fix(security): add exec for proper signal handling in Dockerfile

Dockerfile

@@ -1,3 +1,109 @@
-FROM lakhansamani/authorizer:1.3.8
-
-CMD ./build/server
+# Base runs as USER authorizer (uid 1000). For SQLite, ensure mounted /data is writable by that user.
+FROM lakhansamani/authorizer:2.0.0
+# Override so CMD runs in a shell and env vars (e.g. for Render) are expanded. See base image comment.
+# Use exec-form CMD with a single string so /bin/sh -c gets one argument; shell-form CMD can be split and drop into a shell.
+ENTRYPOINT ["/bin/sh", "-c"]
+# Single CMD string so the whole command is run by sh -c (not just "./authorizer").
+# Backslash-newline inside the string lets sh treat this as one command across lines.
+CMD ["exec ./authorizer \\\n\
+  --database-type=\"${DATABASE_TYPE:-postgres}\" \\\n\
+  --database-url=\"${DATABASE_URL}\" \\\n\
+  --client-id=\"${CLIENT_ID}\" \\\n\
+  --client-secret=\"${CLIENT_SECRET}\" \\\n\
+  --admin-secret=\"${ADMIN_SECRET}\" \\\n\
+  --redis-url=\"${REDIS_URL}\" \\\n\
+  --jwt-type=\"${JWT_TYPE}\" \\\n\
+  --jwt-secret=\"${JWT_SECRET}\" \\\n\
+  --jwt-private-key=\"${JWT_PRIVATE_KEY}\" \\\n\
+  --jwt-public-key=\"${JWT_PUBLIC_KEY}\" \\\n\
+  --jwt-role-claim=\"${JWT_ROLE_CLAIM}\" \\\n\
+  --custom-access-token-script=\"${CUSTOM_ACCESS_TOKEN_SCRIPT}\" \\\n\
+  --roles=\"${ROLES}\" \\\n\
+  --default-roles=\"${DEFAULT_ROLES}\" \\\n\
+  --protected-roles=\"${PROTECTED_ROLES}\" \\\n\
+  --allowed-origins=\"${ALLOWED_ORIGINS}\" \\\n\
+  --default-authorize-response-type=\"${DEFAULT_AUTHORIZE_RESPONSE_TYPE}\" \\\n\
+  --default-authorize-response-mode=\"${DEFAULT_AUTHORIZE_RESPONSE_MODE}\" \\\n\
+  --organization-name=\"${ORGANIZATION_NAME}\" \\\n\
+  --organization-logo=\"${ORGANIZATION_LOGO}\" \\\n\
+  --smtp-host=\"${SMTP_HOST}\" \\\n\
+  --smtp-port=\"${SMTP_PORT:-0}\" \\\n\
+  --smtp-username=\"${SMTP_USERNAME}\" \\\n\
+  --smtp-password=\"${SMTP_PASSWORD}\" \\\n\
+  --smtp-sender-email=\"${SENDER_EMAIL}\" \\\n\
+  --smtp-sender-name=\"${SENDER_NAME}\" \\\n\
+  --reset-password-url=\"${RESET_PASSWORD_URL}\" \\\n\
+  --env=\"${ENV}\" \\\n\
+  --host=\"${HOST:-0.0.0.0}\" \\\n\
+  --metrics-port=\"${METRICS_PORT:-8081}\" \\\n\
+  --enable-login-page=\"${ENABLE_LOGIN_PAGE:-true}\" \\\n\
+  --enable-playground=\"${ENABLE_PLAYGROUND:-true}\" \\\n\
+  --disable-admin-header-auth=\"${DISABLE_ADMIN_HEADER_AUTH:-true}\" \\\n\
+  --enable-graphql-introspection=\"${ENABLE_GRAPHQL_INTROSPECTION:-true}\" \\\n\
+  --app-cookie-secure=\"${APP_COOKIE_SECURE:-true}\" \\\n\
+  --admin-cookie-secure=\"${ADMIN_COOKIE_SECURE:-true}\" \\\n\
+  --database-name=\"${DATABASE_NAME}\" \\\n\
+  --database-username=\"${DATABASE_USERNAME}\" \\\n\
+  --database-password=\"${DATABASE_PASSWORD}\" \\\n\
+  --database-host=\"${DATABASE_HOST}\" \\\n\
+  --database-port=\"${DATABASE_PORT:-0}\" \\\n\
+  --database-cert=\"${DATABASE_CERT}\" \\\n\
+  --database-ca-cert=\"${DATABASE_CA_CERT}\" \\\n\
+  --database-cert-key=\"${DATABASE_CERT_KEY}\" \\\n\
+  --couchbase-bucket=\"${COUCHBASE_BUCKET}\" \\\n\
+  --couchbase-scope=\"${COUCHBASE_SCOPE}\" \\\n\
