From fde2d19bf7b58a53ff5133d41fe4c9fec08f46b9 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 2 Jun 2026 21:52:08 +0000
Subject: [PATCH] trading-bot: ingress auth required->app (app has own WebAuthn/JWT)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The app ships complete auth — WebAuthn/passkey (RP_ID=trading.viktorbarzin.me) + JWT bearer on every /api/* route + a /ws?token= WebSocket. Authentik forward-auth on / was 302-bouncing the WebAuthn XHR flow and the WS upgrade, making the app unusable. Flip to auth = "app" so the backend's own auth is the gate (same-origin SPA + bearer-token API, same pattern as immich). Verified all 11 route modules enforce Depends(get_current_user) and dev_mode defaults False before flipping.

Co-Authored-By: Claude Opus 4.7
---
 stacks/trading-bot/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index 51fe0b83..e26e728a 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -663,7 +663,8 @@ module "ingress" {
 name = "trading"
 service_name = "trading-bot-frontend"
 tls_secret_name = var.tls_secret_name
- auth = "required"
+ # auth = "app": app has its own WebAuthn/passkey + JWT auth (RP_ID=trading.viktorbarzin.me); Authentik would 302-break the WebAuthn XHR + /ws WebSocket
+ auth = "app"
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Trading Bot"
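Review bot: The comment added above `auth = "app"` records why the flip is safe today but not the invariant it depends on: with Authentik removed from `/`, the backend is the only gate, and the commit message says the `Depends(get_current_user)` coverage of all 11 route modules and the `dev_mode` default were checked by hand once, with nothing in this module re-checking them, so a future route registered without that dependency is reachable from the internet directly. I would extend the comment to name that invariant, e.g. `# NOTE: auth = "app" makes the backend the only gate — every /api/* route must keep Depends(get_current_user) and dev_mode must stay False`, and move the existing rationale to a second comment line, since the added line is far wider than the rest of the file. Separately, the description mentions the WebSocket takes its bearer token as `/ws?token=`; now that requests hit the app directly, those query strings presumably end up verbatim in the ingress access logs, which is worth noting next to the flip or addressing on the app side (for example a post-upgrade auth message instead of a URL parameter). The `module "ingress"` block starts before and ends after this hunk.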