veza/veza-backend-api/Dockerfile.production

# Production Dockerfile for Backend API
# Optimized for smaller size and security

# Build stage
FROM golang:1.23-alpine AS builder

WORKDIR /app

# Install build dependencies
RUN apk add --no-cache git ca-certificates tzdata

# Copy go mod files first for better caching
COPY go.mod go.sum ./

# Download dependencies (this layer will be cached if go.mod/go.sum don't change)
RUN go mod download

# Copy source code
COPY . .

# Build the application with optimizations
# - CGO_ENABLED=0: static binary, no C dependencies
# - -ldflags="-w -s": strip debug info and symbol table
# - -trimpath: remove file system paths from binaries
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
    -a -installsuffix cgo \
    -ldflags="-w -s -extldflags '-static'" \
    -trimpath \
    -o veza-api \
    ./cmd/api/main.go

# Runtime stage - minimal alpine
FROM alpine:latest

# Install only runtime dependencies
RUN apk --no-cache add ca-certificates tzdata && \
    # Add wget for health checks
    apk --no-cache add wget && \
    # Clean up apk cache
    rm -rf /var/cache/apk/*

# Create non-root user for security
RUN addgroup -g 1001 -S app && \
    adduser -S app -u 1001 -G app -h /app -s /bin/sh

# Create app directory
WORKDIR /app

# Copy binary from builder
COPY --from=builder --chown=app:app /app/veza-api /app/veza-api

# Copy migrations if they exist (optional)
# Use RUN with conditional check to handle missing migrations directory gracefully
RUN --mount=from=builder,source=/app,target=/tmp/builder \
    if [ -d /tmp/builder/migrations ] && [ "$(ls -A /tmp/builder/migrations 2>/dev/null)" ]; then \
        cp -r /tmp/builder/migrations /app/migrations && \
        chown -R app:app /app/migrations; \
    fi

# Switch to non-root user
USER app

# Expose port
EXPOSE 8080

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8080/api/v1/health || exit 1

# Run the application
ENTRYPOINT ["./veza-api"]
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00			`# Production Dockerfile for Backend API`
			`# Optimized for smaller size and security`

			`# Build stage`
			`FROM golang:1.23-alpine AS builder`

			`WORKDIR /app`

			`# Install build dependencies`
			`RUN apk add --no-cache git ca-certificates tzdata`

			`# Copy go mod files first for better caching`
			`COPY go.mod go.sum ./`

			`# Download dependencies (this layer will be cached if go.mod/go.sum don't change)`
			`RUN go mod download`

			`# Copy source code`
			`COPY . .`

			`# Build the application with optimizations`
			`# - CGO_ENABLED=0: static binary, no C dependencies`
			`# - -ldflags="-w -s": strip debug info and symbol table`
			`# - -trimpath: remove file system paths from binaries`
			`RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \`
			`-a -installsuffix cgo \`
			`-ldflags="-w -s -extldflags '-static'" \`
			`-trimpath \`
			`-o veza-api \`
refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`./cmd/api/main.go`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Runtime stage - minimal alpine`
			`FROM alpine:latest`

			`# Install only runtime dependencies`
			`RUN apk --no-cache add ca-certificates tzdata && \`
			`# Add wget for health checks`
			`apk --no-cache add wget && \`
			`# Clean up apk cache`
			`rm -rf /var/cache/apk/*`

			`# Create non-root user for security`
			`RUN addgroup -g 1001 -S app && \`
			`adduser -S app -u 1001 -G app -h /app -s /bin/sh`

			`# Create app directory`
			`WORKDIR /app`

			`# Copy binary from builder`
			`COPY --from=builder --chown=app:app /app/veza-api /app/veza-api`

refonte: backend-api go first; phase 1 2025-12-13 02:34:34 +00:00			`# Copy migrations if they exist (optional)`
			`# Use RUN with conditional check to handle missing migrations directory gracefully`
			`RUN --mount=from=builder,source=/app,target=/tmp/builder \`
			`if [ -d /tmp/builder/migrations ] && [ "$(ls -A /tmp/builder/migrations 2>/dev/null)" ]; then \`
			`cp -r /tmp/builder/migrations /app/migrations && \`
			`chown -R app:app /app/migrations; \`
			`fi`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Switch to non-root user`
			`USER app`

			`# Expose port`
			`EXPOSE 8080`

			`# Health check`
			`HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \`
fix(security): add SSRF protection, real track access validation, and pagination bounds - Add IsURLSafe() function to webhook service blocking private IPs, localhost, and cloud metadata endpoints (SSRF protection) - Implement real validate_track_access() in stream server querying DB for track visibility, ownership, and purchase status - Remove dangerous JWT fallback user in chat server that allowed deleted users to maintain access with forged credentials - Add upper limit (100) on pagination in profile, track, and room handlers - Fix Dockerfile.production healthcheck path to /api/v1/health Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 21:44:03 +00:00			`CMD wget --no-verbose --tries=1 --spider http://localhost:8080/api/v1/health \|\| exit 1`
adding initial backend API (Go) 2025-12-03 19:29:37 +00:00
			`# Run the application`
			`ENTRYPOINT ["./veza-api"]`