From affb697708442a44d4912966e7a16dc70f646aff Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Tue, 2 Jun 2026 14:40:01 +0000
Subject: [PATCH] =?UTF-8?q?fix(GRO-2089):=20correct=20Authentik=20customer?=
 =?UTF-8?q?=20credential=20source=20in=20=C2=A75.25=20pre-conditions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition
incorrectly stated that the Authentik customer password comes from
seed-uat-passwords:customer-password. That Secret holds the *Better Auth*
email+password credential — a different identity store. The actual Authentik
uat-customer password lives in authentik-uat-users-credentials:uat_customer_password,
provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password].

UAT testers were using the Better Auth value at the Authentik OIDC step and
getting 401'd, blocking GRO-2026.

Verified 2026-06-02: pulling the correct Secret value, signing in via SSO, and
POST /api/portal/session-from-auth all succeed (returns 201 with valid portal
session).

Co-Authored-By: Paperclip
---
 UAT_PLAYBOOK.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 2a2faae..fb51993 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -354,7 +354,12 @@ These cases cover the `CustomerPortal` initialisation path that bridges an Authe **Pre-conditions:** -- UAT is configured with Authentik SSO and the `seed-uat-passwords` Secret in `groombook-uat` provides the seeded customer credentials (`uat-seed-password-source` memory). +- UAT is configured with Authentik SSO. The seeded customer **Authentik** password lives in the `authentik-uat-users-credentials` Secret in the `groombook-uat` namespace (key `uat_customer_password`) — **NOT** in `seed-uat-passwords:customer-password` (that Secret holds the *Better Auth* email+password credential, a separate identity store; see GRO-2089). Pull the Authentik password at the start of every run: + ```bash + CUSTOMER_AUTHENTIK=$(kubectl get secret authentik-uat-users-credentials -n groombook-uat \ + -o jsonpath='{.data.uat_customer_password}' | base64 -d) + ``` + The Authentik user is provisioned by Terraform (`infra/terraform/users.tf`); the `lifecycle.ignore_changes = [password]` block means the password is set on initial creation and never auto-rotated, so the value held in the live Secret is the one Authentik itself has. If Authentik rejects it, the user was re-provisioned out-of-band via the Authentik admin UI and the Secret has drifted from the live identity — fix the Secret (or the admin-set password) and re-run. - `POST /api/portal/session-from-auth` from [GRO-1866](https://paperclip.farhoodlabs.com/GRO/issues/GRO-1866) is deployed on UAT. - Clear cookies and localStorage between cases unless otherwise noted. -- 2.52.0
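Review bot: the removed pre-condition line pointed at the `uat-seed-password-source` memory as the place that named `seed-uat-passwords` for the customer credential, and the replacement drops that reference instead of correcting it; if the memory note still says `seed-uat-passwords:customer-password`, the next tester who reads it first will hit the same 401 at the Authentik OIDC step. Update or explicitly supersede that memory in the same change and keep a pointer to it beside the "see GRO-2089" reference. Two smaller points in the added text: the sentence "If Authentik rejects it, the user was re-provisioned out-of-band via the Authentik admin UI" states one cause as the diagnosis, but `lifecycle.ignore_changes = [password]` only guarantees that Terraform will not overwrite the live password, not that the Secret and the live identity agree, so phrase it as the most likely cause and say who can reset either side; and `base64 -d` is the GNU spelling, so if testers run the playbook from macOS use `base64 --decode`, which both implementations accept. Since `CUSTOMER_AUTHENTIK` holds a live credential for the duration of the run, consider adding `unset CUSTOMER_AUTHENTIK` to the "Clear cookies and localStorage between cases" housekeeping line.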