feat(tripit): activate TripIt-native session auth — signing key + Authentik web redirect (ADR-0028 #90)

Adds SESSION_SIGNING_KEY (Vault secret/tripit -> tripit-secrets ExternalSecret -> env_from) so TripIt's own session JWTs are signed with a real key (the app fails closed under the dev default until this lands), and adds the website OIDC redirect URI https://tripit.viktorbarzin.me/api/auth/callback/authentik to the public tripit-app provider so 'Log in with Authentik' works. Reuses the Shell's existing public OAuth2 app. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 06:06:43 +00:00 · 2026-06-19 06:06:43 +00:00 · e5bb16e02a
commit e5bb16e02a
parent 077ac97df5
2 changed files with 11 additions and 0 deletions
--- a/stacks/tripit/authentik.tf
+++ b/stacks/tripit/authentik.tf
@ -65,6 +65,13 @@ resource "authentik_provider_oauth2" "tripit_app" {
      matching_mode = "strict"
      url           = "me.viktorbarzin.tripit://callback"
    },
+    {
+      # "Log in with Authentik" on the website: TripIt is the OIDC client and
+      # mints its own session on callback (tripit ADR-0028, #90). Same public
+      # tripit-app provider as the Shell — just the web redirect URI added.
+      matching_mode = "strict"
+      url           = "https://tripit.viktorbarzin.me/api/auth/callback/authentik"
+    },
  ]

  access_token_validity      = "hours=1"