From 6c9c5bd98136ea5bfa51a2eef45fcb22f124dcfe Mon Sep 17 00:00:00 2001
From: jackkav <jackkav@gmail.com>
Date: Sat, 30 May 2026 20:47:37 +0200
Subject: [PATCH] Expose env vars to renderer via contextBridge window.env

In the renderer process with nodeIntegration disabled, process.env is not
available. The preload script now explicitly whitelists the env vars the
renderer needs and exposes them as window.env via contextBridge.
constants.ts reads from window.env in the renderer and falls back to
process.env for the inso CLI and main process.
---
 packages/insomnia/src/common/constants.ts | 11 ++++---
 packages/insomnia/src/entry.preload.ts    | 40 +++++++++++++++++++++++
 packages/insomnia/types/global.d.ts       | 28 ++++++++++++++++
 3 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/packages/insomnia/src/common/constants.ts b/packages/insomnia/src/common/constants.ts
index ab46c2c54e..33a4c6706a 100644
--- a/packages/insomnia/src/common/constants.ts
+++ b/packages/insomnia/src/common/constants.ts
@@ -13,10 +13,11 @@ import {
 import appConfig from '../../config/config.json';
 import { version } from '../../package.json';
 
-// Vite is filtering out process.env variables that are not prefixed with VITE_.
+// In the renderer (nodeIntegration disabled) env vars come from the preload via window.env.
+// In the inso CLI and main process, fall back to process.env.
 const ENV = 'env';
 
-const env = process[ENV];
+const env = (typeof window !== 'undefined' && window.env) ? window.env : process[ENV];
 
 export const INSOMNIA_GITLAB_REDIRECT_URI = env.INSOMNIA_GITLAB_REDIRECT_URI;
 export const INSOMNIA_GITLAB_CLIENT_ID = env.INSOMNIA_GITLAB_CLIENT_ID;
@@ -37,7 +38,7 @@ export const getProductName = () => appConfig.productName;
 export const getAppSynopsis = () => appConfig.synopsis;
 export const getAppId = () => appConfig.appId;
 export const getAppBundlePlugins = () => appConfig.bundlePlugins;
-export const getAppEnvironment = () => process.env.INSOMNIA_ENV || 'production';
+export const getAppEnvironment = () => env.INSOMNIA_ENV || 'production';
 export const isDevelopment = () => getAppEnvironment() === 'development';
 export const getSegmentWriteKey = () =>
   appConfig.segmentWriteKeys[isDevelopment() || env.PLAYWRIGHT_TEST ? 'development' : 'production'];
@@ -46,7 +47,7 @@ export const getCioWriteKey = () =>
   appConfig.cio[isDevelopment() || env.PLAYWRIGHT_TEST ? 'development' : 'production'].writeKey;
 export const getCioSiteId = () =>
   appConfig.cio[isDevelopment() || env.PLAYWRIGHT_TEST ? 'development' : 'production'].siteId;
-export const getAppBuildDate = () => new Date(process.env.BUILD_DATE ?? '').toLocaleDateString();
+export const getAppBuildDate = () => new Date(env.BUILD_DATE ?? '').toLocaleDateString();
 
 export const getBrowserUserAgent = () =>
   encodeURIComponent(
@@ -62,7 +63,7 @@ export function updatesSupported() {
   }
 
   // Updates are not supported for Windows portable binaries
-  if (isWindows && process.env['PORTABLE_EXECUTABLE_DIR']) {
+  if (isWindows && env.PORTABLE_EXECUTABLE_DIR) {
     return false;
   }
 
diff --git a/packages/insomnia/src/entry.preload.ts b/packages/insomnia/src/entry.preload.ts
index 182f610bf8..6037731a28 100644
--- a/packages/insomnia/src/entry.preload.ts
+++ b/packages/insomnia/src/entry.preload.ts
@@ -438,6 +438,44 @@ const database: Window['database'] = {
   invoke: (fnName, ...args) => invokeWithNormalizedError('database.invoke', fnName, ...args),
 };
 
