jim800121/visionA
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
visionA/visionA-backend/docker/Dockerfile.remote-proxy
jim800121chen 22f0837ba8 feat(visionA-backend): Phase 0 → 0.7 雲端後端(雙 binary + OIDC BFF + stage 部署) 
從 edge-ai-platform POC 轉為正式產品的雲端後端,含以下整合階段:

- Phase 0:雛形骨架 — `cmd/api-server` (REST :3721) + `cmd/remote-proxy`
  (tunnel :3800 / internal :3801) 雙 binary 共用 internal/,沿用 POC 的
  WebSocket+yamux tunnel 協定但解耦 relay 與 API
- Phase 0.6:OIDC BFF 接 Innovedus Member Center
  - internal/oidc package(coreos/go-oidc + PKCE S256 + state + nonce)
  - internal/usersession package(HMAC-SHA256 cookie + RotateSessionID
    防 session fixation, OWASP ASVS V3.2.1)
  - 4 個 OIDC handler(/api/auth/login|callback|me|logout)+ AuthMiddleware
  - 完全拔除 StaticAuthProvider,OIDC 是唯一認證路徑
  - 9 個 ADR(含 ADR-010 BFF / ADR-011 取代 static auth /
    ADR-012 pending session shared cookie / ADR-013 PKCE-only public client)
- Phase 0.7:A1 改造 + security audit 修復
  - OIDC ClientSecret 變選填,支援 stage MC 的 public PKCE-only client
    (AuthStyleInParams 強制 token endpoint 不送 client_secret)
  - 預留 ServiceClient* 欄位給未來 client_credentials grant
  - 移除 13+ 處 resolveUserID(uc, StaticUserID) fallback 改 strict mode
    (Audit C1:multi-tenant 隔離破口)
  - Pairing exchange MarkUsed 失敗 abort + revoke session token(Audit M3)
  - 新增 all_endpoints_require_auth_test 整合測試(51 endpoint × 401)

驗證:go test -race -count=3 ./... 17 packages 全綠 / go vet 0 warning

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 11:21:20 +08:00

53 lines
1.6 KiB
Docker
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# syntax=docker/dockerfile:1.6
#
# visionA-backend / remote-proxy — multi-stage Docker image
#
# 設計原則同 Dockerfile.api-server見該檔 header
# 唯一差別:
# - build 的是 ./cmd/remote-proxy
# - 對外 expose 3800tunnel WSlocal agent 用)+ 3801internal HTTPapi-server 用)
# - HEALTHCHECK 打 tunnel port 的 /healthz
# ---- Stage 1: builder ----------------------------------------------------
FROM golang:1.26-alpine AS builder
RUN apk add --no-cache git ca-certificates
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
ENV CGO_ENABLED=0 GOOS=linux
RUN go build -trimpath -ldflags="-s -w" -o /out/remote-proxy ./cmd/remote-proxy
# ---- Stage 2: runtime ----------------------------------------------------
FROM alpine:3.19
RUN apk add --no-cache ca-certificates curl tzdata && \
addgroup -S -g 1001 visiona && \
adduser -S -u 1001 -G visiona visiona
WORKDIR /app
COPY --from=builder --chown=visiona:visiona /out/remote-proxy /app/remote-proxy
USER visiona:visiona
# 3800tunnel server面向 local agentWebSocket upgrade
# 3801internal HTTP面向 api-server同 compose network 內互通)
EXPOSE 3800 3801
ENV VISIONA_HOST=0.0.0.0 \
VISIONA_TUNNEL_PORT=3800 \
VISIONA_PROXY_INTERNAL_PORT=3801 \
VISIONA_LOG_LEVEL=info
# Healthcheck 打 tunnel listener 的 /healthzinternal port 雖然也有但不對外)
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -fsS http://localhost:3800/healthz || exit 1
ENTRYPOINT ["/app/remote-proxy"]
Reference in New Issue View Git Blame Copy Permalink