# Production-hardened Dockerfile for auth-gate
#
# We use a multi-stage build to keep the final image small.
# The build stage compiles the binary, and the runtime stage copies
# only the binary and the required configuration.

FROM golang:1.21-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o auth-gate .

# Runtime stage
FROM alpine:3.19
WORKDIR /app

# Create a non-root user (security best practice).
RUN addgroup -S auth-gate && adduser -S auth-gate -G auth-gate

# Copy the binary from the builder stage.
COPY --from=builder /app/auth-gate .

# Create directories for config and data.
RUN mkdir -p /config /data

# Set ownership so the non-root user can write to /data but not /config.
RUN chown -R auth-gate:auth-gate /data && chown auth-gate:auth-gate /config

# Switch to the non-root user.
USER auth-gate

# Expose the HTTP port.
EXPOSE 8080

# Start the service.
ENTRYPOINT ["/app/auth-gate"]
CMD []