This repository was archived by the owner on Apr 9, 2026. It is now read-only.

Add Cloud SQL connector DB mode switch with DB schema search_path + CI-safe DB init for auth-provider #46

Merged: evanpetzoldt merged 6 commits into main from copilot/add-gcp-sql-auth-proxy-switch on Mar 23, 2026

Conversation

Copilot AI commented Mar 23, 2026

👋 TL;DR

Adds an environment-variable DB connection mode switch for auth-provider (direct or Cloud SQL Connector), plus DB_SCHEMA/search_path support, CI-safe lazy DB initialization, and a direct-mode guard to avoid overriding an existing search_path already set in DATABASE_URL.

🔎 Details

  • Added DB mode selection in auth-provider/db/index.ts:
    • DB_CONNECTION_MODE=direct (default): uses DATABASE_URL
    • DB_CONNECTION_MODE=connector: uses @google-cloud/cloud-sql-connector
  • Added connector env support and validation:
    • CLOUD_SQL_CONNECTION_NAME, DB_USER, DB_PASSWORD, DB_NAME
    • optional CLOUD_SQL_IP_TYPE (defaults to PUBLIC)
  • Added PostgreSQL schema/search path support:
    • new env var DB_SCHEMA (default: public)
    • applied to connector pools via options: -c search_path=...
    • for direct mode, applies options: -c search_path=... only when DATABASE_URL does not already specify schema/search path settings
    • added schema-name validation and safe quoting for comma-separated schema lists
  • Refined DB initialization behavior:
    • switched to lazy pool initialization (first DB use) instead of eager init at module import
    • prevents build-time failures when DB env vars are unavailable during Next.js build steps
  • CI/build stability adjustment:
    • auth-provider/app/page.tsx now exports dynamic = 'force-dynamic' to avoid static page-data collection executing DB queries at build time
  • Added dependency:
    • @google-cloud/cloud-sql-connector@1.9.2
  • Updated deployment/env docs and config:
    • auth-provider/.env.example
    • auth-provider/README.md
    • auth-provider/apphosting.yaml (includes DB_SCHEMA and connector-related env/secret entries)
    • auth-provider/scripts/firebase-secrets.sh (mode-aware required vars and DB_SCHEMA support)

✅ How to Test

  1. Install dependencies:
    • npm run install
  2. Validate code quality:
    • npm run lint
    • npm run typecheck
  3. Validate direct mode (URL already defines search path):
    • Set DB_CONNECTION_MODE=direct
    • Set DATABASE_URL with schema/search path (for example, via URL options)
    • Start app and verify DB-backed auth flows work and URL-provided schema is used
  4. Validate direct mode (URL does not define search path):
    • Set DB_CONNECTION_MODE=direct, DATABASE_URL=..., and optional DB_SCHEMA=public (or comma-separated schemas)
    • Start app and verify DB-backed auth flows work using DB_SCHEMA
  5. Validate connector mode:
    • Set DB_CONNECTION_MODE=connector
    • Set CLOUD_SQL_CONNECTION_NAME, DB_USER, DB_PASSWORD, DB_NAME
    • (optional) set CLOUD_SQL_IP_TYPE=PUBLIC|PRIVATE
    • (optional) set DB_SCHEMA (single schema or comma-separated list)
    • Start app and verify DB-backed auth flows work
  6. If using Firebase App Hosting secret automation:
    • Ensure .env.prod includes DB_CONNECTION_MODE, DB_SCHEMA, and the appropriate vars for selected mode
    • Run npm run firebase:secrets
  7. CI/build check:
    • Confirm auth-provider build no longer fails due to eager DB pool initialization when DATABASE_URL is unset at build-time data collection

Copilot AI and others added 3 commits March 23, 2026 10:54
…nector support

Co-authored-by: evanpetzoldt <48631145+evanpetzoldt@users.noreply.github.com>
Agent-Logs-Url: https://github.com/F3-Nation/f3-nation-auth/sessions/9c96ab8b-9202-488c-b587-e75804d4b908
…ets script

Co-authored-by: evanpetzoldt <48631145+evanpetzoldt@users.noreply.github.com>
Agent-Logs-Url: https://github.com/F3-Nation/f3-nation-auth/sessions/9c96ab8b-9202-488c-b587-e75804d4b908

@evanpetzoldt evanpetzoldt left a comment

This all looks fine to me... I don't suppose @pstaylor-patrick would be able to take a quick look? CC @taterhead247

@evanpetzoldt evanpetzoldt marked this pull request as ready for review March 23, 2026 11:11

@evanpetzoldt evanpetzoldt left a comment

@copilot see suggestion, we need to use a search path to reach the right destination. This will need to be added to secrets.

Also, the CI build is failing, it says DATABASE_URL is missing; I'm not sure why that is, but I'm guessing it's in load_environment_variables()

Comment thread auth-provider/db/index.ts
Copilot AI and others added 2 commits March 23, 2026 12:02
…l init for CI

Co-authored-by: evanpetzoldt <48631145+evanpetzoldt@users.noreply.github.com>
Agent-Logs-Url: https://github.com/F3-Nation/f3-nation-auth/sessions/c31b6414-a65c-49ef-ab8e-531f93287061

Copilot AI commented Mar 23, 2026

@copilot see suggestion, we need to use a search path to reach the right destination. This will need to be added to secrets.

Also, the CI build is failing, it says DATABASE_URL is missing; I'm not s...

Addressed in 0b18c9a (follow-up bd3ae10). Added DB_SCHEMA search_path support and wired it into apphosting/env/secrets. For the CI failure, logs showed DATABASE_URL was empty at build-time page-data collection, so DB pool creation is now lazy (first DB use) and app/page.tsx is force-dynamic to avoid build-time DB access.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • fonts.googleapis.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/f3-nation-auth/f3-nation-auth/auth-provider/node_modules/.bin/next build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Add Cloud SQL connector DB mode switch for auth-provider Add Cloud SQL connector DB mode switch with DB schema search_path + CI-safe DB init for auth-provider Mar 23, 2026
Copilot AI requested a review from evanpetzoldt March 23, 2026 12:06
Comment thread auth-provider/db/index.ts
Comment on lines +65 to +75
function createDirectPool(): Pool {
const connectionString = process.env.DATABASE_URL;

if (!connectionString) {
throw new Error('DATABASE_URL is missing. Cannot connect to the database.');
}

const searchPath = getSearchPath();
return new Pool({ connectionString, options: `-c search_path=${searchPath}` });
}
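
Review bot: On the final return statement, options: `-c search_path=${searchPath}` is set for every direct-mode pool, so a DATABASE_URL that already carries its own search path setting ends up with two competing sources for the same session parameter. Consider adding the option only when the connection string does not already specify one. The value from getSearchPath() is also interpolated into the options string as-is and its definition is outside these lines; because the server splits that string on whitespace, it is worth confirming the helper rejects values containing spaces or backslashes.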

Contributor

@copilot DATABASE_URL already has a search path in it... will this break by adding it again in the options argument of the Pool constructor?

Contributor Author

Good catch — I updated this in 8334ae8. In direct mode, if DATABASE_URL already includes search_path/currentSchema (or options with search_path), we now skip adding Pool options so we don’t duplicate/override it. We only add options when the URL does not already set it. UI screenshot: N/A (backend-only change).
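
The direct-mode guard described in this reply, together with the schema-name validation and quoting listed in the PR description, as an added TypeScript example. It is not the code from auth-provider/db/index.ts; the function names, the lowercase-only schema rule and the sample URLs are assumptions.

```typescript
// Added example; function names are hypothetical, not the project's own.
// Assumption: schema names are restricted to plain lowercase identifiers.
const SCHEMA_NAME = /^[a-z_][a-z0-9_]*$/;

// Turn a DB_SCHEMA value ("auth" or "auth, public") into a quoted search_path list.
function buildSearchPath(dbSchema?: string): string {
  const names = (dbSchema?.trim() || 'public').split(',').map((s) => s.trim());
  const bad = names.find((n) => !SCHEMA_NAME.test(n));
  if (bad !== undefined) {
    throw new Error(`Invalid schema name in DB_SCHEMA: ${JSON.stringify(bad)}`);
  }
  // The result contains no whitespace, so it stays a single token in the options string.
  return names.map((n) => `"${n}"`).join(',');
}

// True when the URL already selects a schema via search_path, currentSchema,
// or an options parameter that sets search_path (the three cases in the reply).
function urlSetsSearchPath(databaseUrl: string): boolean {
  const params = new URL(databaseUrl).searchParams; // values are percent-decoded
  if (params.has('search_path') || params.has('currentSchema')) return true;
  return params.getAll('options').some((o) => /search_path\s*=/.test(o));
}

interface DirectPoolConfig {
  connectionString: string;
  options?: string;
}

// Build the config object that would be passed to the pg Pool constructor.
function directPoolConfig(databaseUrl?: string, dbSchema?: string): DirectPoolConfig {
  if (!databaseUrl) {
    throw new Error('DATABASE_URL is missing. Cannot connect to the database.');
  }
  if (urlSetsSearchPath(databaseUrl)) {
    return { connectionString: databaseUrl }; // leave the URL's own setting alone
  }
  return { connectionString: databaseUrl, options: `-c search_path=${buildSearchPath(dbSchema)}` };
}

// Constructed sample URLs (placeholder host and credentials).
const withPath = 'postgres://app:pw@db.example.internal:5432/auth?options=-c%20search_path%3Dauth';
const withoutPath = 'postgres://app:pw@db.example.internal:5432/auth';
console.log(directPoolConfig(withPath, 'public'));
console.log(directPoolConfig(withoutPath, 'auth, public'));
```

Double-quoting makes each name case-sensitive on the server, which is why the example accepts only lowercase names.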

@evanpetzoldt evanpetzoldt left a comment

Alright, I think this looks good again from my perspective

@taterhead247 taterhead247 left a comment

nothing stands out as terribly bad

@evanpetzoldt evanpetzoldt merged commit 2aab158 into main Mar 23, 2026
12 checks passed
@evanpetzoldt evanpetzoldt deleted the copilot/add-gcp-sql-auth-proxy-switch branch March 23, 2026 13:15
@taterhead247 taterhead247 linked an issue Mar 23, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

Migrate solo repo auth to Auth Proxy
