From ed9638bcf9924a31a8a3da354748a7cb2a7db081 Mon Sep 17 00:00:00 2001 From: Michael Schramm Date: Tue, 16 Jun 2020 09:20:43 +0200 Subject: [PATCH] switch to non root dockerfile for ui and api containers https://github.com/ohmyform/ohmyform/issues/97 --- CHANGELOG.md | 2 ++ Dockerfile | 13 +++++++++++-- public/index.html | 5 +++++ 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 public/index.html diff --git a/CHANGELOG.md b/CHANGELOG.md index ef6d25c..962a57e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ### Fixed ### Security +- container now runs as non root user + ## [0.9.5] - 2020-06-10 ### Added diff --git a/Dockerfile b/Dockerfile index 84c55ce..d854d98 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12 AS builder +FROM node:12-alpine AS builder MAINTAINER OhMyForm WORKDIR /usr/src/app @@ -6,10 +6,16 @@ WORKDIR /usr/src/app # just copy everhing COPY . . +RUN touch /usr/src/app/src/schema.gql && chown 9999:9999 /usr/src/app/src/schema.gql + RUN yarn install --frozen-lockfile RUN yarn build -FROM node:12 +FROM node:12-alpine +MAINTAINER OhMyForm + +# Create a group and a user with name "ohmyform". +RUN addgroup --gid 9999 ohmyform && adduser -D --uid 9999 -G ohmyform ohmyform WORKDIR /usr/src/app @@ -24,4 +30,7 @@ ENV PORT=3000 \ EXPOSE 3000 +# Change to non-root privilege +USER ohmyform + CMD [ "yarn", "start:prod" ] diff --git a/public/index.html b/public/index.html new file mode 100644 index 0000000..db350e6 --- /dev/null +++ b/public/index.html @@ -0,0 +1,5 @@ +
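Review bot: `node:12-alpine` is a floating tag, so the builder stage in this hunk and the runtime `FROM node:12-alpine` in the next hunk can resolve to different image contents from one build to the next. Pinning both to a full version plus digest, e.g. `FROM node:12-alpine@sha256:<digest> AS builder` (placeholder; take the digest from the registry), makes the image reproducible and keeps base-image changes visible in review. The move from the Debian-based image to Alpine also swaps glibc for musl, so any dependency with a native addon deserves a build check; whether the project has one is not visible from this hunk. Separately, `MAINTAINER` is deprecated, and `LABEL org.opencontainers.image.authors="OhMyForm"` is the current form for both stages.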
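Review bot: The `chown 9999:9999` on `schema.gql` in the builder stage only helps if the copy into the runtime stage keeps that ownership. The `COPY --from=builder` lines sit between this hunk and the next, so that cannot be confirmed from here. The id 9999 is also repeated as a bare number in the `addgroup`/`adduser` line, with nothing tying the two together. Setting ownership at the destination is more robust, for example a dedicated `COPY --from=builder --chown=ohmyform:ohmyform /usr/src/app/src/schema.gql ./src/schema.gql` in the final stage after the user is created. A comment such as `# schema.gql is the only path the non-root user may write; the rest of the app stays root-owned` would record the intent and keep later edits from widening it.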
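Review bot: `USER ohmyform` names the account rather than giving its id, and Kubernetes cannot verify `runAsNonRoot` against a non-numeric image user. Pods with that policy fail to start unless `runAsUser` is set by hand. Since the uid and gid are fixed at 9999 in the previous hunk, `USER 9999:9999` keeps the same account and lets the runtime check it. The hunk opens inside the `ENV` instruction, which begins outside the visible lines.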
+

OhMyForm API endpoint

+ +visit us at ohmyform.com +