fix(GRO-2089): correct Authentik customer credential source in §5.25 pre-conditions
The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition incorrectly stated that the Authentik customer password comes from seed-uat-passwords:customer-password. That Secret holds the *Better Auth* email+password credential — a different identity store. The actual Authentik uat-customer password lives in authentik-uat-users-credentials:uat_customer_password, provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

UAT testers were using the Better Auth value at the Authentik OIDC step and getting 401'd, blocking GRO-2026.

Verified 2026-06-02: pulling the correct Secret value, signing in via SSO, and POST /api/portal/session-from-auth all succeed (returns 201 with valid portal session).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+6
-1
@@ -354,7 +354,12 @@ These cases cover the `CustomerPortal` initialisation path that bridges an Authe
**Pre-conditions:**
- UAT is configured with Authentik SSO and the `seed-uat-passwords` Secret in `groombook-uat` provides the seeded customer credentials (`uat-seed-password-source` memory).
- UAT is configured with Authentik SSO. The seeded customer **Authentik** password lives in the `authentik-uat-users-credentials` Secret in the `groombook-uat` namespace (key `uat_customer_password`) — **NOT** in `seed-uat-passwords:customer-password` (that Secret holds the *Better Auth* email+password credential, a separate identity store; see GRO-2089). Pull the Authentik password at the start of every run:
```bash
CUSTOMER_AUTHENTIK=$(kubectl get secret authentik-uat-users-credentials -n groombook-uat \
-o jsonpath='{.data.uat_customer_password}' | base64 -d)
```
The Authentik user is provisioned by Terraform (`infra/terraform/users.tf`); the `lifecycle.ignore_changes = [password]` block means the password is set on initial creation and never auto-rotated, so the value held in the live Secret is the one Authentik itself has. If Authentik rejects it, the user was re-provisioned out-of-band via the Authentik admin UI and the Secret has drifted from the live identity — fix the Secret (or the admin-set password) and re-run.
- `POST /api/portal/session-from-auth` from [GRO-1866](https://paperclip.farhoodlabs.com/GRO/issues/GRO-1866) is deployed on UAT.
- Clear cookies and localStorage between cases unless otherwise noted.
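Review bot: the added `kubectl get secret ... -o jsonpath='{.data.uat_customer_password}' | base64 -d` snippet silently leaves `CUSTOMER_AUTHENTIK` empty when the Secret or the `uat_customer_password` key is absent (jsonpath prints nothing and `base64 -d` of empty input is empty), which reproduces the very 401 at the OIDC step this change is meant to remove, now with no hint about the cause. Suggest a guard right after the assignment, e.g. `[ -n "$CUSTOMER_AUTHENTIK" ] || { echo "uat_customer_password missing from authentik-uat-users-credentials" >&2; exit 1; }`, so a tester learns the Secret is missing or mis-keyed before signing in. The drift paragraph could also state the direction of reconciliation explicitly: because `lifecycle.ignore_changes = [password]` means Terraform will never overwrite a password changed in the admin UI, either the Secret is updated to the value Authentik actually holds or the admin-set password is reset to the Secret's value, and a stale tester-side copy of the variable from an earlier run is not evidence either way.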