# Poyee App Password Reset Public Route Design

## Goal

Permit unauthenticated requests to the password reset endpoint on the DEV `dev.ahxpm.com` ingress route:

```text
/py-app/api/account/password/reset
```

All other account API requests remain subject to the existing OIDC middleware.

## Current Routing

The manifest `k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml` defines:

- A public route with `poyee-app-v2-strip` and `poyee-app-cors-header`.
- A fallback `/py-app/` route that also invokes `ahx-oidc.authn-app`.

The Jenkins deployment configuration identifies these `k3s-INFRA/DEV/traefik-rules` manifests as the route source applied to the `ahxpm` namespace.

## Design

Append the following exact path matcher to the existing public route's OR expression:

```text
Path(`/py-app/api/account/password/reset`)
```

The endpoint will retain the existing strip-prefix and CORS behavior while it will no longer reach `ahx-oidc.authn-app`. Exact matching deliberately excludes other `/py-app/api/account/` endpoints from public access.

## Alternatives Considered

1. Add the exact matcher to the existing public route. This is recommended because it is minimal and reuses the established public-route middleware.
2. Add a separate public route for password reset. This is behaviorally valid but duplicates the same service and middleware configuration.
3. Add an account-level `PathPrefix` public matcher. This is rejected because it would remove authentication from endpoints outside password reset.

## Validation

After editing the local manifest:

- Review the diff to ensure only the exact password reset path was added.
- Parse the YAML locally to detect formatting or syntax errors.
- Do not apply or deploy the manifest without separate explicit authorization.
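
The diff review can be backed by a local, offline check. The following is an added example, not part of the project's manifests or tooling: it audits a parsed `spec.routes` list and fails if any route without the OIDC middleware exposes more of `/py-app/api/account/` than the exact reset path. The route data, the `/py-app/api/example/public` matcher and the function names are constructed for illustration, and it assumes the middleware is listed under the `name` key exactly as `ahx-oidc.authn-app`.

```python
import re
# Identifiers below are taken from the design above.
RESET_PATH = "/py-app/api/account/password/reset"
ACCOUNT_PREFIX = "/py-app/api/account/"
OIDC_MIDDLEWARE = "ahx-oidc.authn-app"
MATCHER = re.compile(r"\b(PathPrefix|Path)\(([^)]*)\)")

def path_matchers(rule):
    """Return (kind, path) for every Path/PathPrefix matcher in a Traefik rule."""
    pairs = []
    for kind, args in MATCHER.findall(rule):
        pairs += [(kind, p) for p in re.findall(r"`([^`]+)`", args)]
    return pairs

def audit(routes):
    """Return findings for routes that skip OIDC; an empty list means pass."""
    findings, reset_is_public = [], False
    for route in routes:
        names = [m["name"] for m in route.get("middlewares", [])]
        if OIDC_MIDDLEWARE in names:
            continue  # authenticated route: nothing is exposed here
        for kind, path in path_matchers(route["match"]):
            if kind == "Path" and path == RESET_PATH:
                reset_is_public = True
            elif kind == "Path" and path.startswith(ACCOUNT_PREFIX):
                findings.append(f"unexpected public account path: {path}")
            elif kind == "PathPrefix" and (
                ACCOUNT_PREFIX.startswith(path) or path.startswith(ACCOUNT_PREFIX)
            ):
                findings.append(f"public PathPrefix covers account API: {path}")
    if not reset_is_public:
        findings.append(f"{RESET_PATH} is not on a public route")
    return findings

# Constructed stand-in for the parsed spec.routes list (hypothetical data).
EXISTING = "Path(`/py-app/api/example/public`)"  # placeholder matcher
RECOMMENDED = EXISTING + " || Path(`" + RESET_PATH + "`)"
REJECTED = EXISTING + " || PathPrefix(`" + ACCOUNT_PREFIX + "`)"

def sample_routes(public_match):
    strip = {"name": "poyee-app-v2-strip"}
    return [
        {"match": public_match,
         "middlewares": [strip, {"name": "poyee-app-cors-header"}]},
        {"match": "PathPrefix(`/py-app/`)",
         "middlewares": [strip, {"name": OIDC_MIDDLEWARE}]},
    ]

if __name__ == "__main__":
    for label, rule in (("recommended", RECOMMENDED), ("rejected", REJECTED)):
        print(label, audit(sample_routes(rule)) or "pass")
```

Against the real manifest, pass the `spec.routes` list produced by the local YAML parse in place of `sample_routes(...)`.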