fix: strip surrounding quotes from environment variable values

dgellow · claude · dgellow · commit 5a87c83a7c98 · 2025-06-16T16:48:07.000+02:00
Fixes issue where systemd/Docker env files with quoted values like ENCRYPTION_KEY="32-char-key" were parsed with quotes included, causing "34 bytes" errors in production. Changes: - Strip matching surrounding quotes (single or double) from env values - Only strip if quotes match at both ends (e.g., "value" or 'value') - Preserve internal quotes and mismatched quotes - Add comprehensive test coverage for quote handling This resolves the production issue where JWT secrets and encryption keys were failing validation due to included quotes from .env files. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/internal/config/types.go b/internal/config/types.go
@@ -167,6 +167,13 @@ func parseConfigValue(raw json.RawMessage) (*RawConfigValue, error) {
 		if value == "" {
 			return nil, fmt.Errorf("environment variable %s not set", envVar)
 		}
+		// Strip surrounding quotes if present (only matching pairs)
+		if len(value) >= 2 {
+			if (value[0] == '"' && value[len(value)-1] == '"') ||
+				(value[0] == '\'' && value[len(value)-1] == '\'') {
+				value = value[1 : len(value)-1]
+			}
+		}
 		return &RawConfigValue{value: value, needsUserToken: false}, nil
 	}
 
diff --git a/internal/config/unmarshal_test.go b/internal/config/unmarshal_test.go
@@ -31,6 +31,41 @@ func TestParseConfigValue(t *testing.T) {
 			expectedValue: "test value",
 			expectedToken: false,
 		},
+		{
+			name:          "env reference with double quotes",
+			input:         `{"$env": "QUOTED_VAR"}`,
+			envVars:       map[string]string{"QUOTED_VAR": `"quoted value"`},
+			expectedValue: "quoted value",
+			expectedToken: false,
+		},
+		{
+			name:          "env reference with single quotes",
+			input:         `{"$env": "SINGLE_QUOTED"}`,
+			envVars:       map[string]string{"SINGLE_QUOTED": `'single quoted'`},
+			expectedValue: "single quoted",
+			expectedToken: false,
+		},
+		{
+			name:          "env reference with mixed quotes not stripped",
+			input:         `{"$env": "MIXED_QUOTES"}`,
+			envVars:       map[string]string{"MIXED_QUOTES": `"mixed quotes'`},
+			expectedValue: `"mixed quotes'`,
+			expectedToken: false,
+		},
+		{
+			name:          "env reference with no surrounding quotes",
+			input:         `{"$env": "NO_QUOTES"}`,
+			envVars:       map[string]string{"NO_QUOTES": `no quotes`},
+			expectedValue: "no quotes",
+			expectedToken: false,
+		},
+		{
+			name:          "env reference with internal quotes preserved",
+			input:         `{"$env": "INTERNAL_QUOTES"}`,
+			envVars:       map[string]string{"INTERNAL_QUOTES": `"value with "internal" quotes"`},
+			expectedValue: `value with "internal" quotes`,
+			expectedToken: false,
+		},
 		{
 			name:          "missing env var",
 			input:         `{"$env": "MISSING_VAR"}`,

Original file line number	Diff line number	Diff line change
`@@ -167,6 +167,13 @@ func parseConfigValue(raw json.RawMessage) (*RawConfigValue, error) {`
`167`	`167`	`if value == "" {`
`168`	`168`	`return nil, fmt.Errorf("environment variable %s not set", envVar)`
`169`	`169`	`}`
	`170`	`+ // Strip surrounding quotes if present (only matching pairs)`
	`171`	`+ if len(value) >= 2 {`
	`172`	`+ if (value[0] == '"' && value[len(value)-1] == '"') \|\|`
	`173`	`+ (value[0] == '\'' && value[len(value)-1] == '\'') {`
	`174`	`+ value = value[1 : len(value)-1]`
	`175`	`+ }`
	`176`	`+ }`
`170`	`177`	`return &RawConfigValue{value: value, needsUserToken: false}, nil`
`171`	`178`	`}`
`172`	`179`