From e5bb16e02accdacdc013a519ad6763c4c026faba Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 19 Jun 2026 06:06:43 +0000
Subject: [PATCH] =?UTF-8?q?feat(tripit):=20activate=20TripIt-native=20sess?=
 =?UTF-8?q?ion=20auth=20=E2=80=94=20signing=20key=20+=20Authentik=20web=20?=
 =?UTF-8?q?redirect=20(ADR-0028=20#90)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds SESSION_SIGNING_KEY (Vault secret/tripit -> tripit-secrets ExternalSecret -> env_from) so TripIt's own session JWTs are signed with a real key (the app fails closed under the dev default until this lands), and adds the website OIDC redirect URI https://tripit.viktorbarzin.me/api/auth/callback/authentik to the public tripit-app provider so 'Log in with Authentik' works. Reuses the Shell's existing public OAuth2 app.

Co-Authored-By: Claude Opus 4.8
---
 stacks/tripit/authentik.tf | 7 +++++++
 stacks/tripit/main.tf | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/stacks/tripit/authentik.tf b/stacks/tripit/authentik.tf
index 6b2a9921..a426101a 100644
--- a/stacks/tripit/authentik.tf
+++ b/stacks/tripit/authentik.tf
@@ -65,6 +65,13 @@ resource "authentik_provider_oauth2" "tripit_app" {
 matching_mode = "strict"
 url = "me.viktorbarzin.tripit://callback"
 },
+ {
+ # "Log in with Authentik" on the website: TripIt is the OIDC client and
+ # mints its own session on callback (tripit ADR-0028, #90). Same public
+ # tripit-app provider as the Shell — just the web redirect URI added.
+ matching_mode = "strict"
+ url = "https://tripit.viktorbarzin.me/api/auth/callback/authentik"
+ },
 ]
 
 access_token_validity = "hours=1"
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index ced66a04..d2acbf7d 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
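Review bot: The new https callback is added to the same public (secret-less) provider the mobile Shell uses, yet `/api/auth/callback/authentik` is a server-side endpoint that could hold a client secret, so the web login is bound only by redirect-URI matching plus whatever PKCE/state handling the app does. The provider's `client_type` and PKCE settings sit outside this hunk; confirm the web flow sends and verifies `state` and a PKCE `code_verifier`, or give the website its own confidential provider rather than widening the public one. `matching_mode = "strict"` is the right choice here, and the comment could say why so nobody relaxes it later: `# strict: the https callback must match byte-for-byte, no regex/prefix matching on web redirects.` The enclosing `authentik_provider_oauth2` resource starts and ends outside the hunk.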
@@ -216,6 +216,10 @@ resource "kubernetes_manifest" "external_secret" {
 }
 }
 data = [
+ # HS256 key signing TripIt's OWN session JWTs (tripit ADR-0028, #90).
+ # Delivered via env_from -> SESSION_SIGNING_KEY env; the app fails closed
+ # (TripIt sessions disabled) until this real key replaces the dev default.
+ { secretKey = "SESSION_SIGNING_KEY", remoteRef = { key = "tripit", property = "SESSION_SIGNING_KEY" } },
 { secretKey = "VAPID_PUBLIC_KEY", remoteRef = { key = "tripit", property = "VAPID_PUBLIC_KEY" } },
 { secretKey = "VAPID_PRIVATE_KEY", remoteRef = { key = "tripit", property = "VAPID_PRIVATE_KEY" } },
 { secretKey = "VAPID_SUBJECT", remoteRef = { key = "tripit", property = "VAPID_SUBJECT" } },
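Review bot: The comment above the new `SESSION_SIGNING_KEY` entry explains the fail-closed default but not the two operational properties of a single HS256 key: nothing in this manifest enforces key strength (RFC 7518 requires at least 32 random bytes for HS256), and with one key and no key id, replacing the Vault value invalidates every active TripIt session at once. Suggest extending the comment with `# Rotation logs every user out (single HS256 key, no kid); the Vault value must be >=32 random bytes.` so the constraint lives next to the wiring, and mirroring it in the Vault-side runbook where the value is actually generated. Delivery via env_from also means the key is readable from the pod's environment like the existing VAPID_PRIVATE_KEY entry — consistent with the current pattern, but worth noting if a file mount is ever preferred. The `external_secret` manifest resource starts and ends outside the hunk.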