+const env: Window['env'] = {
+  // GitLab OAuth — redirect URI, client ID, and API URL allow dev/enterprise overrides
+  INSOMNIA_GITLAB_REDIRECT_URI: process.env.INSOMNIA_GITLAB_REDIRECT_URI,
+  INSOMNIA_GITLAB_CLIENT_ID: process.env.INSOMNIA_GITLAB_CLIENT_ID,
+  INSOMNIA_GITLAB_API_URL: process.env.INSOMNIA_GITLAB_API_URL,
+  // E2E sentinel: switches analytics to dev keys and forces vertical layout in settings
+  PLAYWRIGHT_TEST: process.env.PLAYWRIGHT_TEST,
+  // E2E fixtures: pre-seed auth state so tests bypass login/key-derivation UI
+  INSOMNIA_SKIP_ONBOARDING: process.env.INSOMNIA_SKIP_ONBOARDING,
+  INSOMNIA_SESSION: process.env.INSOMNIA_SESSION,
+  INSOMNIA_SECRET_KEY: process.env.INSOMNIA_SECRET_KEY,
+  INSOMNIA_PUBLIC_KEY: process.env.INSOMNIA_PUBLIC_KEY,
+  // E2E vault fixtures: pre-seed deterministic salt/key/SRP secret
+  INSOMNIA_VAULT_SALT: process.env.INSOMNIA_VAULT_SALT,
+  INSOMNIA_VAULT_KEY: process.env.INSOMNIA_VAULT_KEY,
+  INSOMNIA_VAULT_SRP_SECRET: process.env.INSOMNIA_VAULT_SRP_SECRET,
+  // App environment: gates dev features and selects analytics keys
+  INSOMNIA_ENV: process.env.INSOMNIA_ENV,
+  // Injected at build time; shown in the About screen
+  BUILD_DATE: process.env.BUILD_DATE,
+  // Windows portable binary sentinel: presence disables auto-updates
+  PORTABLE_EXECUTABLE_DIR: process.env.PORTABLE_EXECUTABLE_DIR,
+  // OAuth flow URL overrides for dev/staging environments
+  OAUTH_REDIRECT_URL: process.env.OAUTH_REDIRECT_URL,
+  OAUTH_RELAY_URL: process.env.OAUTH_RELAY_URL,
+  // Service URL overrides: allow dev/CI to target local or staging backends
+  INSOMNIA_API_URL: process.env.INSOMNIA_API_URL,
+  INSOMNIA_MOCK_API_URL: process.env.INSOMNIA_MOCK_API_URL,
+  INSOMNIA_AI_URL: process.env.INSOMNIA_AI_URL,
+  KONNECT_API_URL: process.env.KONNECT_API_URL,
+  INSOMNIA_APP_WEBSITE_URL: process.env.INSOMNIA_APP_WEBSITE_URL,
+  // GitHub API URL overrides for GitHub Enterprise targets
+  INSOMNIA_GITHUB_REST_API_URL: process.env.INSOMNIA_GITHUB_REST_API_URL,
+  INSOMNIA_GITHUB_API_URL: process.env.INSOMNIA_GITHUB_API_URL,
+  // Disables the renderer↔hidden-window plugin bridge when set to 'false'
+  INSOMNIA_ENABLE_PLUGIN_BRIDGE: process.env.INSOMNIA_ENABLE_PLUGIN_BRIDGE,
+};
+
 if (process.contextIsolated) {
   contextBridge.exposeInMainWorld('main', main);
   contextBridge.exposeInMainWorld('dialog', dialog);
@@ -448,6 +486,7 @@ if (process.contextIsolated) {
   contextBridge.exposeInMainWorld('path', path);
   contextBridge.exposeInMainWorld('database', database);
   contextBridge.exposeInMainWorld('_dataServices', servicesProxy);
+  contextBridge.exposeInMainWorld('env', env);
 } else {
   window.main = main;
   window.dialog = dialog;
@@ -458,4 +497,5 @@ if (process.contextIsolated) {
   window.path = path;
   window.database = database;
   window._dataServices = servicesProxy;
+  window.env = env;
 }
diff --git a/packages/insomnia/types/global.d.ts b/packages/insomnia/types/global.d.ts
index 0f819a0877..c99151863a 100644
--- a/packages/insomnia/types/global.d.ts
+++ b/packages/insomnia/types/global.d.ts
@@ -5,8 +5,36 @@ import type { DatabaseBridgeAPI } from '../src/main/ipc/database';
 import type { DiffMatchPatch, DiffOp } from 'diff-match-patch-ts';
 import type { Services } from '~/insomnia-data';
 
+type RendererEnv = {
+  INSOMNIA_GITLAB_REDIRECT_URI: string | undefined;
+  INSOMNIA_GITLAB_CLIENT_ID: string | undefined;
+  INSOMNIA_GITLAB_API_URL: string | undefined;
+  PLAYWRIGHT_TEST: string | undefined;
+  INSOMNIA_SKIP_ONBOARDING: string | undefined;
+  INSOMNIA_SESSION: string | undefined;
+  INSOMNIA_SECRET_KEY: string | undefined;
+  INSOMNIA_PUBLIC_KEY: string | undefined;
+  INSOMNIA_VAULT_SALT: string | undefined;
+  INSOMNIA_VAULT_KEY: string | undefined;
+  INSOMNIA_VAULT_SRP_SECRET: string | undefined;
+  INSOMNIA_ENV: string | undefined;
+  BUILD_DATE: string | undefined;
+  PORTABLE_EXECUTABLE_DIR: string | undefined;
+  OAUTH_REDIRECT_URL: string | undefined;
+  OAUTH_RELAY_URL: string | undefined;
+  INSOMNIA_API_URL: string | undefined;
+  INSOMNIA_MOCK_API_URL: string | undefined;
+  INSOMNIA_AI_URL: string | undefined;
+  KONNECT_API_URL: string | undefined;
+  INSOMNIA_APP_WEBSITE_URL: string | undefined;
+  INSOMNIA_GITHUB_REST_API_URL: string | undefined;
+  INSOMNIA_GITHUB_API_URL: string | undefined;
+  INSOMNIA_ENABLE_PLUGIN_BRIDGE: string | undefined;
+};
+
 declare global {
   interface Window {
+    env: RendererEnv;
     main: RendererToMainBridgeAPI;
     bridge: HiddenBrowserWindowToMainBridgeAPI;
     database: DatabaseBridgeAPI;