fix: split LAPI auth — bouncer key for read, machine JWT for delete

LAPI does not let machine JWTs hit GET /v1/decisions even after the machine
is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key
does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty").

The webapp now holds both credentials and routes each call to the right
authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 23:58:20 +02:00
parent a5971403b2
commit 5d589915f7
4 changed files with 49 additions and 23 deletions

@@ -14,6 +14,7 @@ services:
- LAPI_URL=http://host.docker.internal:8080
- LAPI_MACHINE_ID=${LAPI_MACHINE_ID}
- LAPI_MACHINE_PASSWORD=${LAPI_MACHINE_PASSWORD}
- LAPI_BOUNCER_KEY=${LAPI_BOUNCER_KEY}
- TRUSTED_PROXY_HOPS=1
labels:
- "traefik.enable=true"
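
Review bot: The `LAPI_BOUNCER_KEY=${LAPI_BOUNCER_KEY}` entry has no guard for an unset variable, so Compose substitutes an empty string and the container starts with a blank bouncer key instead of failing at deploy time. Consider `${LAPI_BOUNCER_KEY:?LAPI_BOUNCER_KEY must be set}` here, and the same form for the adjacent `LAPI_MACHINE_ID` and `LAPI_MACHINE_PASSWORD` lines. A short comment above these three entries stating which credential serves which call (bouncer key for reads, machine credentials for deletes) would also help, since the service now carries both.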