Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50)

Browse Source 
- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
  and the app container's DATABASE_URL. No default — compose refuses to start
  without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
  an inline env prefix on the `pnpm build` RUN step. Placeholders are still
  available to `next build` but no longer persist in the builder layer or in
  the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
  set so a misconfigured prod deploy using the baked-in ARG defaults fails
  startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
  (must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
  dummy value in the E2E job where compose validates all services' interp.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-17 14:50:05 +02:00
parent e2dddd30df
commit 805bb0464f
8 changed files with 65 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/server/runtime-env.test.ts
+15 -1
View File
@@ -32,7 +32,21 @@ describe("runtime env validation", () => {
NEXTAUTH_SECRET: "dev-secret-change-in-production",
NEXTAUTH_URL: "https://capakraken.example.com",
}),
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
).toContain(
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
);
});
it("rejects the CI build-time placeholder that leaks from Dockerfile ARG default", () => {
expect(
getRuntimeEnvViolations({
NODE_ENV: "production",
NEXTAUTH_SECRET: "ci-build-placeholder-secret-minimum-32-chars",
NEXTAUTH_URL: "https://capakraken.example.com",
}),
).toContain(
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
);
});
it("rejects non-https auth urls in production", () => {
apps/web/src/server/runtime-env.ts
+2
View File
@@ -6,6 +6,8 @@ const DISALLOWED_PRODUCTION_SECRETS = new Set([
"change-me",
"default",
"secret",
"ci-build-placeholder-secret-minimum-32-chars",
"ci-test-secret-minimum-32-chars-xx",
]);
type RuntimeEnv = Partial<Record<string, string | undefined>>;