trading-bot: ingress auth required->app (app has own WebAuthn/JWT)
The app ships complete auth — WebAuthn/passkey (RP_ID=trading.viktorbarzin.me) + JWT bearer on every /api/* route + a /ws?token=<JWT> WebSocket. Authentik forward-auth on / was 302-bouncing the WebAuthn XHR flow and the WS upgrade, making the app unusable. Flip to auth = "app" so the backend's own auth is the gate (same-origin SPA + bearer-token API, same pattern as immich). Verified all 11 route modules enforce Depends(get_current_user) and dev_mode defaults False before flipping. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
e18e0d51a0
commit
fde2d19bf7
1 changed files with 2 additions and 1 deletions
|
|
@ -663,7 +663,8 @@ module "ingress" {
|
||||||
name = "trading"
|
name = "trading"
|
||||||
service_name = "trading-bot-frontend"
|
service_name = "trading-bot-frontend"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
auth = "required"
|
# auth = "app": app has its own WebAuthn/passkey + JWT auth (RP_ID=trading.viktorbarzin.me); Authentik would 302-break the WebAuthn XHR + /ws WebSocket
|
||||||
|
auth = "app"
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Trading Bot"
|
"gethomepage.dev/name" = "Trading Bot"
|
||||||
|
|
|
||||||
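Review bot: With `auth = "app"` the ingress no longer enforces authentication, so the comment above it should record the invariant this setting now depends on, not only why Authentik was removed. The commit message says all 11 route modules use `Depends(get_current_user)` and that `dev_mode` defaults to False, but nothing in this file keeps that true for a route added later or a deployment that enables dev_mode. I would add `# SECURITY: no forward-auth on this host; every backend route must enforce get_current_user and dev_mode must stay false in this deployment`. Two things to confirm outside this hunk are whether any framework-generated endpoints (API docs, schema, health) are now reachable without a token, and whether the `/ws?token=<JWT>` query string ends up in ingress access logs. The `module "ingress"` block starts and ends outside the hunk, so any other edge controls on this host (rate limiting, source restrictions) are not visible here.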