From 81d4ec2c97a73916e804a98c2bc33bc773788f83 Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Tue, 12 May 2026 16:05:48 +0300
Subject: [PATCH] fix(web): ensure dataprotection-keys dir is owned by app user before switching USER The volume mount /app/dataprotection-keys was created under root:root permissions on the host. When the container restarted with the 1.15.0 image, the non-root app user (uid=1654) could no longer read/write DataProtection keys, causing every request to fail with UnauthorizedAccessException and fall back to the generic /Error page. Add RUN chown during the final Docker stage so the directory ownership matches the runtime user before USER $APP_UID takes effect.
---
 src/GmRelay.Web/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/GmRelay.Web/Dockerfile b/src/GmRelay.Web/Dockerfile
index e73a6f1..acdca55 100644
--- a/src/GmRelay.Web/Dockerfile
+++ b/src/GmRelay.Web/Dockerfile
@@ -20,6 +20,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble AS final
 WORKDIR /app
 RUN apt-get update && apt-get install -y --no-install-recommends libgssapi-krb5-2 && rm -rf /var/lib/apt/lists/*
 COPY --from=build /app/publish .
+RUN mkdir -p /app/dataprotection-keys && chown -R $APP_UID:$APP_UID /app/dataprotection-keys
 ENV ASPNETCORE_URLS=http://+:8080
 EXPOSE 8080
 USER $APP_UID
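Review bot: The added `RUN mkdir -p /app/dataprotection-keys && chown -R $APP_UID:$APP_UID /app/dataprotection-keys` only sets ownership in the image layer, so it cannot repair a directory that is hidden by a mount. Docker copies image ownership into a named volume only when that volume is empty on first use, while a bind mount or an already-populated volume keeps the root:root ownership the description reports. If the affected deployments reuse the existing volume (inferred from the description; the run/compose configuration is not visible here), they still need a one-time ownership fix on the volume itself, which is worth recording beside this line, e.g. `# Seeds ownership for new, empty named volumes only; existing volumes and bind mounts must be chowned to APP_UID outside the image.` Because this directory holds the ASP.NET Core Data Protection key ring, I would also create it owner-only and quote the variable: `RUN install -d -m 0700 -o "$APP_UID" -g "$APP_UID" /app/dataprotection-keys`. The final stage continues outside the hunk, so whether anything later changes the directory's mode or ownership cannot be checked from here.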