From 2a75a63ad3d96b7b2a21d6add4a544f8dafdad6a Mon Sep 17 00:00:00 2001
From: Rohan Mitchell
Date: Fri, 16 Aug 2024 10:48:26 +1000
Subject: [PATCH] Do not provide manual creds when using workload identity
---
 server/routes/readingHistory.js | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/server/routes/readingHistory.js b/server/routes/readingHistory.js
index 0f0e05df..5a9cad78 100644
--- a/server/routes/readingHistory.js
+++ b/server/routes/readingHistory.js
@@ -112,12 +112,20 @@ async function getDatastoreClient() {
 // because auth credentials may be passed in multiple ways, recycle pathway used by main auth logic
 const {email, key} = await getAuth()
- return new Datastore({
- projectId,
- credentials: {
+ // When using workload identity, email and key will be missing. Passing
+ // blank credentials will block authentication, so leave these out so we can
+ // default to using the workload identity.
+ let credentials = {}
+ if (email && key) {
+ credentials = {
 client_email: email,
 private_key: key
 }
+ }
+
+ return new Datastore({
+ projectId,
+ ...credentials
 })
 }
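Review bot: The spread `...credentials` puts `client_email` and `private_key` at the top level of the options object, whereas the removed code nested them under a `credentials` key, so when `getAuth()` does return an email and key they are probably no longer read as credentials. If `Datastore` is the `@google-cloud/datastore` client (its import is outside the hunk), that case would silently fall back to whatever ambient identity is available instead of the configured service account, or fail to authenticate. Keeping the nesting fixes it, e.g. `const authOptions = email && key ? { credentials: { client_email: email, private_key: key } } : {}` followed by `...authOptions` in the constructor call. A partial configuration (only one of email or key set) also falls through to workload identity without any signal, so a warning log on that branch would make a misconfigured deployment visible. `getDatastoreClient` begins above the hunk, so where `projectId` comes from cannot be checked here.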