Fix OAuth file permissions automatically on Docker startup

2026-03-07 10:03:19 +00:00 · 2026-03-06 23:32:44 +03:00
parent a7261c2fbe
commit fa75cef03c
3 changed files with 38 additions and 3 deletions
--- a/4
+++ b/4
@@ -67,11 +67,13 @@ RUN npm install --omit=dev --no-package-lock
 COPY --from=builder /app/.next ./.next
 COPY --from=builder /app/next.config.mjs ./next.config.mjs
 COPY --from=builder /app/bundled-skills ./bundled-skills
+COPY --from=builder /app/scripts/docker-entrypoint.sh ./scripts/docker-entrypoint.sh

 RUN mkdir -p /app/data/tmp /app/data/ms-playwright /app/data/npm-cache /app/data/.cache \
+  && chmod +x /app/scripts/docker-entrypoint.sh \
  && chown -R node:node /app "${PYTHON_VENV}"

 USER node
 EXPOSE 3000

-CMD ["npm", "run", "start"]
+CMD ["/app/scripts/docker-entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -262,8 +262,8 @@ Use one host consistently. Browser storage/cookies are origin-scoped.
 Run `docker compose logs --tail 200 app` and verify `.env` values.

 3. Codex/Gemini OAuth says "token file was not found" on VPS  
-Eggent reads OAuth files from the runtime user home (for Docker default user this is `/home/node`).
-Run CLI login as that same user (`docker compose exec -u node app codex login`, `docker compose exec -u node app gemini`) or set `CODEX_AUTH_FILE` / `GEMINI_OAUTH_CREDS_FILE` / `GEMINI_SETTINGS_FILE` in `.env`.
+Eggent auto-discovers OAuth files in common home directories and in `data/.codex` + `data/.gemini`.
+For Docker, place files in `data/.codex/auth.json`, `data/.gemini/oauth_creds.json`, `data/.gemini/settings.json`, then recreate container (`docker compose up -d --build --force-recreate app`) so startup hook can normalize file permissions for `node`.

 4. Linux Docker permissions issues  
 Try with `sudo docker ...` or add your user to the `docker` group.
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+fix_auth_dir() {
+  local dir="$1"
+  if [[ ! -d "$dir" ]]; then
+    return 0
+  fi
+
+  # data/ can be bind-mounted with root ownership from host;
+  # fix only OAuth directories to keep startup fast and scoped.
+  sudo chown node:node "$dir" >/dev/null 2>&1 || true
+  sudo chmod 700 "$dir" >/dev/null 2>&1 || true
+}
+
+fix_auth_file() {
+  local file_path="$1"
+  if [[ ! -f "$file_path" ]]; then
+    return 0
+  fi
+
+  sudo chown node:node "$file_path" >/dev/null 2>&1 || true
+  sudo chmod 600 "$file_path" >/dev/null 2>&1 || true
+}
+
+fix_auth_dir "/app/data/.codex"
+fix_auth_dir "/app/data/.gemini"
+
+fix_auth_file "/app/data/.codex/auth.json"
+fix_auth_file "/app/data/.gemini/oauth_creds.json"
+fix_auth_file "/app/data/.gemini/settings.json"
+
+exec npm run start