fix(docker): use a >=32-char build-time BETTER_AUTH_SECRET placeholder
The security-hardening pass tightened lib/auth/auth.ts to reject secrets shorter than 32 chars (or known placeholders) in production. next build evaluates that guard while collecting page data for /api/auth/[...all], so the old 21-char "build-time-placeholder" now fails the build. Lengthen the throwaway build-only value to satisfy the guard; the real secret is still injected at run time and never baked into the image. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Leon Serfaty
+3
-2
@@ -27,8 +27,9 @@ ENV NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL
|
|||||||
ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
|
ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
|
||||||
# A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV
|
# A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV
|
||||||
# layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`.
|
# layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`.
|
||||||
# Dokploy injects the real secret at run time; it's never baked into the bundle.
|
# Must be >= 32 chars (and not a known placeholder) to pass that guard; the real
|
||||||
RUN BETTER_AUTH_SECRET=build-time-placeholder npm run build
|
# secret is injected at run time and is never baked into the bundle.
|
||||||
|
RUN BETTER_AUTH_SECRET=build-time-placeholder-not-a-real-secret npm run build
|
||||||
|
|
||||||
# ---- runtime ----
|
# ---- runtime ----
|
||||||
FROM base AS runner
|
FROM base AS runner
|
||||||
|
|||||||
Reference in New Issue
Block a user