Merge branch 'main' into lobby-chat-panel

Author: Phantasm0009

.dockerignore

@@ -9,7 +9,8 @@ LICENSE
 .vscode
 Makefile
 helm-charts
-.env
+.env*
 .editorconfig
 .idea
 coverage*
+tests/

.github/workflows/deploy.yml

@@ -84,11 +84,12 @@ jobs:
           token: ${{ steps.generate-token.outputs.token }}
           environment-url: https://${{ env.FQDN }}
           environment: ${{ inputs.target_domain == 'openfront.io' && 'prod' || 'staging' }}
-      - name: 🔗 Log in to Docker Hub
+      - name: 🔗 Log in to GHCR
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
       - name: 🔑 Create SSH private key
         env:
           SERVER_HOST_MASTERS: ${{ secrets.SERVER_HOST_MASTERS }}
@@ -105,21 +106,14 @@ jobs:
           chmod 600 ~/.ssh/id_rsa
       - name: 🚢 Deploy
         env:
-          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-          DOCKER_REPO: ${{ vars.DOCKERHUB_REPO }}
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           ENV: ${{ inputs.target_domain == 'openfront.io' && 'prod' || 'staging' }}
           HOST: ${{ github.event_name == 'workflow_dispatch' && inputs.target_host || 'staging' }}
-          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
-          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
-          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
           OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
           OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
-          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
-          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
           TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
           API_KEY: ${{ secrets.API_KEY }}
           SERVER_HOST_MASTERS: ${{ secrets.SERVER_HOST_MASTERS }}

.github/workflows/release.yml

@@ -19,12 +19,13 @@ jobs:
       - name: 🔗 Log in to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
       - id: build
         env:
-          DOCKER_REPO: openfront-prod
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: openfront-prod
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           RELEASE_BODY: ${{ github.event.release.body }}
           RELEASE_NAME: ${{ github.event.release.name }}
           RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
@@ -63,21 +64,14 @@ jobs:
           chmod 600 ~/.ssh/id_rsa
       - name: 🚀 Deploy image
         env:
-          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-          DOCKER_REPO: openfront-prod
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: openfront-prod
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           DOMAIN: ${{ vars.DOMAIN }}
           IMAGE_ID: ${{ needs.build.outputs.IMAGE_ID }}
-          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
-          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
-          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
           OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
           OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
-          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
-          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
           TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
           API_KEY: ${{ secrets.API_KEY }}
           SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
@@ -121,21 +115,14 @@ jobs:
           chmod 600 ~/.ssh/id_rsa
       - name: 🚀 Deploy image
         env:
-          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-          DOCKER_REPO: ${{ vars.DOCKERHUB_REPO }}
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           DOMAIN: ${{ vars.DOMAIN }}
           IMAGE_ID: ${{ needs.build.outputs.IMAGE_ID }}
-          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
-          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
-          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
           OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
           OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
-          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
-          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
           TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
           API_KEY: ${{ secrets.API_KEY }}
           SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
@@ -179,21 +166,14 @@ jobs:
           chmod 600 ~/.ssh/id_rsa
       - name: 🚀 Deploy image
         env:
-          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-          DOCKER_REPO: ${{ vars.DOCKERHUB_REPO }}
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           DOMAIN: ${{ vars.DOMAIN }}
           IMAGE_ID: ${{ needs.build.outputs.IMAGE_ID }}
-          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
-          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
-          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
           OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
           OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
-          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
-          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
           TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
           API_KEY: ${{ secrets.API_KEY }}
           SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
@@ -237,21 +217,14 @@ jobs:
           chmod 600 ~/.ssh/id_rsa
       - name: 🚀 Deploy image
         env:
-          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
           CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
-          DOCKER_REPO: ${{ vars.DOCKERHUB_REPO }}
-          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+          GHCR_REPO: ${{ vars.GHCR_REPO }}
+          GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
           DOMAIN: ${{ vars.DOMAIN }}
           IMAGE_ID: ${{ needs.build.outputs.IMAGE_ID }}
-          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
-          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
-          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
           OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
           OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
-          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
-          R2_BUCKET: ${{ secrets.R2_BUCKET }}
-          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
           TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
           API_KEY: ${{ secrets.API_KEY }}
           SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}

CREDITS.md

@@ -49,3 +49,4 @@ Copyright © opentopography.org. All Rights Reserved. [Terms of Use](https://ope
 ### [The Noun Project](https://thenounproject.com/)
 
 Stats icon by [Meko](https://thenounproject.com/mekoda/) – https://thenounproject.com/icon/stats-4942475/
+Pay Per Click icon by [Fauzan Adiima](https://thenounproject.com/creator/fauzan94/) – https://thenounproject.com/icon/pay-per-click-2586454/

Dockerfile

@@ -1,98 +1,96 @@
 # Use an official Node runtime as the base image
 FROM node:24-slim AS base
-# Set the working directory in the container
 WORKDIR /usr/src/app
 
