security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50)
- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
and the app container's DATABASE_URL. No default — compose refuses to start
without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
an inline env prefix on the `pnpm build` RUN step. Placeholders are still
available to `next build` but no longer persist in the builder layer or in
the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
set so a misconfigured prod deploy using the baked-in ARG defaults fails
startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
(must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
dummy value in the E2E job where compose validates all services' interp.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
+11
-7
@@ -47,19 +47,23 @@ ENV NODE_ENV=production
|
||||
# next build collects page data for /api/auth/[...nextauth] which crashes
|
||||
# without these envs even though they are placeholders at image-build time
|
||||
# (real values are injected at container start). Mirrors the CI build job.
|
||||
#
|
||||
# IMPORTANT: pass these only as inline env on the RUN step, not via `ENV`.
|
||||
# `ENV` persists the placeholder into the image layer — scanned as a leaked
|
||||
# secret and inherited by the `migrator` stage (which is published).
|
||||
ARG NEXTAUTH_URL=http://localhost:3100
|
||||
ARG AUTH_URL=http://localhost:3100
|
||||
ARG NEXTAUTH_SECRET=ci-build-placeholder-secret-minimum-32-chars
|
||||
ARG AUTH_SECRET=ci-build-placeholder-secret-minimum-32-chars
|
||||
ARG DATABASE_URL=postgresql://placeholder:placeholder@localhost:5432/placeholder
|
||||
ARG REDIS_URL=redis://placeholder:6379
|
||||
ENV NEXTAUTH_URL=$NEXTAUTH_URL
|
||||
ENV AUTH_URL=$AUTH_URL
|
||||
ENV NEXTAUTH_SECRET=$NEXTAUTH_SECRET
|
||||
ENV AUTH_SECRET=$AUTH_SECRET
|
||||
ENV DATABASE_URL=$DATABASE_URL
|
||||
ENV REDIS_URL=$REDIS_URL
|
||||
RUN pnpm --filter @capakraken/web build
|
||||
RUN NEXTAUTH_URL="$NEXTAUTH_URL" \
|
||||
AUTH_URL="$AUTH_URL" \
|
||||
NEXTAUTH_SECRET="$NEXTAUTH_SECRET" \
|
||||
AUTH_SECRET="$AUTH_SECRET" \
|
||||
DATABASE_URL="$DATABASE_URL" \
|
||||
REDIS_URL="$REDIS_URL" \
|
||||
pnpm --filter @capakraken/web build
|
||||
|
||||
# ============================================================
|
||||
# Stage 3: Migration runner
|
||||
|
||||
Reference in New Issue
Block a user