fix(GRO-2089): correct Authentik customer credential source in UAT_PLAYBOOK §5.25 #41

Closed
Flea Flicker wants to merge 1 commit from flea/gro-2089-fix-authentik-credential-source into main
Member

Updates UAT_PLAYBOOK.md §5.25 (Customer Portal — Better Auth SSO Bridge) pre-conditions to point UAT testers at the correct Authentik credential source.

Root cause: the previous §5.25 pre-condition said the Authentik customer password lives in seed-uat-passwords:customer-password. That Secret holds the Better Auth email+password credential — a separate identity store. The actual Authentik uat-customer password lives in authentik-uat-users-credentials:uat_customer_password, provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

Impact: UAT testers (incl. GRO-2026) were pulling the Better Auth value and typing it into the Authentik OIDC login, which rejected it as invalid. This unblocks GRO-2026 verification and any future run of TC-WEB-5.25.* / TC-WEB-5.27.*.

Verified 2026-06-02 against uat.groombook.dev: signing in with the correct Secret value yields Authentik 302 → /api/auth/get-session 200 (userId be0d112b-…) → /api/portal/session-from-auth 201 (clientId c0000001-…, clientName UAT Customer).

No code or infra change. Documentation only. The two Secrets remain intentionally separate (Better Auth and Authentik are different identity stores); only the playbook's pointer was wrong.

Updated UAT_PLAYBOOK §5.25 (Pre-conditions bullet).

Refs GRO-2089.

Flea Flicker added 1 commit 2026-06-02 14:40:49 +00:00
fix(GRO-2089): correct Authentik customer credential source in §5.25 pre-conditions
CI / Test (pull_request) Successful in 22s
CI / Lint & Typecheck (pull_request) Successful in 28s
CI / Build & Push Docker Image (pull_request) Successful in 15s
affb697708
The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition
incorrectly stated that the Authentik customer password comes from
seed-uat-passwords:customer-password. That Secret holds the *Better Auth*
email+password credential — a different identity store. The actual Authentik
uat-customer password lives in authentik-uat-users-credentials:uat_customer_password,
provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

UAT testers were using the Better Auth value at the Authentik OIDC step and
getting 401'd, blocking GRO-2026. Verified 2026-06-02: pulling the correct
Secret value, signing in via SSO, and POST /api/portal/session-from-auth all
succeed (returns 201 with valid portal session).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker closed this pull request 2026-06-02 14:41:16 +00:00