bd12160ebb
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized set_config() in interactive Prisma transactions (no SQL injection) - Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables - Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy - Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions - Wrap all API route and page loader queries in withTenant() - Wrap validateSession() in withBypassRLS() (joins RLS-protected users) - Keep existing tenantId where-clause filters as optimization layer - Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
44 lines
777 B
Docker
44 lines
777 B
Docker
# Stage 1: Build
|
|
FROM node:22-alpine AS builder
|
|
|
|
RUN apk add --no-cache python3 make g++
|
|
|
|
WORKDIR /app
|
|
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci
|
|
|
|
COPY prisma ./prisma
|
|
RUN npx prisma generate
|
|
|
|
COPY . .
|
|
RUN npm run build
|
|
|
|
# Stage 2: Production
|
|
FROM node:22-alpine
|
|
|
|
RUN apk add --no-cache python3 make g++
|
|
|
|
WORKDIR /app
|
|
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci --omit=dev
|
|
|
|
COPY prisma ./prisma
|
|
RUN npx prisma generate
|
|
|
|
COPY --from=builder /app/build ./build
|
|
COPY --from=builder /app/server.js ./server.js
|
|
COPY scripts ./scripts
|
|
|
|
RUN apk add --no-cache postgresql-client
|
|
RUN apk del python3 make g++ && rm -rf /var/cache/apk/*
|
|
RUN mkdir -p /app/uploads
|
|
|
|
EXPOSE 3000
|
|
|
|
COPY docker-entrypoint.sh ./
|
|
RUN chmod +x docker-entrypoint.sh
|
|
|
|
CMD ["./docker-entrypoint.sh"]
|