fix: split LAPI auth — bouncer key for read, machine JWT for delete

LAPI does not let machine JWTs hit GET /v1/decisions even after the machine is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty"). The webapp now holds both credentials and routes each call to the right authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 23:58:20 +02:00
parent a5971403b2
commit 5d589915f7
4 changed files with 49 additions and 23 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -6,13 +6,16 @@
 # flight-radar.
 #
 # PREREQUISITES (one-time):
-#   1. Host LAPI machine registered:
-#        sudo cscli machines add crowdsec-admin --password '<PW>'
-#   2. Repo secrets set in Gitea → Settings → Secrets:
+#   1. Host LAPI machine registered (for DELETE auth):
+#        sudo cscli machines add crowdsec-admin --password '<PW>' -f -
+#   2. Host LAPI bouncer registered (for GET auth):
+#        sudo cscli bouncers add crowdsec-admin
+#   3. Repo secrets set in Gitea → Settings → Secrets:
 #        LAPI_MACHINE_ID=crowdsec-admin
 #        LAPI_MACHINE_PASSWORD=<PW>
-#   3. DNS: crowdsec.domverse-berlin.eu → host IP.
-#   4. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
+#        LAPI_BOUNCER_KEY=<bouncer key from step 2>
+#   4. DNS: crowdsec.domverse-berlin.eu → host IP.
+#   5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
 # ──────────────────────────────────────────────────────────────────────────────

 name: Deploy
@@ -39,6 +42,7 @@ jobs:
          cat > .env <<EOF
          LAPI_MACHINE_ID=${{ secrets.LAPI_MACHINE_ID }}
          LAPI_MACHINE_PASSWORD=${{ secrets.LAPI_MACHINE_PASSWORD }}
+          LAPI_BOUNCER_KEY=${{ secrets.LAPI_BOUNCER_KEY }}
          EOF
          chmod 600 .env