From cc0740d1581d7f005f55ad73c2413f32b76ffe92 Mon Sep 17 00:00:00 2001
From: Kavi
Date: Wed, 22 Apr 2026 03:39:37 -0400
Subject: [PATCH] fix(auth): inject admin token via nginx envsubst; use template conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Nginx injects Authorization header on all /api and /events proxied requests. Token supplied via KUA_ADMIN_TOKEN env var at container runtime — never in git.
Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 3 ++-
 docker-compose.yml | 2 ++
 nginx.conf => nginx.conf.template | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)
 rename nginx.conf => nginx.conf.template (89%)
diff --git a/Dockerfile b/Dockerfile
index b1e3e4d..9748863 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,5 +7,6 @@ RUN npm run build
 FROM nginx:alpine
 COPY --from=build /app/dist /usr/share/nginx/html
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+# nginx official image runs envsubst on /etc/nginx/templates/*.template → /etc/nginx/conf.d/
+COPY nginx.conf.template /etc/nginx/templates/default.conf.template
 EXPOSE 80
diff --git a/docker-compose.yml b/docker-compose.yml
index d0094e9..2c64241 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,6 +3,8 @@ services:
 build: .
 container_name: kuamail
 restart: unless-stopped
+ environment:
+ - KUA_MAIL_ADMIN_TOKEN=${KUA_ADMIN_TOKEN}
 networks:
 - production_proxy
 - kua-services
diff --git a/nginx.conf b/nginx.conf.template
similarity index 89%
rename from nginx.conf
rename to nginx.conf.template
index 855b104..3841b63 100644
--- a/nginx.conf
+++ b/nginx.conf.template
@@ -9,6 +9,7 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Authorization "Bearer ${KUA_MAIL_ADMIN_TOKEN}";
 proxy_buffering off;
 proxy_read_timeout 600s;
 proxy_http_version 1.1;
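Review bot: In the added `environment:` entry, `${KUA_ADMIN_TOKEN}` is interpolated by Compose with no required-variable guard, so an unset or empty host variable yields an empty KUA_MAIL_ADMIN_TOKEN and nginx will render `Authorization "Bearer "` instead of refusing to start. I would write `- KUA_MAIL_ADMIN_TOKEN=${KUA_ADMIN_TOKEN:?KUA_ADMIN_TOKEN must be set}` so that `docker compose up` fails when the token is missing. The value is also readable through `docker inspect` and the container's environment, so a comment above the entry such as `# admin credential; supplied from the host environment, never committed` would help the next maintainer treat it accordingly.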
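Review bot: The added `proxy_set_header Authorization "Bearer ${KUA_MAIL_ADMIN_TOKEN}";` attaches the admin credential to every request that reaches this location and replaces whatever Authorization header the client sent, so the backend can no longer tell callers apart; the same line is added in the second hunk (`@@ -21,6 +22,7 @@`). Nothing in the visible lines restricts who may reach these locations, though the `location` blocks open outside the hunks, so a guard may exist there or in the proxy in front. If none exists, every client that can reach port 80 is treated as admin, so I would gate both locations (for example with `auth_request` or `allow`/`deny`) and add a comment such as `# admin token injected here: location must only be reachable by authenticated users`. Because the token is rendered into the config as a quoted string, a value containing `"`, `$` or `;` would break or alter the directive, which is worth stating next to the line.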
@@ -21,6 +22,7 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Authorization "Bearer ${KUA_MAIL_ADMIN_TOKEN}";
 proxy_buffering off;
 proxy_read_timeout 600s;
 proxy_http_version 1.1;