studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ory,lasuite): harden session security and fix logout + WebSocket routing

Browse Source 
- Fix Hydra postLogoutRedirectUris for docs and people to match the
  actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
  instead of the root URL, resolving 599 logout errors.

- Fix docs y-provider WebSocket backend port: use Service port 443
  (not pod port 4444 which has no DNAT rule) in Pingora config.

- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
  and reduce refreshAfter from 1h to 5m across all static-creds paths
  (kratos, hydra, gitea, hive, people, docs) so credential rotation is
  reflected within 5 minutes instead of up to 1 hour.

- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
  to 720h (30 days). Kratos session carries silent re-auth so the short
  access token TTL does not require users to log in manually.

- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
  1h, apps silently re-auth via the active Kratos session. Disabled
  identities (sunbeam user disable) cannot re-auth on next expiry.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-03 18:07:08 +00:00
parent 897013bcb7
commit 7ffddcafcd
9 changed files with 63 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
base/ory/hydra-values.yaml
View File

@@ -15,6 +15,14 @@ hydra:
logout: https://auth.DOMAIN_SUFFIX/logout
error: https://auth.DOMAIN_SUFFIX/error
ttl:
# Short access tokens — API-level auth window is tight.
access_token: 5m
id_token: 5m
# Refresh tokens last 30 days; Kratos session carries silent re-auth.
# Revoking a Kratos session (sunbeam user disable) prevents refresh.
refresh_token: 720h
serve:
cookies:
same_site_mode: Lax

6
base/ory/vault-secrets.yaml
View File

@@ -73,7 +73,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/kratos
refreshAfter: 1h
allowStaticCreds: true
refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: kratos
@@ -123,7 +124,8 @@ spec:
vaultAuthRef: vso-auth
mount: database
path: static-creds/hydra
refreshAfter: 1h
allowStaticCreds: true
refreshAfter: 5m
rolloutRestartTargets:
- kind: Deployment
name: hydra