tripit: Shell auth surface — tripit-app OAuth2 provider + bearer-only tripit-api host
Some checks failed
ci/woodpecker/push/default Pipeline failed
ci/woodpecker/push/build-cli Pipeline was successful

Viktor is adding the Android APK (Capacitor Shell) for TripIt. The Shell
cannot use the browser's forward-auth cookie dance, so per tripit ADR-0017
it logs in with OIDC Code+PKCE and calls the API with bearer JWTs:

- authentik.tf: tripit-app OAuth2 provider (public client + PKCE — an APK
  holds no secret), custom-scheme redirect me.viktorbarzin.tripit://callback,
  RS256, 1h access / 90d refresh (offline_access mapping attached so refresh
  tokens are issued), plus the TripIt App application.
- main.tf: new ingress host tripit-api.viktorbarzin.me -> same tripit
  Service, no forward-auth (backend validates the JWTs itself once tripit
  AUTH_MODE=hybrid lands — slice 2), inbound X-authentik-* deleted via the
  existing traefik strip-auth-headers middleware so the header fallback can
  never be spoofed through this host.

Closes nothing here; tracked as viktor/tripit#49.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-12 08:47:46 +00:00
parent b985686661
commit c5631cff74
2 changed files with 103 additions and 0 deletions


@ -820,3 +820,22 @@ module "ingress_planner_slack" {
port = 8080
tls_secret_name = var.tls_secret_name
}
# Bearer-only API host for the native Shell (tripit ADR-0017, viktor/tripit#49).
# auth = "none": the backend itself validates OIDC bearer JWTs from the
# tripit-app Authentik provider (AUTH_MODE=hybrid, tripit slice 2) a WebView
# client can't do the forward-auth cookie dance, and CORS preflights would die
# at the outpost. strip-auth-headers deletes inbound X-authentik-* so the
# hybrid fallback header can never be spoofed through this host.
module "ingress_api" {
source = "../../modules/kubernetes/ingress_factory"
auth = "none"
anti_ai_scraping = false
dns_type = "proxied"
namespace = kubernetes_namespace.tripit.metadata[0].name
name = "tripit-api"
service_name = "tripit"
port = 8080
tls_secret_name = var.tls_secret_name
extra_middlewares = ["traefik-strip-auth-headers@kubernetescrd"]
}
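Review bot: `auth = "none"` on `ingress_api` exposes the same `tripit` Service without any gateway authentication from the moment this applies, while the comment above the module says the backend only validates bearer JWTs once `AUTH_MODE=hybrid` (slice 2) lands; until then `tripit-api.viktorbarzin.me` is an unauthenticated path to a service that the existing host protects with forward-auth. Consider gating the module until slice 2 ships (a `count`/feature variable on the module, or landing the two together), and note that the protection relies entirely on `traefik-strip-auth-headers@kubernetescrd` existing and being applied before the backend sees the request, so it is worth verifying that middleware is actually bound on this route after apply. Minor: the module comment runs two sentences together ("... tripit slice 2) a WebView client can't ..."); a period or "because" after the parenthesis would make the rationale read correctly.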