From b13545d562226af040fc3a92d0d60b3263a796e7 Mon Sep 17 00:00:00 2001 From: Howard Gao Date: Mon, 11 Nov 2024 21:42:32 +0800 Subject: [PATCH] [#30] Do not use the default secret when deploying the api-server Added a script to generate random secret Updated Dockerfile to generate a random secret into .env Removed unused commands in Dockerfile Updated README Change stage name from BUILD_IMAGE to build-image in Dockerfile ref: https://docs.docker.com/reference/build-checks/stage-name-casing/ --- Dockerfile | 14 +++++--------- README.md | 11 +++++++++++ jwt-key-gen.sh | 5 +++++ 3 files changed, 21 insertions(+), 9 deletions(-) create mode 100755 jwt-key-gen.sh
diff --git a/Dockerfile b/Dockerfile
index eb5a71a..0d52e00 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi8/nodejs-20:latest AS BUILD_IMAGE
+FROM registry.access.redhat.com/ubi8/nodejs-20:latest AS build-image
 ### BEGIN REMOTE SOURCE
 # Use the COPY instruction only inside the REMOTE SOURCE block
@@ -25,23 +25,19 @@ RUN yarn install --network-timeout 1000000
 ## Build application
 RUN yarn build
+RUN NEWKEY=`/usr/src/app/jwt-key-gen.sh` && sed -i "s/^SECRET_ACCESS_TOKEN=.*/SECRET_ACCESS_TOKEN=$NEWKEY/" /usr/src/app/.env
 ## Gather productization dependencies
 RUN yarn install --network-timeout 1000000 --modules-folder node_modules_prod --production
 FROM registry.access.redhat.com/ubi8/nodejs-20-minimal:latest
-COPY --from=BUILD_IMAGE /usr/src/app/dist /usr/share/amq-spp/dist
-COPY --from=BUILD_IMAGE /usr/src/app/.env /usr/share/amq-spp/.env
-COPY --from=BUILD_IMAGE /usr/src/app/node_modules_prod /usr/share/amq-spp/node_modules
+COPY --from=build-image /usr/src/app/dist /usr/share/amq-spp/dist
+COPY --from=build-image /usr/src/app/.env /usr/share/amq-spp/.env
+COPY --from=build-image /usr/src/app/node_modules_prod /usr/share/amq-spp/node_modules
 WORKDIR /usr/share/amq-spp
-USER root
-
-RUN echo "node /usr/share/amq-spp/dist/app.js" > run.sh
-RUN chmod +x run.sh
-
 USER 1001
 ENV NODE_ENV=production
diff --git a/README.md b/README.md
index 59a06a6..57414ce 100644
--- a/README.md
+++ b/README.md
@@ -59,3 +59,14 @@ To undeploy, run
 ```sh
 ./undeploy.sh
 ```
+
+### Notes about the JWT secret
+
+The api server uses SECRET_ACCESS_TOKEN env var to get the secret for generating
+jwt tokens. It has a default value in .env for dev purposes.
+
+In production you should override it with your own secret.
+
+The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
+It makes sure when you build the api server image a new random key is used.
+
diff --git a/jwt-key-gen.sh b/jwt-key-gen.sh
new file mode 100755
index 0000000..b8b93e0
--- /dev/null
+++ b/jwt-key-gen.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+# generate a new jwt secret
+node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+
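Review bot: The generated SECRET_ACCESS_TOKEN still ends up inside the shipped image: the new `RUN NEWKEY=... sed -i ... /usr/src/app/.env` writes it into `.env` in the build stage, and the `+COPY --from=build-image /usr/src/app/.env /usr/share/amq-spp/.env` line carries that file into the final image, so anyone who can pull the image can read the secret, every container started from one build shares it, and rotating it requires a rebuild. This is better than the checked-in default the commit title describes, but the README added in this same patch says the server reads SECRET_ACCESS_TOKEN from the environment, so the stronger fix is to leave `.env` without a real value and inject the secret at deploy time (for example from a Kubernetes Secret into the container environment), or, if a built-in fallback is wanted, generate one at container start when the variable is unset. Two smaller points on the same RUN line: `sed -i` exits 0 even when no `SECRET_ACCESS_TOKEN=` line exists in `.env`, so the substitution can silently do nothing — appending `&& grep -q "^SECRET_ACCESS_TOKEN=$NEWKEY$" /usr/src/app/.env` would fail the build in that case — and `$(...)` is preferred over backticks (ShellCheck SC2006). A comment above the RUN such as `# Replace the dev-only default secret with a per-build random value (see jwt-key-gen.sh)` would record the intent for the next reader.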
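Review bot: The comment `# generate a new jwt secret` leaves out the property the caller depends on: the Dockerfile interpolates this script's output unescaped into a `sed` replacement, which is only safe because `randomBytes(32).toString('hex')` prints a single line of 64 hex characters (256 bits of entropy) containing no shell or sed metacharacters. Suggest widening the comment to `# Print 32 random bytes (256 bits) as one 64-char hex line; the Dockerfile's sed relies on hex having no special characters` so a later switch to base64 is not made without revisiting the caller. The script also relies on `node` being on PATH, which holds in the nodejs-20 build stage but is worth stating in the same comment.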