From f98c3f2049d2859a13bf51ede947e2d87a0d7369 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 11 May 2026 18:31:54 +0000
Subject: [PATCH] infra/novelapp: drop Authentik forward-auth (auth = "none")
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

novelapp handles its own user auth via NextAuth + Google OAuth, so the ingress-level Authentik forward-auth was double-gating. Mobile webviews (iOS/Android) can't follow the Authentik 302/cookie dance — they saw HTML challenges where they expected JSON. CrowdSec + rate-limit + anti-AI UA filter remain in front; novelapp's own login handles users. [ci skip]
---
 stacks/novelapp/main.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf
index 779d3c7b..644c43d6 100644
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@@ -223,8 +223,12 @@ resource "kubernetes_service" "novelapp" {
 }
 
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": novelapp handles its own auth via NextAuth + Google OAuth
+ # (AUTH_URL/AUTH_SECRET/GOOGLE_CLIENT_{ID,SECRET} env vars above). Putting
+ # Authentik forward-auth in front double-gates the app and breaks iOS/Android
+ # webview clients that can't complete the Authentik 302/cookie dance.
+ auth = "none"
 dns_type = "non-proxied"
 namespace = kubernetes_namespace.novelapp.metadata[0].name
 name = "novelapp"
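Review bot: With `auth = "none"` the ingress no longer enforces authentication on any path, so access control now depends entirely on novelapp's own NextAuth checks covering every route it serves, API handlers included; the added comment explains why the gate was removed but not what enforces access in its place. Because `dns_type = "non-proxied"` is unchanged, the ingress is presumably the only edge in front of the service. I would extend the comment to record the remaining controls named in the commit message and the new dependency on the app, for example `# Edge controls still applied: CrowdSec, rate-limit, anti-AI UA filter. All authn/authz is enforced in-app; every route must check the session.` The `module "ingress"` block continues past the end of the hunk, so any other arguments that affect exposure are not visible here.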