deployments/docs/superpowers/specs/2026-05-26-poyee-app-password-reset-public-route-design.md

Poyee App Password Reset Public Route Design

Goal

Permit unauthenticated requests to the password reset endpoint on the DEV dev.ahxpm.com ingress route:

/py-app/api/account/password/reset

All other account API requests remain subject to the existing OIDC middleware.

Current Routing

The manifest k3s-INFRA/DEV/traefik-rules/poyee-app/IngressRoute.yaml defines:

• A public route with poyee-app-v2-strip and poyee-app-cors-header.
• A fallback /py-app/ route that also invokes ahx-oidc.authn-app.

The Jenkins deployment configuration identifies these k3s-INFRA/DEV/traefik-rules manifests as the route source applied to the ahxpm namespace.

Design

Append the following exact path matcher to the existing public route's OR expression:

Path(`/py-app/api/account/password/reset`)

The endpoint will retain the existing strip-prefix and CORS behavior while it will no longer reach ahx-oidc.authn-app. Exact matching deliberately excludes other /py-app/api/account/ endpoints from public access.

Alternatives Considered

1. Add the exact matcher to the existing public route. This is recommended because it is minimal and reuses the established public-route middleware.
2. Add a separate public route for password reset. This is behaviorally valid but duplicates the same service and middleware configuration.
3. Add an account-level PathPrefix public matcher. This is rejected because it would remove authentication from endpoints outside password reset.

Validation

After editing the local manifest:

• Review the diff to ensure only the exact password reset path was added.
• Parse the YAML locally to detect formatting or syntax errors.
• Do not apply or deploy the manifest without separate explicit authorization.