fix: split LAPI auth — bouncer key for read, machine JWT for delete

LAPI does not let machine JWTs hit GET /v1/decisions even after the machine
is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key
does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty").

The webapp now holds both credentials and routes each call to the right
authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

app/app.py

@@ -2,7 +2,6 @@ import os
 import time
 import ipaddress
 import logging
-from functools import wraps
 
 import requests
 from flask import Flask, render_template, request, jsonify, abort
@@ -10,9 +9,14 @@ from flask import Flask, render_template, request, jsonify, abort
 LAPI_URL = os.environ["LAPI_URL"].rstrip("/")
 MACHINE_ID = os.environ["LAPI_MACHINE_ID"]
 MACHINE_PW = os.environ["LAPI_MACHINE_PASSWORD"]
+BOUNCER_KEY = os.environ["LAPI_BOUNCER_KEY"]
 TRUSTED_HOPS = int(os.environ.get("TRUSTED_PROXY_HOPS", "1"))
 REQ_TIMEOUT = 5
 
+# LAPI splits read vs write:
+#   GET  /v1/decisions  → bouncer X-Api-Key
+#   DELETE /v1/decisions → machine Bearer JWT (from /v1/watchers/login)
+
 app = Flask(__name__)
 logging.basicConfig(level=logging.INFO)
 log = app.logger
@@ -27,10 +31,7 @@ def _login():
         timeout=REQ_TIMEOUT,
     )
     r.raise_for_status()
-    data = r.json()
-    _token["jwt"] = data["code"] if "code" in data and isinstance(data["code"], str) else data.get("token")
-    if not _token["jwt"]:
-        _token["jwt"] = data.get("code") or data.get("token")
+    _token["jwt"] = r.json()["token"]
     _token["exp"] = time.time() + 60 * 13
     return _token["jwt"]
 
@@ -41,7 +42,13 @@ def _jwt():
     return _token["jwt"]
 
 
-def _lapi(method, path, **kw):
+def _bouncer(method, path, **kw):
+    headers = kw.pop("headers", {})
+    headers["X-Api-Key"] = BOUNCER_KEY
+    return requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw)
+
+
+def _machine(method, path, **kw):
     headers = kw.pop("headers", {})
     headers["Authorization"] = f"Bearer {_jwt()}"
     r = requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw)
@@ -88,7 +95,7 @@ def list_decisions():
         if not valid_ip(q):
             return render_template("_decisions.html", error="invalid IP", decisions=[]), 400
         params["ip"] = q
-    r = _lapi("GET", "/v1/decisions", params=params)
+    r = _bouncer("GET", "/v1/decisions", params=params)
     if r.status_code != 200:
         return render_template("_decisions.html", error=f"LAPI {r.status_code}: {r.text[:200]}", decisions=[]), 502
     decisions = r.json() or []
@@ -102,11 +109,11 @@ def unban():
     if decision_id:
         if not decision_id.isdigit():
             return "invalid id", 400
-        r = _lapi("DELETE", f"/v1/decisions/{decision_id}")
+        r = _machine("DELETE", f"/v1/decisions/{decision_id}")
     elif ip:
         if not valid_ip(ip):
             return "invalid IP", 400
-        r = _lapi("DELETE", "/v1/decisions", params={"ip": ip})
+        r = _machine("DELETE", "/v1/decisions", params={"ip": ip})
     else:
         return "need id or ip", 400
     if r.status_code not in (200, 204):
@@ -118,7 +125,7 @@ def unban():
 @app.post("/unban-me")
 def unban_me():
     ip = caller_ip()
-    r = _lapi("DELETE", "/v1/decisions", params={"ip": ip})
+    r = _machine("DELETE", "/v1/decisions", params={"ip": ip})
     if r.status_code not in (200, 204):
         return f"LAPI {r.status_code}: {r.text[:200]}", 502
     log.info("unban-me by=%s", ip)
@@ -128,7 +135,7 @@ def unban_me():
 @app.get("/healthz")
 def healthz():
     try:
-        r = _lapi("GET", "/v1/decisions", params={"limit": 1})
+        r = _bouncer("GET", "/v1/decisions", params={"limit": 1})
         return jsonify(ok=r.status_code == 200, lapi_status=r.status_code), 200 if r.status_code == 200 else 503
     except Exception as e:
         return jsonify(ok=False, error=str(e)), 503