soroushdes/HokmPlay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deploy): don't let docker compose build require runtime JWT_KEY
CI/CD / CI - API (dotnet build + engine sim) (push) Successful in 5m58s
Details
CI/CD / CI - Web (tsc + next build) (push) Successful in 1m5s
Details
CI/CD / Deploy - local stack (db + server + web) (push) Has been cancelled
Details

Browse Source 
docker compose build interpolates the whole file, so the ${JWT_KEY:?} guard
failed the build step when ENV_FILE lacked JWT_KEY. Default it empty (${JWT_KEY:-})
so build/db steps succeed, and enforce the secret at runtime instead: the server
throws on boot in Production if Jwt:Key is missing/dev/<32 chars.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
2026-06-07 00:41:26 +03:30
parent ed3e11b64b
commit 0847d2c7cf
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/Hokm.Server/Program.cs
+6 -1
View File
@@ -15,9 +15,14 @@ using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
// --- options ---
const string DevJwtKey = "dev-only-insecure-key-change-me-please-32+bytes!!";
var jwt = builder.Configuration.GetSection("Jwt").Get<JwtOptions>() ?? new JwtOptions();
if (string.IsNullOrWhiteSpace(jwt.Key))
jwt.Key = "dev-only-insecure-key-change-me-please-32+bytes!!";
jwt.Key = DevJwtKey;
// In Production a real secret is mandatory — refuse to boot with the dev key.
if (builder.Environment.IsProduction() && (jwt.Key == DevJwtKey || jwt.Key.Length < 32))
throw new InvalidOperationException(
"Jwt:Key (env JWT_KEY) must be a 32+ char secret in Production. Set it in ENV_FILE: openssl rand -hex 32");
builder.Services.AddSingleton(jwt);
builder.Services.AddSingleton<TokenService>();
builder.Services.AddSingleton<GameManager>();