From 328cd62766a5e9008425f0a75cb35ee4343b29c1 Mon Sep 17 00:00:00 2001 From: Leon Serfaty <80597822+silkoserfo@users.noreply.github.com> Date: Sat, 20 Jun 2026 21:19:56 -0400 Subject: [PATCH] fix(docker): use a >=32-char build-time BETTER_AUTH_SECRET placeholder The security-hardening pass tightened lib/auth/auth.ts to reject secrets shorter than 32 chars (or known placeholders) in production. next build evaluates that guard while collecting page data for /api/auth/[...all], so the old 21-char "build-time-placeholder" now fails the build. Lengthen the throwaway build-only value to satisfy the guard; the real secret is still injected at run time and never baked into the image. Co-Authored-By: Claude Opus 4.8 (1M context) --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0ad5d0e..3a4035e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,8 +27,9 @@ ENV NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY # A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV # layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`. -# Dokploy injects the real secret at run time; it's never baked into the bundle. -RUN BETTER_AUTH_SECRET=build-time-placeholder npm run build +# Must be >= 32 chars (and not a known placeholder) to pass that guard; the real +# secret is injected at run time and is never baked into the bundle. +RUN BETTER_AUTH_SECRET=build-time-placeholder-not-a-real-secret npm run build # ---- runtime ---- FROM base AS runner
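Review bot: In the changed `RUN BETTER_AUTH_SECRET=build-time-placeholder-not-a-real-secret npm run build` line, the new value is a fixed, publicly committed string that by design passes the production guard (>= 32 chars and not a known placeholder), so the guard in lib/auth/auth.ts would also accept it if it were ever set as the run-time secret. Consider generating a random throwaway value inside the RUN command instead, for example `RUN BETTER_AUTH_SECRET=$(node -e "console.log(require('crypto').randomBytes(32).toString('hex'))") npm run build`, or keep the literal but add it to the guard's known-placeholder list and relax the check only while building. A smaller point: the commit message describes the old value as 21 characters, while `build-time-placeholder` as shown in the removed line is 22.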