@@ -1,50 +0,0 @@
-# Poyee App Password Reset Public Route Design
-
-## Goal
-
-Permit unauthenticated requests to the password reset endpoint on the DEV
-`dev.ahxpm.com` ingress route:
-
-`/py-app/api/account/password/reset`
-
-All other account API requests remain subject to the existing OIDC middleware.
-
-## Current Routing
-
-The manifest `k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml` defines:
-
-- A public route with `poyee-app-v2-strip` and `poyee-app-cors-header`.
-- A fallback `/py-app/` route that also invokes `ahx-oidc.authn-app`.
-
-The Jenkins deployment configuration identifies these `k3s-INFRA/DEV/traefik-rules`
-manifests as the route source applied to the `ahxpm` namespace.
-
-## Design
-
-Append the following exact path matcher to the existing public route's OR
-expression:
-
-```text
-Path(`/py-app/api/account/password/reset`)
-```
-
-The endpoint will retain the existing strip-prefix and CORS behavior while it
-will no longer reach `ahx-oidc.authn-app`. Exact matching deliberately excludes
-other `/py-app/api/account/` endpoints from public access.
-
-## Alternatives Considered
-
-1. Add the exact matcher to the existing public route. This is recommended
- because it is minimal and reuses the established public-route middleware.
-2. Add a separate public route for password reset. This is behaviorally valid
- but duplicates the same service and middleware configuration.
-3. Add an account-level `PathPrefix` public matcher. This is rejected because
- it would remove authentication from endpoints outside password reset.
-
-## Validation
-
-After editing the local manifest:
-
-- Review the diff to ensure only the exact password reset path was added.
-- Parse the YAML locally to detect formatting or syntax errors.
-- Do not apply or deploy the manifest without separate explicit authorization.
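Review bot: removing the whole design note deletes the only record in this diff of why `/py-app/api/account/password/reset` is meant to bypass `ahx-oidc.authn-app`, and the hunk adds nothing that points to where that rationale now lives. The exact `Path(...)` matcher and the explicit rejection of an account-level `PathPrefix` are the security-relevant decisions here; if the change has already landed in `k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml`, keep at least the `## Design` and `## Validation` sections (diff review for the single added path, local YAML parse, no deploy without separate authorization) next to the manifest or reference them from the commit, otherwise a later edit can widen the public matcher without anyone seeing the constraint that was deliberately chosen.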