josh/Vector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d739411510efcc550568dc115170c0efa6433532
Vector/docker-compose.yml
T
josh 23bd0f0c6a
CI / Playwright (smoke) (push) Has been skipped
Details
CI / Lint · Typecheck · Test · Build (push) Successful in 44s
Details
CI / Build & push images (push) Successful in 1m8s
Details
fix(deploy): auth/CSRF cookies dropped on plain-HTTP prod 
Every cookie was flagged Secure whenever NODE_ENV=production. Over
plain HTTP (single-host compose deploy without TLS) browsers silently
discard Secure cookies, so the access token, refresh token, and CSRF
cookie all vanished after login — producing 401 Unauthorized on every
GET and 403 "CSRF token missing or invalid" on every mutation.

Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to
NODE_ENV === 'production' when unset. Controllers and middleware now
read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose
file sets it to false by default with a comment to flip once TLS is in
front; HTTPS deployments can override via .env or drop the override to
pick up the secure default.
2026-04-17 08:31:12 -04:00

68 lines
1.9 KiB
YAML
Raw Blame History

# Vector — single-instance production deployment.
#
# Quick start:
# 1. Log in to the registry so compose can pull:
# docker login gitea.thewrightserver.net
#
# 2. Create a .env file next to this compose file containing at minimum:
# JWT_SECRET=<64+ char random hex>
# CLIENT_ORIGIN=http://your-host:8080
# WEB_PORT=8080
# TAG=latest # or a specific commit SHA
#
# 3. Pull + start:
# docker compose pull && docker compose up -d
#
# Data lives in the `vector-data` volume (SQLite db). Redis is included
# in anticipation of the BullMQ worker follow-up; the API does not yet
# depend on it.
services:
api:
image: gitea.thewrightserver.net/josh/vector-api:${TAG:-latest}
restart: unless-stopped
environment:
NODE_ENV: production
PORT: 3001
DATABASE_URL: file:/data/vector.db
JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required — see .env.example}
CLIENT_ORIGIN: ${CLIENT_ORIGIN:-http://localhost:8080}
# Browsers drop Secure cookies over plain HTTP. Flip to "true" once
# this deployment sits behind TLS (reverse proxy, Cloudflare, etc).
COOKIE_SECURE: ${COOKIE_SECURE:-false}
volumes:
- vector-data:/data
healthcheck:
test: ["CMD-SHELL", "wget -qO- http://localhost:3001/healthz || exit 1"]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
depends_on:
redis:
condition: service_healthy
web:
image: gitea.thewrightserver.net/josh/vector-web:${TAG:-latest}
restart: unless-stopped
ports:
- "${WEB_PORT:-8080}:80"
depends_on:
api:
condition: service_healthy
redis:
image: redis:7-alpine
restart: unless-stopped
volumes:
- vector-redisdata:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 3s
retries: 10
volumes:
vector-data:
vector-redisdata:
Reference in New Issue View Git Blame Copy Permalink