Fix Alpine 3.20 user conflict in platform-service Dockerfile#1
Open
railway-app[bot] wants to merge 26 commits into
Open
Fix Alpine 3.20 user conflict in platform-service Dockerfile#1railway-app[bot] wants to merge 26 commits into
railway-app[bot] wants to merge 26 commits into
Conversation
…ve watch previews, and hide dev status
…ronment variable for matchmaking-service
…provements with tests
…nknown match archive
…im validation, dead-room reconciliation, and full beta reset
…esence, castling fusion - Fix TS structural errors in App.tsx (orphan </div> from ErrorBoundary/ELO removal) - Replace PlatformContext createContext<any> with typed PlatformContextShape interface - Add TLS support to gateway (TLS_CERT_FILE/TLS_KEY_FILE env vars) - Add disconnect presence on WS close (MarkDisconnected + playerId/playerSecret query params) - Fix castling to use isAttackedWithFusion instead of isAttacked for fusion-aware checks - Remove ELO stakes section (hardcoded +16/-16 replaced by proper ELO formula) - Add resign confirmation (two-click with 3s timeout and red highlight) - Add draw offer cooldown (15s rate limit on both client and server) - Add idempotency keys (clientMoveId) to prevent duplicate intent processing
…, queue outbox, security headers, orphaned client removal CRITICAL: - HTTP timeouts (ReadHeaderTimeout/ReadTimeout/WriteTimeout/IdleTimeout) on all 4 Go servers - WebSocket CheckOrigin rejects empty Origin (CORS bypass fixed) - Hardcoded defaultAllowedOrigins removed from match-service - Queue TOCTOU race: CreateMatch HTTP call moved outside mutex via goroutine - USER nobody added to all 5 Dockerfiles (Go + web) - Security headers in next.config.mjs (CSP, X-Frame-Options, etc.) - web.Dockerfile CMD uses exec for proper signal handling - legalMovesWithFusion in applyMove intent validation (castling fusion) - Rate limiter middleware (IP-based, windowed) applied to all 4 services - Elo-range matchmaking (max 400 rating diff in findMatchCandidateLocked) - Orphaned client/ directory removed (duplicate CRA frontend) - Test ref: collectBroadcasts -> collectAndBroadcast HIGH: - In-memory rate limit package (internal/rate_limit) with configurable window/limit - Default rate limits: 60/min API, 20/10min auth, 10/30s queue - Elo-range matching for casual and rated queues - Session token hashing infrastructure (hashSessionToken function)
- Add inBounds checks to fakepiece/clone/teleport/jump card targets (4 crash fixes) - Deep-copy History and SeenClientMoveIDs in cloneState (2 data race fixes) - Harden platform-service: status endpoint, account enumeration, sensitive logging, X-Forwarded-For spoofing - Add history_public.go DTO layer and public API endpoints - Unify ELO formula across all backends (Postgres, SQLite, in-memory) - Fix guest-results and account-results tests for new auth-required handler - Fix lava test (insufficient material draw)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Alpine 3.20 ships with a built-in
nobodyuser at UID 65534. The platform-service Dockerfile (introduced in commit 7142bfc) attempts to create a second user also namednobodywith UID 1001, causingadduser: user 'nobody' in useand failing every build.Solution
Replaced both occurrences of
nobodyindeploy/railway/platform-service.Dockerfilewithappuser— theadduserinvocation and theUSERdirective. This avoids the naming collision with Alpine's built-in user while preserving the non-root security hardening at the dedicated UID 1001.Changes
deploy/railway/platform-service.DockerfileGenerated by Railway