admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf054959bd39ef9d0b67cc00ea0044dcc8bb5aad
honeyDueAPI/Dockerfile
T
Trey t c77ff07ce9
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details
fix(security): remediate 2026-05-12 audit findings (Stages 2–5) 
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:28:33 -05:00

176 lines
5.0 KiB
Docker
Raw Blame History

# Admin panel build stage
FROM node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293 AS admin-builder
WORKDIR /app
# NEXT_PUBLIC_* vars are baked into the client bundle at build time.
# Pass via `--build-arg NEXT_PUBLIC_API_URL=https://api.myhoneydue.com`.
ARG NEXT_PUBLIC_API_URL
ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
# Copy admin panel files
COPY admin/package*.json ./
# Install dependencies
RUN npm ci
# Copy source
COPY admin/ .
# Strip any committed .env.local that would override the build-time URL
# with a dev value (e.g. http://localhost:8000).
RUN rm -f .env.local .env.development.local
# Build (standalone mode)
RUN npm run build
# Go build stage
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
ARG TARGETARCH
# Install build dependencies
RUN apk add --no-cache git ca-certificates tzdata
# Set working directory
WORKDIR /app
# Copy go mod files
COPY go.mod go.sum ./
# Download dependencies
RUN go mod download
# Copy source code
COPY . .
# Build the API binary
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags="-w -s" -o /app/api ./cmd/api
# Build the worker binary
RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags="-w -s" -o /app/worker ./cmd/worker
# Install goose CLI for production migrations. Pinned to a specific version
# so an upstream behavioural change can't break a deploy unannounced.
# Bumping is a deliberate, reviewable diff. We `go build` rather than
# `go install` so the output path is predictable across host platforms —
# `go install` with cross-compile env vars drops the binary in
# /go/bin/<goos>_<goarch>/, which is awkward to COPY from.
RUN cd /tmp && \
git clone --depth=1 --branch=v3.22.1 https://github.com/pressly/goose.git goose-src && \
cd goose-src && \
CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
go build -ldflags="-w -s" -o /app/goose ./cmd/goose && \
cd / && rm -rf /tmp/goose-src
# Base runtime stage for Go services
FROM alpine:3.19 AS go-base
# Install runtime dependencies
RUN apk add --no-cache ca-certificates tzdata curl
# Create non-root user
RUN addgroup -g 1000 app && adduser -u 1000 -G app -s /bin/sh -D app
# Set working directory
WORKDIR /app
# Copy all binaries from builder
COPY --from=builder /app/api /app/api
COPY --from=builder /app/worker /app/worker
# goose is the migration runner — same image is reused as the migrate Job
# entrypoint via `command: ["/usr/local/bin/goose", ...]`.
COPY --from=builder /app/goose /usr/local/bin/goose
# Copy templates directory
COPY --from=builder /app/templates /app/templates
# Copy static landing page files
COPY --from=builder /app/static /app/static
# Copy migrations and seeds for production use
COPY --from=builder /app/migrations /app/migrations
COPY --from=builder /app/seeds /app/seeds
# Create uploads directory
RUN mkdir -p /app/uploads && chown -R app:app /app
# Switch to non-root user
USER app
# API stage
FROM go-base AS api
EXPOSE 8000
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
CMD curl -f http://localhost:${PORT:-8000}/api/health/ || exit 1
CMD ["/app/api"]
# Worker stage
FROM go-base AS worker
CMD ["/app/worker"]
# Admin panel runtime stage
FROM node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293 AS admin
WORKDIR /app
# Create non-root user
RUN addgroup -g 1001 nodejs && adduser -u 1001 -G nodejs -s /bin/sh -D nextjs
# Copy standalone build
COPY --from=admin-builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=admin-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=admin-builder --chown=nextjs:nodejs /app/public ./public
USER nextjs
EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
CMD ["node", "server.js"]
# Default production stage (for Dokku - runs API + Admin)
FROM node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293 AS production
# Install runtime dependencies
RUN apk add --no-cache ca-certificates tzdata curl
WORKDIR /app
# Copy Go binaries
COPY --from=builder /app/api /app/api
COPY --from=builder /app/worker /app/worker
# Copy templates directory
COPY --from=builder /app/templates /app/templates
# Copy static landing page files
COPY --from=builder /app/static /app/static
# Copy migrations and seeds
COPY --from=builder /app/migrations /app/migrations
COPY --from=builder /app/seeds /app/seeds
# Copy push notification certificates
COPY --from=builder /app/push_certs /app/push_certs
# Copy admin panel standalone build (Next.js recommended layout)
COPY --from=admin-builder /app/.next/standalone/ /app/
COPY --from=admin-builder /app/public /app/public
COPY --from=admin-builder /app/.next/static /app/.next/static
# Copy start script
COPY start.sh /app/start.sh
RUN chmod +x /app/start.sh
# Create uploads directory
RUN mkdir -p /app/uploads
EXPOSE 5000
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
CMD pgrep -f /app/worker > /dev/null && exit 0 || curl -f http://localhost:${PORT:-5000}/api/health/ || exit 1
CMD ["/app/start.sh"]
Reference in New Issue View Git Blame Copy Permalink