FROM node:22-alpine AS base
RUN corepack enable && corepack prepare pnpm@10.8.1 --activate

FROM base AS deps
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile

FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .

ENV NEXT_TELEMETRY_DISABLED=1
# Provide placeholder build-time values so Next.js SSG doesn't crash on undefined URLs
# Real values are injected at runtime via docker-compose environment.
# NextAuth v5 uses AUTH_URL (not NEXTAUTH_URL) as its canonical base URL.
ARG NEXTAUTH_URL=http://localhost:3000
ARG AUTH_URL=http://localhost:3000
ARG NEXTAUTH_SECRET=build-time-placeholder-secret-minimum-32-chars
ARG AUTH_SECRET=build-time-placeholder-secret-minimum-32-chars
ARG BACKEND_URL=http://localhost:8080
ENV NEXTAUTH_URL=${NEXTAUTH_URL}
ENV AUTH_URL=${AUTH_URL}
ENV NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
ENV AUTH_SECRET=${AUTH_SECRET}
ENV BACKEND_URL=${BACKEND_URL}
RUN pnpm build

FROM base AS runner
WORKDIR /app

ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs

COPY --from=builder /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

USER nextjs

EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"

CMD ["node", "server.js"]