response to comments

taeold · taeold · commit 8fdad4c25a1d · 2025-10-27T20:43:57.000-07:00
diff --git a/src/commands/functions-config-export.ts b/src/commands/functions-config-export.ts
@@ -1,14 +1,15 @@
 import * as clc from "colorette";
+import * as semver from "semver";
 
 import * as functionsConfig from "../functionsConfig";
 import { Command } from "../command";
 import { FirebaseError } from "../error";
-import { input } from "../prompt";
+import { input, confirm } from "../prompt";
 import { requirePermissions } from "../requirePermissions";
-import { logBullet, logWarning, logSuccess } from "../utils";
+import { logBullet, logSuccess } from "../utils";
 import { requireConfig } from "../requireConfig";
 import { ensureValidKey, ensureSecret } from "../functions/secrets";
-import { addVersion, toSecretVersionResourceName } from "../gcp/secretManager";
+import { addVersion, listSecretVersions, toSecretVersionResourceName } from "../gcp/secretManager";
 import { needProjectId } from "../projectUtils";
 import { requireAuth } from "../requireAuth";
 import { ensureApi } from "../gcp/secretManager";
@@ -29,6 +30,17 @@ const SECRET_MANAGER_PERMISSIONS = [
   "secretmanager.versions.add",
 ];
 
+function maskConfigValues(obj: any): any {
+  if (typeof obj === "object" && obj !== null && !Array.isArray(obj)) {
+    const masked: Record<string, any> = {};
+    for (const [key, value] of Object.entries(obj)) {
+      masked[key] = maskConfigValues(value);
+    }
+    return masked;
+  }
+  return "******";
+}
+
 export const command = new Command("functions:config:export")
   .description("export environment config as a JSON secret to store in Cloud Secret Manager")
   .option("--secret <name>", "name of the secret to create (default: RUNTIME_CONFIG)")
@@ -72,26 +84,48 @@ export const command = new Command("functions:config:export")
     // Display config in interactive mode
     if (!options.nonInteractive) {
       logBullet(clc.bold("Configuration to be exported:"));
-      logWarning("This may contain sensitive data. Do not share this output.");
-      console.log("");
-      console.log(JSON.stringify(configJson, null, 2));
+      console.log(JSON.stringify(maskConfigValues(configJson), null, 2));
       console.log("");
     }
 
-    const defaultSecretName = "RUNTIME_CONFIG";
+    const defaultSecretName = "FUNCTIONS_CONFIG_EXPORT";
     let secretName = options.secret as string;
     if (!secretName) {
-      secretName = await input({
-        message: "What would you like to name the new secret for your configuration?",
-        default: defaultSecretName,
-        nonInteractive: options.nonInteractive,
-        force: options.force,
-      });
+      if (options.force) {
+        secretName = defaultSecretName;
+      } else {
+        secretName = await input({
+          message: "What would you like to name the new secret for your configuration?",
+          default: defaultSecretName,
+          nonInteractive: options.nonInteractive,
+        });
+      }
     }
 
     const key = await ensureValidKey(secretName, options);
     await ensureSecret(projectId, key, options);
 
+    const versions = await listSecretVersions(projectId, key);
+    const enabledVersions = versions.filter((v) => v.state === "ENABLED");
+    enabledVersions.sort((a, b) => (b.createTime || "").localeCompare(a.createTime || ""));
+    const latest = enabledVersions[0];
+
+    if (latest) {
+      logBullet(
+        `Secret ${clc.bold(key)} already exists (latest version: ${clc.bold(latest.versionId)}, created: ${latest.createTime}).`,
+      );
+      const proceed = await confirm({
+        message: "Do you want to add a new version to this secret?",
+        default: false,
+        nonInteractive: options.nonInteractive,
+        force: options.force,
+      });
+      if (!proceed) {
+        return;
+      }
+      console.log("");
+    }
+
     const secretValue = JSON.stringify(configJson, null, 2);
 
     // Check size limit (64KB)
@@ -111,32 +145,52 @@ export const command = new Command("functions:config:export")
     console.log("");
     logBullet(clc.bold("To complete the migration, update your code:"));
     console.log("");
-    console.log(clc.gray("  // Before:"));
-    console.log(clc.gray(`  const functions = require('firebase-functions');`));
-    console.log(clc.gray(`  `));
-    console.log(clc.gray(`  exports.myFunction = functions.https.onRequest((req, res) => {`));
-    console.log(clc.gray(`    const apiKey = functions.config().service.key;`));
-    console.log(clc.gray(`    // ...`));
-    console.log(clc.gray(`  });`));
-    console.log("");
-    console.log(clc.gray("  // After:"));
-    console.log(clc.gray(`  const functions = require('firebase-functions');`));
-    console.log(clc.gray(`  const { defineJsonSecret } = require('firebase-functions/params');`));
-    console.log(clc.gray(`  `));
-    console.log(clc.gray(`  const config = defineJsonSecret("${key}");`));
-    console.log(clc.gray(`  `));
-    console.log(clc.gray(`  exports.myFunction = functions`));
-    console.log(clc.gray(`    .runWith({ secrets: [config] })  // Bind secret here`));
-    console.log(clc.gray(`    .https.onRequest((req, res) => {`));
-    console.log(clc.gray(`      const apiKey = config.value().service.key;`));
-    console.log(clc.gray(`      // ...`));
-    console.log(clc.gray(`    });`));
-    console.log("");
-    logBullet(
-      clc.bold("Note: ") +
-        "defineJsonSecret requires firebase-functions v6.6.0 or later. " +
-        "Update your package.json if needed.",
+    console.log(
+      clc.gray(`  // Before:
+  const functions = require('firebase-functions');
+
+  exports.myFunction = functions.https.onRequest((req, res) => {
+    const apiKey = functions.config().service.key;
+    // ...
+  });
+
+  // After:
+  const functions = require('firebase-functions');
+  const { defineJsonSecret } = require('firebase-functions/params');
+
+  const config = defineJsonSecret("${key}");
+
+  exports.myFunction = functions
+    .runWith({ secrets: [config] })  // Bind secret here
+    .https.onRequest((req, res) => {
+      const apiKey = config.value().service.key;
+      // ...
+    });`),
     );
+    console.log("");
+
+    // Try to detect the firebase-functions version to see if we need to warn about defineJsonSecret
+    let sdkVersion: string | undefined;
+    try {
+      const functionsConfig = options.config.get("functions");
+      const source = Array.isArray(functionsConfig)
+        ? functionsConfig[0]?.source
+        : functionsConfig?.source;
+      if (source) {
+        const sourceDir = options.config.path(source);
+        sdkVersion = getFunctionsSDKVersion(sourceDir);
+      }
+    } catch (e) {
+      // ignore error, just show the warning if we can't detect the version
+    }
+
+    if (!sdkVersion || semver.lt(sdkVersion, "6.6.0")) {
+      logBullet(
+        clc.bold("Note: ") +
+          "defineJsonSecret requires firebase-functions v6.6.0 or later. " +
+          "Update your package.json if needed.",
+      );
+    }
     logBullet("Then deploy your functions:\n  " + clc.bold("firebase deploy --only functions"));
 
     return secretName;
