2026-05-26-poyee-app-password-reset-public-route-design.md 1.7 KB
Poyee App Password Reset Public Route Design
Goal
Permit unauthenticated requests to the password reset endpoint on the DEV
dev.ahxpm.com ingress route:
/py-app/api/account/password/reset
All other account API requests remain subject to the existing OIDC middleware.
Current Routing
The manifest k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml defines:
- A public route with
poyee-app-v2-stripandpoyee-app-cors-header. - A fallback
/py-app/route that also invokesahx-oidc.authn-app.
The Jenkins deployment configuration identifies these k3s-INFRA/DEV/traefik-rules
manifests as the route source applied to the ahxpm namespace.
Design
Append the following exact path matcher to the existing public route's OR expression:
Path(`/py-app/api/account/password/reset`)
The endpoint will retain the existing strip-prefix and CORS behavior while it
will no longer reach ahx-oidc.authn-app. Exact matching deliberately excludes
other /py-app/api/account/ endpoints from public access.
Alternatives Considered
- Add the exact matcher to the existing public route. This is recommended because it is minimal and reuses the established public-route middleware.
- Add a separate public route for password reset. This is behaviorally valid but duplicates the same service and middleware configuration.
- Add an account-level
PathPrefixpublic matcher. This is rejected because it would remove authentication from endpoints outside password reset.
Validation
After editing the local manifest:
- Review the diff to ensure only the exact password reset path was added.
- Parse the YAML locally to detect formatting or syntax errors.
- Do not apply or deploy the manifest without separate explicit authorization.