-# Create dependency layer
-FROM base AS dependencies
-RUN apt-get update && apt-get install -y \
-    nginx \
-    git \
-    curl \
-    jq \
-    wget \
-    apache2-utils \
-    && rm -rf /var/lib/apt/lists/*
-
-# Update worker_connections in the existing nginx.conf
-RUN sed -i 's/worker_connections [0-9]*/worker_connections 8192/' /etc/nginx/nginx.conf
+# Build stage - install ALL dependencies and build
+FROM base AS build
+ENV HUSKY=0
+# Copy package files first for better caching
+COPY package*.json ./
+RUN --mount=type=cache,target=/root/.npm \
+    npm ci
+
+# Copy only what's needed for build
+COPY tsconfig.json ./
+COPY tsconfig.jest.json ./
+COPY webpack.config.js ./
+COPY tailwind.config.js ./
+COPY postcss.config.js ./
+COPY eslint.config.js ./
+COPY resources ./resources
+COPY proprietary ./proprietary
+COPY src ./src
 
-FROM dependencies AS build
 ARG GIT_COMMIT=unknown
 ENV GIT_COMMIT="$GIT_COMMIT"
-# Disable Husky hooks
-ENV HUSKY=0
-# Copy package.json and package-lock.json
-COPY package*.json ./
-# Install dependencies
-RUN npm ci
-# Copy the rest of the application code
-COPY . .
-# Build the client-side application
 RUN npm run build-prod
-# So we can see which commit was used to build the container
-# https://openfront.io/commit.txt
-RUN echo "$GIT_COMMIT" > static/commit.txt
-
-# Remove maps data from final image
-FROM base AS prod-files
-COPY . .
-RUN rm -rf resources/maps
 
-FROM dependencies AS npm-dependencies
-# Disable Husky hooks
+# Production dependencies stage - separate from build
+FROM base AS prod-deps
 ENV HUSKY=0
 ENV NPM_CONFIG_IGNORE_SCRIPTS=1
-# Copy package.json and package-lock.json
 COPY package*.json ./
-# Install dependencies
-RUN npm ci --omit=dev
+RUN --mount=type=cache,target=/root/.npm \
+    npm ci --omit=dev
 
-# Final image
+# Final production image
 FROM base
-ARG GIT_COMMIT=unknown
-ENV GIT_COMMIT="$GIT_COMMIT"
+
+# Install system dependencies
 RUN apt-get update && apt-get install -y \
     nginx \
-    supervisor \
     curl \
+    jq \
+    wget \
+    supervisor \
+    apache2-utils \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy installed packages from dependencies stage
 RUN curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb > cloudflared.deb \
     && dpkg -i cloudflared.deb \
     && rm cloudflared.deb
 
-# Copy Nginx configuration and ensure it's used instead of the default
-COPY nginx.conf /etc/nginx/conf.d/default.conf
-RUN rm -f /etc/nginx/sites-enabled/default
-COPY --from=dependencies /etc/nginx/nginx.conf /etc/nginx/nginx.conf
-
-# Copy npm dependencies
-COPY --from=npm-dependencies /usr/src/app/node_modules node_modules
-COPY package.json .
-
-# Copy the rest of the application code
-COPY --from=prod-files /usr/src/app/ /usr/src/app/
+# Update worker_connections in nginx.conf
+RUN sed -i 's/worker_connections [0-9]*/worker_connections 8192/' /etc/nginx/nginx.conf
 
-# Copy frontend
-COPY --from=build /usr/src/app/static static
+# Create cloudflared directory with proper permissions
+RUN mkdir -p /etc/cloudflared && \
+    chown -R node:node /etc/cloudflared && \
+    chmod -R 755 /etc/cloudflared
 
 # Setup supervisor configuration
 RUN mkdir -p /var/log/supervisor
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
+# Copy Nginx configuration
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+RUN rm -f /etc/nginx/sites-enabled/default
+
 # Copy and make executable the startup script
 COPY startup.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/startup.sh
 
-RUN mkdir -p /etc/cloudflared && \
-    chown -R node:node /etc/cloudflared && \
-    chmod -R 755 /etc/cloudflared
+# Copy production node_modules from prod-deps stage (cached separately from build)
+COPY --from=prod-deps /usr/src/app/node_modules ./node_modules
+COPY package*.json ./
+
+# Copy built artifacts from build stage
+COPY --from=build /usr/src/app/static ./static
+
+COPY resources ./resources
+
+# Remove maps because they are not used by the server.
+RUN rm -rf ./resources/maps
+COPY tsconfig.json ./
+COPY src ./src
 
-# Set Cloudflared config directory to a volume mount location
+
+ARG GIT_COMMIT=unknown
+RUN echo "$GIT_COMMIT" > static/commit.txt
+
+ENV GIT_COMMIT="$GIT_COMMIT"
 ENV CF_CONFIG_PATH=/etc/cloudflared/config.yml
 ENV CF_CREDS_PATH=/etc/cloudflared/creds.json
 
 # Use the startup script as the entrypoint
-ENTRYPOINT ["/usr/local/bin/startup.sh"]
+ENTRYPOINT ["/usr/local/bin/startup.sh"]

README.md

@@ -57,9 +57,11 @@ For license history, see [LICENSING.md](LICENSING.md).
 2. **Install dependencies**
 
    ```bash
-   npm i
+   npm run inst
    ```
 
+   Do NOT use `npm install` nor `npm i` but instead use our `npm run inst`. It runs the safer `npm ci --ignore-scripts` to install dependencies exactly according to the versions in `package-lock.json` and doesn't run scripts. This can prevent being hit by a supply chain attack.
+
 ## 🎮 Running the Game
 
 ### Development Mode