# Production-hardened Dockerfile for auth-proxy
#
# We use a multi-stage build to keep the final image small.
# The build stage compiles the binary, and the runtime stage copies
# only the binary and the required configuration.

FROM docker.iranserver.com/golang:1.26-alpine AS builder
WORKDIR /app

RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \
    && /usr/local/go/bin/go env -w GOSUMDB=off

COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o auth-proxy ./src

# Runtime stage
FROM docker.iranserver.com/alpine:3.23
WORKDIR /app

# Create a non-root user (security best practice).
RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy

# Copy the binary from the builder stage.
COPY --from=builder /app/auth-proxy .

# Create directories for config and data.
RUN mkdir -p /config /data

# Set ownership so the non-root user can write to /data but not /config.
RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config

# Switch to the non-root user.
USER auth-proxy

# Expose the HTTP port.
EXPOSE 8080

# Start the service.
ENTRYPOINT ["/app/auth-proxy"]
CMD []