_PUBLIC_* vars are inlined at build time and won't work for runtime checks
+    // in Edge Runtime middleware. Use AUTH_DISABLED (server-only) for runtime configuration.
+    const authDisabledEnv = process.env.AUTH_DISABLED;
+    const isAuthDisabled = authDisabledEnv && authDisabledEnv.toLowerCase() === "true";
+
+    if (isAuthDisabled || !process.env.NEXTAUTH_URL || !process.env.NEXTAUTH_SECRET) {
       return next(request, _next);
     }
     const { pathname, search, origin, basePath } = request.nextUrl;

apps/web/middlewares/withOrganization.ts

@@ -12,18 +12,25 @@ const publicPaths = ["/map/public"];
 
 export const withOrganization: MiddlewareFactory = (next) => {
   return async (request: NextRequest, _next) => {
-    // Check if auth/accounts are disabled - handle both actual values and unreplaced placeholders
+    // Check if auth/accounts are disabled using server-only env vars (without NEXT_PUBLIC_ prefix)
+    // IMPORTANT: NEXT_PUBLIC_* vars are inlined at build time and won't work for runtime checks
+    // in Edge Runtime middleware. Use AUTH_DISABLED and ACCOUNTS_DISABLED (server-only) for runtime configuration.
+    const authDisabledEnv = process.env.AUTH_DISABLED;
+    const accountsDisabledEnv = process.env.ACCOUNTS_DISABLED;
+    const isAuthDisabled = authDisabledEnv && authDisabledEnv.toLowerCase() === "true";
+    const isAccountsDisabled = accountsDisabledEnv && accountsDisabledEnv.toLowerCase() === "true";
+
     if (
-      process.env.NEXT_PUBLIC_AUTH_DISABLED ||
-      process.env.NEXT_PUBLIC_ACCOUNTS_DISABLED ||
+      isAuthDisabled ||
+      isAccountsDisabled ||
       !process.env.NEXTAUTH_URL ||
       !process.env.NEXTAUTH_SECRET ||
-      !process.env.NEXT_PUBLIC_ACCOUNTS_API_URL
+      !process.env.ACCOUNTS_API_URL
     ) {
       return next(request, _next);
     }
 
-    const USERS_API_BASE_URL = new URL("api/v1/users", process.env.NEXT_PUBLIC_ACCOUNTS_API_URL).href;
+    const USERS_API_BASE_URL = new URL("api/v1/users", process.env.ACCOUNTS_API_URL).href;
 
     const { pathname, origin, basePath } = request.nextUrl;
 

compose.yaml

@@ -555,5 +555,9 @@ services:
       NEXT_PUBLIC_SENTRY_DSN: ${NEXT_PUBLIC_SENTRY_DSN}
       NEXT_PUBLIC_AUTH_DISABLED: ${NEXT_PUBLIC_AUTH_DISABLED}
       NEXT_PUBLIC_ACCOUNTS_DISABLED: ${NEXT_PUBLIC_ACCOUNTS_DISABLED}
+      # Server-only env vars for Edge Runtime middleware (NEXT_PUBLIC_* are inlined at build time)
+      AUTH_DISABLED: ${NEXT_PUBLIC_AUTH_DISABLED}
+      ACCOUNTS_DISABLED: ${NEXT_PUBLIC_ACCOUNTS_DISABLED}
+      ACCOUNTS_API_URL: ${NEXT_PUBLIC_ACCOUNTS_API_URL}
     depends_on:
       - core

turbo.json

@@ -57,6 +57,9 @@
     "NEXTAUTH_URL",
     "NEXT_PUBLIC_AUTH_DISABLED",
     "NEXT_PUBLIC_ACCOUNTS_DISABLED",
+    "AUTH_DISABLED",
+    "ACCOUNTS_DISABLED",
+    "ACCOUNTS_API_URL",
     "NEXT_PUBLIC_SENTRY_DSN",
     "NEXT_RUNTIME",
     "NEXTAUTH_SECRET",