Every cookie was flagged Secure whenever NODE_ENV=production. Over
plain HTTP (single-host compose deploy without TLS) browsers silently
discard Secure cookies, so the access token, refresh token, and CSRF
cookie all vanished after login — producing 401 Unauthorized on every
GET and 403 "CSRF token missing or invalid" on every mutation.
Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to
NODE_ENV === 'production' when unset. Controllers and middleware now
read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose
file sets it to false by default with a comment to flip once TLS is in
front; HTTPS deployments can override via .env or drop the override to
pick up the secure default.
Lock images to gitea.thewrightserver.net/josh/{vector-api,vector-web}
and drop the build: sections. docker compose up now only pulls; source
builds happen exclusively in CI.
- apps/api/Dockerfile: multi-stage build, runs prisma migrate deploy on
boot. Workspace package.json "main/exports" rewritten to dist so Node
ESM resolves compiled JS at runtime.
- apps/web/Dockerfile + nginx.conf: static build served by nginx with
SPA fallback, gzip, cache-bust on hashed assets, and /api reverse
proxy to the internal api service.
- docker-compose.yml: production-oriented stack — api (SQLite on a
named volume), web (exposes WEB_PORT), redis (for the upcoming
worker). Postgres dropped since schema still targets SQLite.
- .dockerignore: keep build context lean.
- ci: add docker job gated on push-to-main that builds and pushes both
images to ${{ vars.REGISTRY_URL }} using ${{ secrets.REGISTRY_TOKEN }}.
Tags :latest + :${github.sha}.
josh