soroushdes/HokmPlay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deploy): don't let docker compose build require runtime JWT_KEY
CI/CD / CI - API (dotnet build + engine sim) (push) Successful in 5m58s
Details
CI/CD / CI - Web (tsc + next build) (push) Successful in 1m5s
Details
CI/CD / Deploy - local stack (db + server + web) (push) Has been cancelled
Details

Browse Source 
docker compose build interpolates the whole file, so the ${JWT_KEY:?} guard
failed the build step when ENV_FILE lacked JWT_KEY. Default it empty (${JWT_KEY:-})
so build/db steps succeed, and enforce the secret at runtime instead: the server
throws on boot in Production if Jwt:Key is missing/dev/<32 chars.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
2026-06-07 00:41:26 +03:30
parent ed3e11b64b
commit 0847d2c7cf
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docker-compose.yml
+4 -1
View File
@@ -44,7 +44,10 @@ services:
ASPNETCORE_URLS: http://0.0.0.0:5005 ASPNETCORE_URLS: http://0.0.0.0:5005
Database__Provider: postgres Database__Provider: postgres
ConnectionStrings__Default: "Host=db;Port=5432;Database=hokm;Username=hokm;Password=${POSTGRES_PASSWORD:-hokm_dev_pass}" ConnectionStrings__Default: "Host=db;Port=5432;Database=hokm;Username=hokm;Password=${POSTGRES_PASSWORD:-hokm_dev_pass}"
Jwt__Key: ${JWT_KEY:?set JWT_KEY in .env} # Default empty so `docker compose build` (which interpolates the whole file)
# never blocks on a runtime-only secret. The server REFUSES to boot in
# Production with a missing/dev key (see Program.cs guard).
Jwt__Key: ${JWT_KEY:-}
Jwt__Issuer: ${JWT_ISSUER:-hokm} Jwt__Issuer: ${JWT_ISSUER:-hokm}
Jwt__Audience: ${JWT_AUDIENCE:-hokm-clients} Jwt__Audience: ${JWT_AUDIENCE:-hokm-clients}
# Comma-separated origins the browser uses to reach the web app. # Comma-separated origins the browser uses to reach the web app.
server/src/Hokm.Server/Program.cs
+6 -1
View File
@@ -15,9 +15,14 @@ using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
// --- options --- // --- options ---
const string DevJwtKey = "dev-only-insecure-key-change-me-please-32+bytes!!";
var jwt = builder.Configuration.GetSection("Jwt").Get<JwtOptions>() ?? new JwtOptions(); var jwt = builder.Configuration.GetSection("Jwt").Get<JwtOptions>() ?? new JwtOptions();
if (string.IsNullOrWhiteSpace(jwt.Key)) if (string.IsNullOrWhiteSpace(jwt.Key))
jwt.Key = "dev-only-insecure-key-change-me-please-32+bytes!!"; jwt.Key = DevJwtKey;
// In Production a real secret is mandatory — refuse to boot with the dev key.
if (builder.Environment.IsProduction() && (jwt.Key == DevJwtKey || jwt.Key.Length < 32))
throw new InvalidOperationException(
"Jwt:Key (env JWT_KEY) must be a 32+ char secret in Production. Set it in ENV_FILE: openssl rand -hex 32");
builder.Services.AddSingleton(jwt); builder.Services.AddSingleton(jwt);
builder.Services.AddSingleton<TokenService>(); builder.Services.AddSingleton<TokenService>();
builder.Services.AddSingleton<GameManager>(); builder.Services.AddSingleton<GameManager>();