viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fire-planner / k8s-portal / insta2spotify: revert auth=public to auth=none

Browse source 
The Phase 4 audit promoted three "smoke-test candidates" from `protected = false`
to `auth = "public"`, but all three are XHR / curl-driven endpoints (fetch()
calls, automation scripts) that don't survive the 302+cookie redirect dance
that the public-auto-login flow requires on first visit. fire-planner's SPA
broke immediately — every fetch() to /api/* hit a cross-origin redirect and
CORS preflight rejected it.

Important learning for the `auth = "public"` design:

  `auth = "public"` is functionally equivalent to a normal Authentik forward-auth
  for the FIRST request — it issues a 302 to authentik to set a guest session
  cookie, then 302s back. This is invisible for top-level browser navigation
  but BREAKS:
    - XHR/fetch() under CORS preflight (preflight rejects redirects)
    - curl/automation scripts that don't preserve cookies across requests
    - Mobile / native clients that can't follow OAuth-style redirects

  Use `auth = "public"` only for top-level HTML pages where the user navigates
  via the browser address bar (or links). For XHR APIs, native-client surfaces,
  webhooks, OAuth callbacks — use `auth = "none"`.

The plan's "smoke test 3 candidates" were misjudged on this front. Reverting
all three to `auth = "none"` (their previous behaviour). The end-to-end public
flow IS verified working via curl + flow API — the design is sound, just the
test targets were wrong.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-10 18:59:31 +00:00
parent faad99cff3
commit 09f83b4e83
3 changed files with 17 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
stacks/k8s-portal/modules/k8s-portal/main.tf
View file

@ -159,7 +159,9 @@ module "ingress" {
}
}
# Unprotected ingress for the setup script and agent endpoint (needs to be curl-able without auth)
# Unprotected ingress for the setup script and agent endpoint (needs to be
# curl-able without auth). `auth = "public"` would 302+cookie-dance on
# first visit, breaking automation that doesn't preserve cookies.
module "ingress_setup_script" {
source = "../../../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
@ -168,5 +170,5 @@ module "ingress_setup_script" {
service_name = "k8s-portal"
ingress_path = ["/setup/script", "/agent"]
tls_secret_name = var.tls_secret_name
auth = "public"
auth = "none"
}