Address Sonar warnings and harden runtime

Dockerfile

@@ -45,6 +45,8 @@ RUN apt-get update \
       /var/lib/apt/lists/* \
       /var/tmp/*
 
+RUN useradd -ms /bin/bash fgc
+
 # RUN node --version
 # RUN npm --version
 
@@ -61,10 +63,16 @@ RUN npm install
 # From 1.38 Playwright will no longer install browser automatically for playwright, but apparently still for playwright-firefox: https://github.com/microsoft/playwright/releases/tag/v1.38.0
 # RUN npx playwright install firefox
 
-COPY . .
+# Only copy the files we actually need in the image to avoid accidentally adding secrets.
+COPY *.js ./
+COPY eslint.config.js jsconfig.json sonar-project.properties ./
+COPY src ./src
+COPY test ./test
+COPY docker-entrypoint.sh ./
 
 # Shell scripts need Linux line endings. On Windows, git might be configured to check out dos/CRLF line endings, so we convert them for those people in case they want to build the image. They could also use --config core.autocrlf=input
 RUN dos2unix ./*.sh && chmod +x ./*.sh
+RUN chown -R fgc:fgc /fgc
 COPY docker-entrypoint.sh /usr/local/bin/
 
 ARG COMMIT=""
@@ -87,8 +95,9 @@ LABEL org.opencontainers.image.title="free-games-claimer" \
 # Configure VNC via environment variables:
 ENV VNC_PORT 5900
 ENV NOVNC_PORT 6080
-EXPOSE 5900
-EXPOSE 6080
+# Ports are not exposed by default; publish explicitly with -p when you really need GUI access.
+# EXPOSE 5900
+# EXPOSE 6080
 
 # Configure Xvfb via environment variables:
 ENV WIDTH 1920
@@ -98,6 +107,8 @@ ENV DEPTH 24
 # Show browser instead of running headless
 ENV SHOW 1
 
+USER fgc
+
 # Script to setup display server & VNC is always executed.
 ENTRYPOINT ["docker-entrypoint.sh"]
 # Default command to run. This is replaced by appending own command, e.g. `docker run ... node prime-gaming` to only run this script.