Files
SharepointToolbox-Web/docker-compose.yml
kawa ebda614aaa Fix prod auth: persist DataProtection keys; redirect unauth to login
Two deployment-breaking issues caused 404s on protected pages after a
container recreate:

1. DataProtection keys were stored in the container's ephemeral home dir.
   Every redeploy regenerated them, invalidating all auth cookies (users
   silently logged out) and — worse — making the app-only certs encrypted
   under /data/appcerts undecryptable. Persist keys to /data/dpkeys with a
   stable application name so they survive recreates.

2. DefaultChallengeScheme was OpenIdConnect, so a logged-out request to any
   [Authorize] Blazor page forced an OIDC challenge. When OIDC is
   unconfigured/unreachable the challenge throws and the request 404s, with
   no path to the login page. Challenge the cookie scheme instead, which
   redirects to /account/login (the combined local + Microsoft page). OIDC
   is still triggered explicitly from /account/login/entra.

Also harden the container image:
- Pin base images to exact patch (sdk:10.0.300, aspnet:10.0.8). Floating
  :10.0 tags drift; a stale/pre-GA SDK base silently drops blazor.web.js
  from the publish manifest, 404ing framework assets in production.
- Install curl and switch the compose healthcheck to it (the aspnet image
  ships no wget/curl, so the old healthcheck always reported unhealthy).
  Probe /account/login (anonymous, 200) since / now 302-redirects.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 14:34:58 +02:00
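
The two application-side changes the commit describes, persisting the DataProtection key ring under the mounted /data volume and challenging the cookie scheme so that anonymous requests land on /account/login while OIDC is only started from /account/login/entra, expressed as ASP.NET Core startup code. This is an added example, not the repository's Program.cs: the application name string, the "Entra" configuration section, the stub login endpoint and the /protected endpoint are assumptions, and it needs the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
// Added example, not the project's code. Assumed: the "Entra" config section,
// the application name string, the stub /account/login and /protected endpoints.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// 1. Persist the key ring on the mounted volume (DataFolder=/data comes from the
//    compose environment). Without this, every container recreate generates a new
//    key ring, so existing auth cookies and anything protected with IDataProtector
//    (here the app-only certificates) can no longer be unprotected.
var dataFolder = builder.Configuration["DataFolder"] ?? "/data";
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(dataFolder, "dpkeys")))
    // By default the key-ring discriminator is derived from the content root path.
    // A fixed name makes the persisted keys independent of where the app is deployed.
    .SetApplicationName("SharepointToolbox-Web"); // assumed name
// Caveat: on Linux the key files are plaintext XML unless a ProtectKeysWith*
// call is added, so read access to /data/dpkeys equals access to every cookie
// and encrypted certificate. Lock down the volume accordingly.

// 2. The cookie scheme is both the default and the default *challenge* scheme, so an
//    anonymous request to a protected resource is answered with a 302 to LoginPath
//    instead of an OIDC round trip that fails when OIDC is unconfigured.
builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.LoginPath = "/account/login";
        options.Cookie.HttpOnly = true;
        // Assumes TLS is terminated in front of port 8080; for plain-HTTP local
        // testing use CookieSecurePolicy.SameAsRequest or the cookie is never sent.
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    })
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        // Authority, ClientId, etc. bound from an assumed "Entra" section.
        builder.Configuration.GetSection("Entra").Bind(options);
        // After the OIDC handshake the identity is issued as the normal auth cookie.
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Anonymous 200: stand-in for the combined local + Microsoft login page, and the
// endpoint the compose healthcheck probes.
app.MapGet("/account/login", () => Results.Text("login page"));

// OIDC is started only from this explicit endpoint, never as the default challenge.
app.MapGet("/account/login/entra", () =>
    Results.Challenge(
        new AuthenticationProperties { RedirectUri = "/" },
        new[] { OpenIdConnectDefaults.AuthenticationScheme }));

// Protected resource: anonymous GET yields 302 Location: /account/login?ReturnUrl=%2Fprotected
app.MapGet("/protected", () => "only for signed-in users").RequireAuthorization();

app.Run();
```

With this wiring, `curl -i http://localhost:8080/protected` answers 302 with `Location: /account/login?ReturnUrl=%2Fprotected` even when the "Entra" section is empty, and `curl -fsS http://localhost:8080/account/login` exits 0, which is the behaviour the compose healthcheck relies on. The key-ring persistence is only as safe as the volume: anyone who can read /data/dpkeys can unprotect every cookie and app-only certificate, so treat the volume like a key store, not like ordinary application data.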


services:
  sptb-web:
    build:
      context: .
      dockerfile: Dockerfile
    image: sptb-web:latest
    container_name: sptb-web
    ports:
      - "8080:8080"
    volumes:
      # DataProtection key ring (/data/dpkeys) and app-only certs (/data/appcerts)
      # live here and must survive container recreates.
      - sptb-data:/data
    environment:
      - ASPNETCORE_ENVIRONMENT=Production
      - DataFolder=/data
    restart: unless-stopped
    healthcheck:
      # Probe /account/login: it is anonymous and returns 200 directly. The app
      # root 302-redirects unauthenticated requests; curl -f exits non-zero only
      # on HTTP >= 400 and does not follow a 3xx without -L, so probing / would
      # pass on the redirect alone without proving the login page renders.
      # curl is installed in the image (the aspnet base ships neither wget nor
      # curl); -sS keeps output quiet except for errors.
      test: ["CMD", "curl", "-fsS", "http://localhost:8080/account/login"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

volumes:
  sptb-data:
    driver: local