grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
proof-of-work/start9/0.4/Dockerfile
T
Keysat 3f22ef7600
CI / proof-of-work (Next.js app) (push) Has been cancelled
Details
CI / start9/0.4 (StartOS package code) (push) Has been cancelled
Details
v1.1.0:9 — P2 hardening: input-validation 400s, auth rate-limit, XFF anti-spoof, non-root container 
P2 batch from the 2026-06-13 full-eval (EVALUATION.md / ROADMAP.md), reviewed by the reviewer agent. App-code + packaging only; no schema or data change, existing /data untouched.

Input validation: malformed JSON bodies, invalid date, and out-of-range or non-numeric pagination on /api/workouts now return 400 instead of 500. New lib/http.ts readJsonBody maps a bad body to a ZodError across the 11 CRUD routes whose catch maps ZodError to 400; me/import and admin/signups guard request.json() in an explicit try/catch.

Rate limiting: POST /api/auth now shares the UI login server action's per-IP 10-per-15min cap and returns 429 + Retry-After. clientIpFromHeaders reads the rightmost (trusted-proxy-appended) X-Forwarded-For entry instead of the spoofable leftmost.

Container: drops root. The entrypoint prepares /data as root, chowns it to nextjs, then exec su-exec nextjs:nodejs node server.js (su-exec added to the runner image). The container drop needs live sideload verification.
2026-06-13 00:03:47 -05:00

104 lines
4.5 KiB
Docker
Raw Permalink Blame History

# syntax=docker/dockerfile:1.6
#
# Proof of Work (proof-of-work) — StartOS 0.4 package image.
#
# Build context: repo root (see manifest.images.main.source.dockerBuild.workdir
# which is set to '../..' so all COPY paths below are repo-root-relative).
#
# This Dockerfile is self-contained: it references only files under
# `proof-of-work/` (the upstream app) and `start9/0.4/` (this wrapper).
#
# Data preservation (v1.0.0:3 — post-cutover):
# - The image NO LONGER bakes a /data seed. The one-time cutover from
# the legacy `workout-log` package happened in v1.0.0:1, was verified
# in v1.0.0:2, and /data on the live host is now the sole source of
# truth. Removing the baked seed from the image eliminates any
# possibility of a future bug accidentally overwriting live data.
# - docker_entrypoint.sh's seed-copy branch is stripped to match.
# - The empty-schema fallback DB at /app/prisma/data/app.db is kept —
# it's still useful for brand-new sideloads on a host that has never
# had proof-of-work installed before. The build-time `npm run db:seed`
# populates it with the curated exercise library + admin@local user.
# - The seed snapshot itself stays on disk under start9/0.4/seed/data/
# as a historical artifact; it's just not COPYed into the image. If
# you ever need to re-seed (e.g. spinning up a new instance with
# pre-loaded history), reintroduce the COPY line and rebuild.
FROM node:20-alpine AS builder
WORKDIR /app
# openssl: Prisma engine runtime
# python3 + make + g++: native node-gyp builds (bcrypt). Even when the
# `bcrypt` npm package ships musl prebuilts, a postinstall fallback
# compile is the safety net — no compile, no boot.
RUN apk add --no-cache openssl python3 make g++
COPY proof-of-work/package.json proof-of-work/package-lock.json ./
RUN npm ci
COPY proof-of-work/ ./
RUN npx prisma generate
# Build a fallback empty-but-schema-correct DB. Used by docker_entrypoint.sh
# only when /data has no app.db AND no baked seed is available (i.e. after
# v1.0.0:2 strips the seed). Seeded with the curated exercise library via
# `npm run db:seed`, so a brand-new install still gets the full library.
RUN mkdir -p /tmp-seed \
&& DATABASE_URL=file:/tmp-seed/app.db npx prisma db push --skip-generate \
&& DATABASE_URL=file:/tmp-seed/app.db npm run db:seed
RUN npm run build
FROM node:20-alpine AS runner
WORKDIR /app
# su-exec: drop from root to the unprivileged `nextjs` user at the end of
# the entrypoint, after the root-only /data preparation is done.
RUN apk add --no-cache dumb-init curl openssl sqlite su-exec \
&& addgroup -S nodejs -g 1001 \
&& adduser -S nextjs -u 1001 -G nodejs
ENV NODE_ENV=production \
HOSTNAME=0.0.0.0 \
PORT=3000 \
WORKOUT_DATA_DIR=/data \
WORKOUT_DB_PATH=/data/app.db \
WORKOUT_FALLBACK_SEED_DB_PATH=/app/prisma/data/app.db \
WORKOUT_LIBRARY_JSON_PATH=/app/prisma/exercises.seed.json
# Next.js standalone runtime bundle
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/prisma ./prisma
# Native bcrypt binding. Next.js standalone tracing usually picks up
# the .node file but we copy explicitly as a belt-and-braces guard —
# bundling failures here surface as auth being silently broken at boot.
COPY --from=builder --chown=nextjs:nodejs /app/node_modules/bcrypt ./node_modules/bcrypt
# Empty-schema fallback DB. Used only on brand-new sideloads where /data
# is empty and no admin user exists yet. Build-time `npm run db:seed`
# populated it with the curated exercise library + admin@local. Existing
# installs always have /data/app.db so this branch never fires.
COPY --from=builder --chown=nextjs:nodejs /tmp-seed/app.db /app/prisma/data/app.db
# (v1.0.0:3 removed the COPY of start9/0.4/seed/data into /app/seed/data.
# The baked cutover seed served its one-time purpose during v1.0.0:1's
# cutover and is no longer needed; eliminating it removes any chance of
# a future bug overwriting live /data.)
# Container entrypoint and diagnostic healthcheck
COPY start9/0.4/docker_entrypoint.sh /usr/local/bin/docker_entrypoint.sh
COPY start9/0.4/healthcheck.sh /usr/local/bin/healthcheck.sh
RUN chmod +x /usr/local/bin/docker_entrypoint.sh /usr/local/bin/healthcheck.sh \
&& mkdir -p /data \
&& chown -R nextjs:nodejs /app /data
EXPOSE 3000
ENTRYPOINT ["dumb-init", "--", "/usr/local/bin/docker_entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink