chore: fix docker vulnerabilities

Author: lakhansamani

.claude/settings.local.json

@@ -6,7 +6,11 @@
       "Bash(go build:*)",
       "Bash(docker rm:*)",
       "Bash(docker run:*)",
-      "WebSearch"
+      "WebSearch",
+      "Bash(docker:*)",
+      "Bash(go version)",
+      "Bash(go mod:*)",
+      "Bash(go clean:*)"
     ]
   }
 }

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.4
 # Use BuildKit for cache mounts (faster CI: DOCKER_BUILDKIT=1)
-FROM golang:1.24-alpine3.23 as go-builder
+FROM golang:1.25-alpine3.23 AS go-builder
 WORKDIR /authorizer
 
 ARG TARGETPLATFORM
@@ -24,14 +24,13 @@ COPY main.go ./
 COPY cmd/ ./cmd/
 COPY internal/ ./internal/
 COPY gqlgen.yml ./
-RUN apk add --no-cache build-base
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     mkdir -p build/${GOOS}/${GOARCH} && \
     go build -trimpath -mod=readonly -tags netgo -ldflags "-w -s -X main.VERSION=$VERSION" -o build/${GOOS}/${GOARCH}/authorizer . && \
     chmod 755 build/${GOOS}/${GOARCH}/authorizer
 
-FROM alpine:3.23.3 as node-builder
+FROM alpine:3.23.3 AS node-builder
 WORKDIR /authorizer
 COPY web/app/package*.json web/app/
 COPY web/dashboard/package*.json web/dashboard/
@@ -45,24 +44,25 @@ COPY web/app web/app
 COPY web/dashboard web/dashboard
 RUN cd web/app && npm run build && cd ../dashboard && npm run build
 
-FROM alpine:3.23.3
+FROM scratch
 
 ARG TARGETARCH=amd64
 
-RUN apk update && apk upgrade --no-cache && \
-    adduser -D -h /home/authorizer -u 1000 -k /dev/null authorizer && \
-    mkdir -p web/app web/dashboard
+# CA certificates for TLS connections (OAuth, webhooks, etc.)
+COPY --from=go-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+# Timezone data
+COPY --from=go-builder /usr/share/zoneinfo /usr/share/zoneinfo
+# passwd entry for non-root user
+COPY --from=go-builder /etc/passwd /etc/passwd
+
 WORKDIR /authorizer
-COPY --from=node-builder --chown=nobody:nobody /authorizer/web/app/build web/app/build
-COPY --from=node-builder --chown=nobody:nobody /authorizer/web/app/favicon_io web/app/favicon_io
-COPY --from=node-builder --chown=nobody:nobody /authorizer/web/dashboard/build web/dashboard/build
-COPY --from=node-builder --chown=nobody:nobody /authorizer/web/dashboard/favicon_io web/dashboard/favicon_io
-COPY --from=go-builder --chown=nobody:nobody /authorizer/build/linux/${TARGETARCH}/authorizer ./authorizer
+COPY --from=node-builder /authorizer/web/app/build web/app/build
+COPY --from=node-builder /authorizer/web/app/favicon_io web/app/favicon_io
+COPY --from=node-builder /authorizer/web/dashboard/build web/dashboard/build
+COPY --from=node-builder /authorizer/web/dashboard/favicon_io web/dashboard/favicon_io
+COPY --from=go-builder /authorizer/build/linux/${TARGETARCH}/authorizer ./authorizer
 COPY web/templates web/templates
 EXPOSE 8080 8081
-USER authorizer
-# ENTRYPOINT allows docker run args to be passed to the authorizer binary.
-# When extending this image with a shell-form CMD (e.g. to expand env vars for Railway),
-# override ENTRYPOINT in your Dockerfile: ENTRYPOINT ["/bin/sh", "-c"] so CMD runs in a shell.
+USER 65534
 ENTRYPOINT [ "./authorizer" ]
 CMD []

go.mod

@@ -1,6 +1,6 @@
 module github.com/authorizerdev/authorizer
 
-go 1.24.2
+go 1.25.5
 
 require (
 	github.com/99designs/gqlgen v0.17.73
@@ -11,6 +11,7 @@ require (
 	github.com/ekristen/gorm-libsql v0.0.0-20231101204708-6e113112bcc2
 	github.com/gin-gonic/gin v1.9.1
 	github.com/glebarez/sqlite v1.10.0
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/gocql/gocql v1.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0
@@ -28,7 +29,6 @@ require (
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.19.0
 	gopkg.in/mail.v2 v2.3.1
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gorm.io/driver/mysql v1.5.2
 	gorm.io/driver/postgres v1.5.4
 	gorm.io/driver/sqlserver v1.5.2

go.sum

@@ -98,6 +98,8 @@ github.com/glebarez/sqlite v1.10.0 h1:u4gt8y7OND/cCei/NMHmfbLxF6xP2wgKcT/BJf2pYk
 github.com/glebarez/sqlite v1.10.0/go.mod h1:IJ+lfSOmiekhQsFTJRx/lHtGYmCdtAiTaf5wI9u5uHA=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
@@ -444,8 +446,6 @@ gopkg.in/mail.v2 v2.3.1 h1:WYFn/oANrAGP2C0dcV6/pbkPzv8yGzqTjPmTeO7qoXk=
 gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
 gopkg.in/sourcemap.v1 v1.0.5 h1:inv58fC9f9J3TK2Y2R1NPntXEn3/wjWHkonhIUODNTI=
 gopkg.in/sourcemap.v1 v1.0.5/go.mod h1:2RlvNNSMglmRrcvhfuzp4hQHwOtjxlbjX7UPY/GXb78=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

internal/crypto/common.go

@@ -3,8 +3,8 @@ package crypto
 import (
 	"crypto/x509"
 
+	"github.com/go-jose/go-jose/v4"
 	"golang.org/x/crypto/bcrypt"
-	"gopkg.in/square/go-jose.v2"
 )
 
 // GetPubJWK returns JWK for given keys