drop api keys on downloads (#149)

* refactor: rearrange and update Dockerfiles

* fix: disable api keys on download endpoints

docker/laravel-worker/Dockerfile

@@ -1,7 +1,7 @@
 FROM php:8.3-cli AS base
 
-COPY --from=composer:2.8.3 /usr/bin/composer /usr/bin/composer
-ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.5.2/install-php-extensions /usr/local/bin/
+COPY --from=composer:2.8.5 /usr/bin/composer /usr/bin/composer
+ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.7.14/install-php-extensions /usr/local/bin/
 
 RUN apt update && apt install -y bash git postgresql-client zip
 
@@ -33,7 +33,5 @@ RUN chown -R app:app /app
 
 USER app
 
-RUN composer install --no-dev --no-interaction --no-progress --optimize-autoloader --working-dir=/app
-
 RUN composer install --no-dev --no-interaction --no-progress --optimize-autoloader --working-dir=/app \
     && mkdir -p storage/logs storage/app/public storage/app/private storage/framework/sessions storage/framework/views storage/framework/cache/data

docker/webapp/Dockerfile

@@ -1,7 +1,7 @@
 FROM dunglas/frankenphp:1.4.1-php8.4.3-bookworm AS base
 
-COPY --from=composer:2.8.3 /usr/bin/composer /usr/bin/composer
-ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.5.2/install-php-extensions /usr/local/bin/
+COPY --from=composer:2.8.5 /usr/bin/composer /usr/bin/composer
+ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.7.14/install-php-extensions /usr/local/bin/
 
 RUN apt update && apt install -y bash zip
 
@@ -11,15 +11,18 @@ COPY ./docker/webapp/Caddyfile /etc/caddy/Caddyfile
 COPY ./docker/webapp/php.ini /usr/local/etc/php/php.ini
 
 # frankenphp sets XDG_CONFIG_HOME=/config and XDG_DATA_HOME=/data, and I won't change these in case they're hardwired
+
 RUN useradd --create-home --shell /bin/bash app \
-    && chown -R app:app /config /data
+    && chown -R app:app /config /data \
+    && apt update \
+    && apt install -y nodejs npm postgresql-client
 
 WORKDIR /app
 
 ################
 FROM base AS dev
 
-RUN apt update && apt install -y git nodejs npm postgresql-client
+RUN apt update && apt install -y git
 
 RUN install-php-extensions xdebug
 
@@ -34,8 +37,6 @@ FROM base AS prod
 COPY . /app
 RUN chown -R app:app /app
 
-RUN apt update && apt install -y nodejs npm
-
 USER app
 
 RUN composer install --no-dev --no-interaction --no-progress --optimize-autoloader --working-dir=/app \

routes/inc/download.php

@@ -9,11 +9,12 @@
 use Illuminate\Routing\Router;
 use Illuminate\Support\Facades\Route;
 
-$auth_middleware = config('app.aspirecloud.api_authentication_enable') ? ['auth:sanctum'] : [];
+// downloads can never require api keys, they're fetched by ordinary browser UI and by WP in places we don't hook.
+// $auth_middleware = config('app.aspirecloud.api_authentication_enable') ? ['auth:sanctum'] : [];
 $cache_seconds = config('app.aspirecloud.download.cache_seconds');
 $middleware = [
     "cache.headers:public;max_age=$cache_seconds", // we're streaming responses, so no etags
-    ...$auth_middleware,
+    // ...$auth_middleware,
 ];
 
 Route::prefix('/')