+  --couchbase-ram-quota=\"${COUCHBASE_RAM_QUOTA}\" \\\n\
+  --aws-region=\"${AWS_REGION}\" \\\n\
+  --aws-access-key-id=\"${AWS_ACCESS_KEY_ID}\" \\\n\
+  --aws-secret-access-key=\"${AWS_SECRET_ACCESS_KEY}\" \\\n\
+  --smtp-local-name=\"${SMTP_LOCAL_NAME}\" \\\n\
+  --smtp-skip-tls-verification=\"${SMTP_SKIP_TLS_VERIFICATION:-false}\" \\\n\
+  --enable-strong-password=\"${ENABLE_STRONG_PASSWORD:-true}\" \\\n\
+  --enable-totp-login=\"${ENABLE_TOTP_LOGIN:-false}\" \\\n\
+  --enable-basic-authentication=\"${ENABLE_BASIC_AUTHENTICATION:-true}\" \\\n\
+  --enable-email-verification=\"${ENABLE_EMAIL_VERIFICATION:-false}\" \\\n\
+  --enable-mobile-basic-authentication=\"${ENABLE_MOBILE_BASIC_AUTHENTICATION:-true}\" \\\n\
+  --enable-phone-verification=\"${ENABLE_PHONE_VERIFICATION:-false}\" \\\n\
+  --enable-magic-link-login=\"${ENABLE_MAGIC_LINK_LOGIN:-false}\" \\\n\
+  --enforce-mfa=\"${ENFORCE_MFA:-true}\" \\\n\
+  --enable-mfa=\"${ENABLE_MFA:-false}\" \\\n\
+  --enable-email-otp=\"${ENABLE_EMAIL_OTP:-false}\" \\\n\
+  --enable-sms-otp=\"${ENABLE_SMS_OTP:-false}\" \\\n\
+  --enable-signup=\"${ENABLE_SIGNUP:-true}\" \\\n\
+  --twilio-account-sid=\"${TWILIO_ACCOUNT_SID}\" \\\n\
+  --twilio-api-key=\"${TWILIO_API_KEY}\" \\\n\
+  --twilio-api-secret=\"${TWILIO_API_SECRET}\" \\\n\
+  --twilio-sender=\"${TWILIO_SENDER}\" \\\n\
+  --google-client-id=\"${GOOGLE_CLIENT_ID}\" \\\n\
+  --google-client-secret=\"${GOOGLE_CLIENT_SECRET}\" \\\n\
+  --google-scopes=\"${GOOGLE_SCOPES}\" \\\n\
+  --github-client-id=\"${GITHUB_CLIENT_ID}\" \\\n\
+  --github-client-secret=\"${GITHUB_CLIENT_SECRET}\" \\\n\
+  --github-scopes=\"${GITHUB_SCOPES}\" \\\n\
+  --facebook-client-id=\"${FACEBOOK_CLIENT_ID}\" \\\n\
+  --facebook-client-secret=\"${FACEBOOK_CLIENT_SECRET}\" \\\n\
+  --facebook-scopes=\"${FACEBOOK_SCOPES}\" \\\n\
+  --microsoft-client-id=\"${MICROSOFT_CLIENT_ID}\" \\\n\
+  --microsoft-client-secret=\"${MICROSOFT_CLIENT_SECRET}\" \\\n\
+  --microsoft-tenant-id=\"${MICROSOFT_TENANT_ID}\" \\\n\
+  --microsoft-scopes=\"${MICROSOFT_SCOPES}\" \\\n\
+  --apple-client-id=\"${APPLE_CLIENT_ID}\" \\\n\
+  --apple-client-secret=\"${APPLE_CLIENT_SECRET}\" \\\n\
+  --apple-scopes=\"${APPLE_SCOPES}\" \\\n\
+  --discord-client-id=\"${DISCORD_CLIENT_ID}\" \\\n\
+  --discord-client-secret=\"${DISCORD_CLIENT_SECRET}\" \\\n\
+  --discord-scopes=\"${DISCORD_SCOPES}\" \\\n\
+  --linkedin-client-id=\"${LINKEDIN_CLIENT_ID}\" \\\n\
+  --linkedin-client-secret=\"${LINKEDIN_CLIENT_SECRET}\" \\\n\
+  --linkedin-scopes=\"${LINKEDIN_SCOPES}\" \\\n\
+  --twitch-client-id=\"${TWITCH_CLIENT_ID}\" \\\n\
+  --twitch-client-secret=\"${TWITCH_CLIENT_SECRET}\" \\\n\
+  --twitch-scopes=\"${TWITCH_SCOPES}\" \\\n\
+  --twitter-client-id=\"${TWITTER_CLIENT_ID}\" \\\n\
+  --twitter-client-secret=\"${TWITTER_CLIENT_SECRET}\" \\\n\
+  --twitter-scopes=\"${TWITTER_SCOPES}\" \\\n\
+  --roblox-client-id=\"${ROBLOX_CLIENT_ID}\" \\\n\
+  --roblox-client-secret=\"${ROBLOX_CLIENT_SECRET}\" \\\n\
+  --roblox-scopes=\"${ROBLOX_SCOPES}\" \\\n\
+  --log-level=\"${LOG_LEVEL:-info}\" \\\n\
+  --http-port=\"${PORT:-8080}\""]

