fix(#1025): prevent nextauth configuration crashes for unconfigured providers #1060

Open
aniruddhaadak80 wants to merge 1 commit into f:main from aniruddhaadak80:fix-oauth-unconfigured-crash

@aniruddhaadak80 aniruddhaadak80 commented Mar 10, 2026

This pull request directly addresses issue #1025 where users hosting via Docker encounter a `Configuration` error redirect upon logging in.

The issue surfaces when users specify OAuth strategies (like github or google) in their `PCHAT_AUTH_PROVIDERS` string but fail to provide the corresponding client IDs and secrets in their environment variables. NextAuth responds to the empty strings by throwing a strict configuration error, disabling the authentication interface entirely, including the standard working email/credentials mechanism.

To fix this, the OAuth provider plugin loaders natively check if their respective environment keys are present before attempting initialization. If they are missing, it emits a setup warning in the console but safely returns a null provider that filters gracefully. This guarantees NextAuth functions securely with the remaining active providers without entering a failure crash loop.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced error handling across Apple, Azure, GitHub, and Google authentication providers to validate required credentials at runtime. Providers now gracefully disable with informative warning messages if environment variables are missing, improving reliability and preventing authentication failures from incomplete configuration.

Copilot AI review requested due to automatic review settings March 10, 2026 13:23

coderabbitai bot commented Mar 10, 2026

Walkthrough

The pull request adds runtime validation of required environment variables across all authentication provider plugins (Apple, Azure, GitHub, Google). Each plugin's getProvider method now guards against missing credentials, logging warnings and returning null if absent, replacing previous non-null assertions. The AuthPlugin interface type was updated to reflect that getProvider can return null.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Provider Validation: src/lib/plugins/auth/apple.ts, src/lib/plugins/auth/azure.ts, src/lib/plugins/auth/github.ts, src/lib/plugins/auth/google.ts | Added runtime validation guards to getProvider methods; each now checks for required environment variables (e.g., CLIENT_ID, CLIENT_SECRET) and returns null with a warning if missing, replacing previous non-null assertions. |
| Type Definition Update: src/lib/plugins/types.ts | Updated AuthPlugin.getProvider return type from `NextAuthConfig["providers"][number]` to `NextAuthConfig["providers"][number] \| null`. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With guard clauses steady and checks held tight,
Our auth providers now validate each site,
No rushing ahead with assertions so bold,
Just quiet warnings when secrets untold,
A safer path forward, more careful and wise!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: preventing NextAuth crashes by validating provider configuration. It references the issue number and directly relates to the core fix across all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Copilot AI left a comment

Pull request overview

This PR prevents NextAuth from throwing configuration errors when an OAuth provider is listed in PCHAT_AUTH_PROVIDERS but its required environment variables are missing/empty, allowing remaining providers (e.g., credentials) to continue working.

Changes:

  • Updated AuthPlugin.getProvider() to allow returning null when a provider is not configured.
  • Added env-var guards to Google/GitHub/Azure AD/Apple auth plugins that warn and disable the provider instead of crashing NextAuth.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| src/lib/plugins/types.ts | Allows auth plugins to return null providers (disabling misconfigured providers). |
| src/lib/plugins/auth/google.ts | Skips Google provider init when env vars are missing; logs a warning. |
| src/lib/plugins/auth/github.ts | Skips GitHub provider init when env vars are missing; logs a warning. |
| src/lib/plugins/auth/azure.ts | Skips Azure AD provider init when env vars are missing; logs a warning. |
| src/lib/plugins/auth/apple.ts | Skips Apple provider init when env vars are missing; logs a warning. |

Comment on lines 10 to +13
/**
* Returns the NextAuth provider configuration
*/
getProvider: () => NextAuthConfig["providers"][number];
getProvider: () => NextAuthConfig["providers"][number] | null;
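Review bot: The `| null` now allowed on `getProvider` has no matching call-site change visible in this hunk, so nothing here shows null entries being removed before the `providers` array is handed to NextAuth. Confirm the caller drops them with a type guard, for example `.filter((p): p is NonNullable<typeof p> => p !== null)`, so that a disabled plugin can never reach the NextAuth configuration as a null element.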
Copilot AI Mar 10, 2026

The JSDoc says getProvider "Returns the NextAuth provider configuration", but the signature now allows null. Update the comment to reflect that providers may be disabled (e.g., return null when required env vars are missing) so plugin authors and callers know to handle the nullable return.

Comment on lines +8 to +15
if (!process.env.GOOGLE_CLIENT_ID || !process.env.GOOGLE_CLIENT_SECRET) {
console.warn("Missing GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET. Google auth provider disabled.");
return null;
}
return Google({
clientId: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
});
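Review bot: The falsy test in `if (!process.env.GOOGLE_CLIENT_ID || !process.env.GOOGLE_CLIENT_SECRET)` rejects only an unset variable and the empty string, so a whitespace-only value still reaches `Google({ ... })`. Trim the values before testing them, and have the warning name the one variable that is actually missing (never its value) instead of always listing both.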
Copilot AI Mar 10, 2026

After the env var guard, process.env.* is still typed as string | undefined (TypeScript does not narrow property accesses like process.env.GOOGLE_CLIENT_ID). With strict: true, passing these directly into the NextAuth provider options can cause a type error. Consider assigning to local const clientId = process.env.GOOGLE_CLIENT_ID / clientSecret = ... after the check (or using a non-null assertion after the check) so the provider receives string.

Comment on lines +8 to +14
if (!process.env.GITHUB_CLIENT_ID || !process.env.GITHUB_CLIENT_SECRET) {
console.warn("Missing GITHUB_CLIENT_ID or GITHUB_CLIENT_SECRET. GitHub auth provider disabled.");
return null;
}
return GitHub({
clientId: process.env.GITHUB_CLIENT_ID,
clientSecret: process.env.GITHUB_CLIENT_SECRET,
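Review bot: The `console.warn` call sits inside `getProvider`, so the "GitHub auth provider disabled" message is emitted on every call rather than once. If `getProvider` can run more than once per process, log the disabled provider a single time (for example behind a module-level flag) so the warning stays visible in the container logs without repeating.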
Copilot AI Mar 10, 2026

TypeScript won't narrow process.env.GITHUB_CLIENT_ID / process.env.GITHUB_CLIENT_SECRET to string based on the preceding if check, so these properties remain string | undefined under strict mode. Passing them directly to GitHub({ clientId, clientSecret }) can fail type-checking; capture them into local const values after the guard (or use non-null assertions after the guard) before constructing the provider config.

Comment on lines +8 to +14
if (!process.env.AZURE_AD_CLIENT_ID || !process.env.AZURE_AD_CLIENT_SECRET) {
console.warn("Missing AZURE_AD_CLIENT_ID or AZURE_AD_CLIENT_SECRET. Azure AD auth provider disabled.");
return null;
}
return MicrosoftEntraID({
clientId: process.env.AZURE_AD_CLIENT_ID,
clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
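Review bot: The guard covers `AZURE_AD_CLIENT_ID` and `AZURE_AD_CLIENT_SECRET` only, and the `MicrosoftEntraID({` options are cut off after `clientSecret` in this view. If the remaining options read any further environment variable, add it to the same check so that a partly configured Azure AD provider is disabled rather than initialised with an undefined value.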
Copilot AI Mar 10, 2026

Even after the env var guard, process.env.AZURE_AD_CLIENT_ID / process.env.AZURE_AD_CLIENT_SECRET remain typed as string | undefined (TypeScript does not narrow property access). With strict enabled, MicrosoftEntraID({ clientId, clientSecret }) may not type-check. Assign these env values to local const variables (or assert non-null after the guard) before passing them into the provider options.

Comment on lines +8 to +14
if (!process.env.AUTH_APPLE_ID || !process.env.AUTH_APPLE_SECRET) {
console.warn("Missing AUTH_APPLE_ID or AUTH_APPLE_SECRET. Apple auth provider disabled.");
return null;
}
return Apple({
clientId: process.env.AUTH_APPLE_ID,
clientSecret: process.env.AUTH_APPLE_SECRET,
Copilot AI Mar 10, 2026

The env var check prevents runtime misconfiguration, but TypeScript still types process.env.AUTH_APPLE_ID / process.env.AUTH_APPLE_SECRET as string | undefined because property accesses aren’t narrowed. Passing them directly to Apple({ clientId, clientSecret }) can fail under strict mode; store them in local const variables after the guard (or use non-null assertions after the guard) before building the provider config.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
src/lib/plugins/auth/apple.ts (1)

7-10: Extract the missing-env guard into a shared helper.

This same env check + console.warn + return null block now exists here and in src/lib/plugins/auth/azure.ts, src/lib/plugins/auth/google.ts, and src/lib/plugins/auth/github.ts. Centralizing it would keep the required keys and warning format consistent across providers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/lib/plugins/auth/apple.ts` around lines 7 - 10, Extract the repeated
environment check into a shared helper (e.g., export a function like
ensureAuthEnv or getMissingAuthWarning) and replace the inline guard in each
provider's getProvider (Apple's getProvider, and similarly in azure.ts,
google.ts, github.ts) to call that helper; the helper should accept the required
keys (or an array of required env names) and return null/emit the standardized
console.warn when keys are missing, while getProvider should simply return the
helper's result or proceed to create the provider when it returns a truthy
signal. Ensure the helper is imported and used in getProvider so the check +
warning + null return behavior is centralized and consistent.

📥 Commits

Reviewing files that changed from the base of the PR and between ef30314 and f4179c4.

📒 Files selected for processing (5)
  • src/lib/plugins/auth/apple.ts
  • src/lib/plugins/auth/azure.ts
  • src/lib/plugins/auth/github.ts
  • src/lib/plugins/auth/google.ts
  • src/lib/plugins/types.ts
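
The shared guard suggested in the review above, together with the null filtering the widened `getProvider` type requires, as an added TypeScript example (not code from this pull request or the project). `requireEnv`, `oauthPlugin`, `activeProviders` and `ProviderConfig` are hypothetical names, and the environment and warning sink are passed in as parameters (in the application they would be `process.env` and `console.warn`) so the sketch runs stand-alone.

```typescript
// Added example: stand-alone sketch, not code from the pull request.
type Env = Record<string, string | undefined>;
type Warn = (message: string) => void;
// Hypothetical stand-in for a NextAuth provider config object.
interface ProviderConfig { id: string; clientId: string; clientSecret: string }
interface AuthPlugin { getProvider: (env: Env, warn: Warn) => ProviderConfig | null }

// Returns trimmed values, or null after one warning listing missing names (never values).
function requireEnv(label: string, names: string[], env: Env, warn: Warn): Record<string, string> | null {
  const values: Record<string, string> = {};
  const missing: string[] = [];
  for (const name of names) {
    const value = (env[name] ?? "").trim(); // unset, "" and "  " all count as missing
    if (value === "") missing.push(name);
    else values[name] = value;
  }
  if (missing.length > 0) {
    warn(`Missing ${missing.join(", ")}. ${label} auth provider disabled.`);
    return null;
  }
  return values; // every entry is a non-empty string, so callers need no `!`
}

// Builds a plugin from a provider id, display label and its two variable names.
function oauthPlugin(id: string, label: string, idVar: string, secretVar: string): AuthPlugin {
  return {
    getProvider: (env, warn) => {
      const cfg = requireEnv(label, [idVar, secretVar], env, warn);
      return cfg && { id, clientId: cfg[idVar], clientSecret: cfg[secretVar] };
    },
  };
}

// Drops disabled providers before the list reaches the auth configuration.
function activeProviders(plugins: AuthPlugin[], env: Env, warn: Warn): ProviderConfig[] {
  return plugins
    .map((plugin) => plugin.getProvider(env, warn))
    .filter((p): p is ProviderConfig => p !== null);
}

// Constructed sample: Google is complete, GitHub's secret is whitespace only.
const sampleEnv: Env = {
  GOOGLE_CLIENT_ID: "constructed-id", GOOGLE_CLIENT_SECRET: "constructed-secret",
  GITHUB_CLIENT_ID: "constructed-id", GITHUB_CLIENT_SECRET: "   ",
};
const warnings: string[] = [];
const enabled = activeProviders([
  oauthPlugin("google", "Google", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"),
  oauthPlugin("github", "GitHub", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"),
], sampleEnv, (m) => warnings.push(m));
```

With the constructed environment, only the Google entry survives and the single warning names `GITHUB_CLIENT_SECRET` alone.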
