The default Docker image symlinked /romm/assets into the nginx static web
root (/assets/romm/assets), where it was served by an unauthenticated
`location /assets { try_files ... }` block. /romm/assets holds private user
data (save files, save states, screenshots, avatars) that is meant to be
accessible only through the authenticated /api/raw/assets/{path} route
(Scope.ASSETS_READ). The static symlink bypassed that protection, letting any
unauthenticated caller read another user's files given a (guessable) path.
Avatar URLs leaked the hex user ID through the same static route, making path
construction straightforward.

Fix:
- Drop the /romm/assets symlink from the Docker image build and both
entrypoint scripts; only /romm/resources (public cover art, screenshots,
manuals) remains statically served.
- Point the frontend avatar URLs at the authenticated /api/raw/assets/ route
instead of /assets/romm/assets/. Browser <img> loads authenticate via the
existing session cookie.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

When using a custom ROMM_BASE_PATH, the symbolic links used by nginx to
serve assets were not being updated to point to the correct location,
and always used the default `/romm` base path.
This change introduces a fix in the `docker-entrypoint.sh` script, so
those symbolic links are updated to point to the correct location set by
the `ROMM_BASE_PATH` environment variable.
Fixes #1626.

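The two commits above describe two properties of the nginx static root: it must honour `ROMM_BASE_PATH` rather than a hard-coded `/romm`, and it must never link the private assets directory. The script below is an added example, not RomM's own entrypoint or nginx configuration; it links only the public resources directory and then audits the static root so that no symlink resolves into `${ROMM_BASE_PATH}/assets`. The directory layout, the `romm/` subdirectory under the static root and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not RomM's own entrypoint or nginx configuration. The static
# root links only the public resources directory (honouring ROMM_BASE_PATH
# instead of a hard-coded /romm), and an audit fails if anything under the
# static root resolves into the private assets directory.
# Directory layout and function names are assumptions for illustration.

# link_static_dirs STATIC_ROOT BASE_PATH
# Creates STATIC_ROOT/romm/resources -> BASE_PATH/resources and removes any
# STATIC_ROOT/romm/assets link left behind by an older image.
link_static_dirs() {
  static_root="$1"
  base_path="${2:-/romm}"
  mkdir -p "$static_root/romm"
  # Remove first: "ln -s" onto an existing directory link would create the
  # new link inside the old target instead of replacing it.
  rm -f "$static_root/romm/resources"
  ln -s "$base_path/resources" "$static_root/romm/resources"
  # Save files, states, avatars: reachable only via the authenticated API route.
  rm -f "$static_root/romm/assets"
}

# audit_static_root STATIC_ROOT BASE_PATH
# Returns 0 when no symlink below STATIC_ROOT resolves inside BASE_PATH/assets,
# 1 (listing the offenders on stderr) otherwise.
audit_static_root() {
  static_root="$1"
  private_dir="${2:-/romm}/assets"
  # Canonicalise so the comparison still works when the base path itself
  # contains symlinks (e.g. /var -> /private/var).
  private_dir=$(readlink -f "$private_dir" 2>/dev/null || echo "$private_dir")
  offenders=$(find "$static_root" -type l | while IFS= read -r link; do
    target=$(readlink -f "$link" 2>/dev/null || readlink "$link")
    case "$target" in
      "$private_dir"|"$private_dir"/*) echo "$link -> $target" ;;
    esac
  done)
  if [ -n "$offenders" ]; then
    printf 'private data reachable from static root:\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Usage demo with a constructed layout under a temporary directory.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/data/resources" "$tmp/data/assets/users" "$tmp/www/romm"
  ln -s "$tmp/data/assets" "$tmp/www/romm/assets"   # stale link from an older image
  link_static_dirs "$tmp/www" "$tmp/data"
  audit_static_root "$tmp/www" "$tmp/data" && echo "audit: static root clean"
  rm -rf "$tmp"
}
demo
```

The audit is the part worth keeping around: run it against the container's web root after every image rebuild, since a symlink added by a base-image change or a later entrypoint edit reintroduces the bypass without any change to the `location` blocks themselves.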
Using the `envsubst` command, we can replace environment variables in
the nginx template files. This allows for more flexibility when
configuring the nginx server.
The Docker image we use as base for Nginx does provide the
`20-envsubst-on-templates.sh` script that will replace environment
variables in the template files.
This change does not include any behavior change, but unblocks future
changes that require environment variables in the nginx configuration.

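One caveat with running `envsubst` over nginx templates is that nginx's own runtime variables (`$uri`, `$host`, ...) use the same syntax, so a colliding environment variable would be substituted into the config. The script below is an added example, not the nginx image's own `20-envsubst-on-templates.sh`; it uses envsubst's SHELL-FORMAT argument to substitute only an explicit list of names. The template text and the variable names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the nginx image's own 20-envsubst-on-templates.sh. It
# renders an nginx template with envsubst while substituting only an explicit
# list of variables, so nginx's own $uri / $host style variables in the
# template survive even if an environment variable of the same name exists.
# The template text and variable names are constructed for illustration.

# render_template TEMPLATE OUTPUT NAME...
# Substitutes ${NAME} / $NAME for each listed NAME only.
render_template() {
  template="$1"
  output="$2"
  shift 2
  command -v envsubst >/dev/null 2>&1 || {
    echo "envsubst (gettext) is not installed" >&2
    return 1
  }
  allow=""
  for name in "$@"; do
    allow="$allow \${$name}"
  done
  # envsubst's SHELL-FORMAT argument restricts substitution to the listed names.
  envsubst "$allow" < "$template" > "$output"
}

# Usage demo: a constructed template mixing a deployment variable with an nginx
# runtime variable. Only ROMM_BASE_PATH is rendered; $uri is left for nginx.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/default.conf.template" <<'EOF'
location /assets/romm/resources {
    alias ${ROMM_BASE_PATH}/resources;
    try_files $uri =404;
}
EOF
  ROMM_BASE_PATH=/data/romm
  export ROMM_BASE_PATH
  render_template "$tmp/default.conf.template" "$tmp/default.conf" ROMM_BASE_PATH \
    && cat "$tmp/default.conf"
  rm -rf "$tmp"
}
command -v envsubst >/dev/null 2>&1 && demo
```

The nginx image's script achieves a similar effect by building the list from the variables that are actually defined in the environment (optionally filtered by a prefix), which is why exporting a variable with the same name as an nginx variable is the case to watch for; an explicit allowlist makes the rendered output independent of whatever else happens to be in the container's environment.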
This change allows setting environment variables with a `_FILE` suffix,
which will be used to load the contents of the file specified in the
variable into the variable without the suffix.
For example, setting `ROMM_AUTH_SECRET_KEY_FILE=/run/secrets/romm_auth_secret_key`
and creating a file with the secret key at the specified path will set
`ROMM_AUTH_SECRET_KEY` to the contents of the file.
A common use case for this is to use secrets in Docker Compose [1], to
avoid exposing secrets in the `docker-compose.yml` or `env` files.
[1] https://docs.docker.com/compose/how-tos/use-secrets/