trading-bot: ingress auth required->app (app has own WebAuthn/JWT)

The app ships complete auth — WebAuthn/passkey (RP_ID=trading.viktorbarzin.me)
+ JWT bearer on every /api/* route + a /ws?token=<JWT> WebSocket. Authentik
forward-auth on / was 302-bouncing the WebAuthn XHR flow and the WS upgrade,
making the app unusable. Flip to auth = "app" so the backend's own auth is the
gate (same-origin SPA + bearer-token API, same pattern as immich). Verified all
11 route modules enforce Depends(get_current_user) and dev_mode defaults False
before flipping.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-02 21:52:08 +00:00
parent e18e0d51a0
commit fde2d19bf7

@ -663,7 +663,8 @@ module "ingress" {
name = "trading"
service_name = "trading-bot-frontend"
tls_secret_name = var.tls_secret_name
auth = "required"
# auth = "app": app has its own WebAuthn/passkey + JWT auth (RP_ID=trading.viktorbarzin.me); Authentik would 302-break the WebAuthn XHR + /ws WebSocket
auth = "app"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Trading Bot"