fix: create /app/data owned by runtime user; add DATABASE_PATH to compose

SPCFXDA · SPCFXDA · commit d66cb7464c8b · 2026-03-14T16:20:06.000+01:00
Dockerfile: create /app/data and chown it to the runtime user before
USER switch so Docker volume initialization inherits correct ownership.
Previously, Docker named volumes were root:root on first mount, causing
SQLite SQLITE_CANTOPEN (even though Node fs writes worked fine).

The actual compose volume names are prefixed by docker compose project
names (cas_cas-data, template_template-data) — the chown fix ensures
any fresh volume deploy initialises with the correct uid 100:101.

docker-compose.yml: add explicit DATABASE_PATH env var (was missing,
though the code has a sensible default, explicit is better).
diff --git a/apps/cas/backend/Dockerfile b/apps/cas/backend/Dockerfile
@@ -72,6 +72,9 @@ COPY --from=builder /app/apps/cas/backend/dist         ./dist
 COPY --from=builder /app/apps/cas/backend/package.json ./package.json
 
 RUN addgroup --system cas && adduser --system --ingroup cas cas
+# Create the data directory owned by the runtime user so that Docker volume
+# mounts (and mkdirSync inside the app) can write to it without root privs.
+RUN mkdir -p /app/data && chown -R cas:cas /app/data
 USER cas
 
 ENV NODE_ENV=production \
diff --git a/apps/cas/docker-compose.yml b/apps/cas/docker-compose.yml
@@ -17,6 +17,7 @@ services:
       NODE_ENV: production
       PORT: "3001"
       HOST: "0.0.0.0"
+      DATABASE_PATH: "/app/data/cas.db"
       CAS_API_KEY: "${CAS_API_KEY}"
       CORS_ORIGIN: "${CORS_ORIGIN:-https://cas.cfxdevkit.org}"  # CAS frontend on Vercel
     volumes:
diff --git a/apps/template/backend/Dockerfile b/apps/template/backend/Dockerfile
@@ -82,6 +82,9 @@ COPY --from=builder /app/apps/template/backend/dist           ./dist
 COPY --from=builder /app/apps/template/backend/package.json   ./package.json
 
 RUN addgroup --system template && adduser --system --ingroup template template
+# Create the data directory owned by the runtime user so that Docker volume
+# mounts (and mkdirSync inside the app) can write to it without root privs.
+RUN mkdir -p /app/data && chown -R template:template /app/data
 USER template
 
 ENV NODE_ENV=production \
diff --git a/apps/template/docker-compose.yml b/apps/template/docker-compose.yml
@@ -17,6 +17,7 @@ services:
       NODE_ENV: production
       PORT: "3002"
       HOST: "0.0.0.0"
+      DATABASE_PATH: "/app/data/template.db"
       JWT_SECRET: "${JWT_SECRET}"
       CORS_ORIGIN: "${CORS_ORIGIN:-https://template.cfxdevkit.org}"
     volumes:
