# =============================================================================
# MCP AUTH SERVER DOCKERFILE
# =============================================================================
# Authentication service with JWT, Sessions, Password Reset
# Port: 3095
# =============================================================================

# Build stage
FROM node:20-alpine AS builder

WORKDIR /app

# Install build dependencies for bcrypt native module
RUN apk add --no-cache python3 make g++

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm ci --only=production=false

# Copy source
COPY tsconfig.json ./
COPY src ./src

# Build
RUN npm run build

# Prune dev dependencies
RUN npm prune --production

# =============================================================================
# Production stage
# =============================================================================
FROM node:20-alpine AS production

WORKDIR /app

# Create non-root user
RUN addgroup -g 1001 -S nodejs && \
    adduser -S auth -u 1001

# Copy built artifacts
COPY --from=builder --chown=auth:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=auth:nodejs /app/dist ./dist
COPY --from=builder --chown=auth:nodejs /app/package.json ./

# Create logs directory
RUN mkdir -p logs && chown auth:nodejs logs

# Switch to non-root user
USER auth

# Expose port
EXPOSE 3095

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://localhost:3095/health || exit 1

# Start server
CMD ["node", "dist/index.js"]