README.md

@@ -1,6 +1,6 @@
 # Authorizer on Render
 
-Click to deploy a [Authorizer](https://authorizer.dev) instance with a managed PostgreSQL database on [Render](https://render.com/).
+Deploy production ready [authorizer.dev](https://authorizer.dev) instance on [Render](https://render.com/) with a managed PostgreSQL database and build with it in 30seconds
 
 [![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/authorizerdev/authorizer-render)
 
@@ -10,16 +10,31 @@ After clicking the above button, follow the steps mentioned below:
 
 Enter the name for your instance.
 
-> Note: Optionally you can choose to deploy a branch `without-postgres` and configure database env, if you already have an postgres instance running.
+> Note: Optionally you can choose to deploy a branch `without-postgres` and configure database env, if you already have a postgres instance running.
 
-<img src="/images/render_1.png" style="height:20em;width:100%;object-fit:contain;"/>
+### Step 2: Configure Required Variables
 
-### Step 2: Configure Envs
+Authorizer v2 requires the following variables. Configure them in Render's environment settings:
 
-Open authorizer URL in your browser and configure rest of your [envs](https://docs.authorizer.dev/core/env).
+| Variable | Description | Example |
+| -------- | ----------- | ------- |
+| `DATABASE_TYPE` | Database type | `postgres` |
+| `DATABASE_URL` | Database connection string | *(auto-configured by Render)* |
+| `JWT_TYPE` | JWT signing algorithm | `HS256` |
+| `JWT_SECRET` | JWT signing secret | `test` |
+| `ADMIN_SECRET` | Admin secret for admin operations | `admin` |
+| `CLIENT_ID` | Client identifier **(required)** | `123456` |
+| `CLIENT_SECRET` | Client secret **(required)** | `secret` |
 
-> Note: `DATABASE_URL` and `DATABASE_TYPE` are only configurable via render envs
+These are mapped to CLI flags at startup. Please refer to the [server configuration docs](https://docs.authorizer.dev/core/server-config) for all available flags.
 
-<img src="/images/render_2.png" style="height:20em;width:100%;object-fit:contain;"/>
+## Notes
 
-That's all 🎉 you can get started with [Authorizer](https://docs.authorizer.dev/getting-started) now! You have your authentication and authorization layer ready.
+- Source repo: https://github.com/authorizerdev/authorizer
+- Docs: https://docs.authorizer.dev/deployment/render/
+
+### Updating Authorizer on existing Render instance
+
+- You can update the [docker image](https://github.com/authorizerdev/authorizer-render/blob/main/Dockerfile#L2) to the desired version in your repository which gets created with your deployment.
+
+- You can find all the versions on [github](https://github.com/authorizerdev/authorizer/releases) or [dockerhub](https://hub.docker.com/r/lakhansamani/authorizer)

render.yaml

@@ -11,5 +11,18 @@ services:
           property: connectionString
       - key: DATABASE_TYPE
         value: postgres
+      - key: CLIENT_ID
+        generateValue: true
+      - key: CLIENT_SECRET
+        generateValue: true
+      - key: ADMIN_SECRET
+        generateValue: true
+      - key: JWT_SECRET
+        generateValue: true
+      - key: JWT_TYPE
+        value: HS256
+
 databases:
   - name: authorizer-db
+    plan: free
+    databaseName: authorizer