viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fire-planner / k8s-portal / insta2spotify: revert auth=public to auth=none

Browse source 
The Phase 4 audit promoted three "smoke-test candidates" from `protected = false`
to `auth = "public"`, but all three are XHR / curl-driven endpoints (fetch()
calls, automation scripts) that don't survive the 302+cookie redirect dance
that the public-auto-login flow requires on first visit. fire-planner's SPA
broke immediately — every fetch() to /api/* hit a cross-origin redirect and
CORS preflight rejected it.

Important learning for the `auth = "public"` design:

  `auth = "public"` is functionally equivalent to a normal Authentik forward-auth
  for the FIRST request — it issues a 302 to authentik to set a guest session
  cookie, then 302s back. This is invisible for top-level browser navigation
  but BREAKS:
    - XHR/fetch() under CORS preflight (preflight rejects redirects)
    - curl/automation scripts that don't preserve cookies across requests
    - Mobile / native clients that can't follow OAuth-style redirects

  Use `auth = "public"` only for top-level HTML pages where the user navigates
  via the browser address bar (or links). For XHR APIs, native-client surfaces,
  webhooks, OAuth callbacks — use `auth = "none"`.

The plan's "smoke test 3 candidates" were misjudged on this front. Reverting
all three to `auth = "none"` (their previous behaviour). The end-to-end public
flow IS verified working via curl + flow API — the design is sound, just the
test targets were wrong.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-10 18:59:31 +00:00
parent faad99cff3
commit 09f83b4e83
3 changed files with 17 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
stacks/insta2spotify/main.tf
View file

@ -248,7 +248,9 @@ module "ingress" {
}
}
# API ingress unprotected (API key auth handled by backend)
# API ingress unprotected (API key auth handled by backend). XHR-based
# endpoints; `auth = "public"` would 302+cookie-dance and break CORS
# preflight, so we stay at `auth = "none"`.
module "ingress_api" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.insta2spotify.metadata[0].name
@ -256,7 +258,7 @@ module "ingress_api" {
host = "insta2spotify"
service_name = "insta2spotify"
tls_secret_name = var.tls_secret_name
auth = "public"
auth = "none"
ingress_path = ["/api/identify", "/api/auth", "/api/health", "/api/history"]
max_body_size = "50m"
}