fix(ory,lasuite): harden session security and fix logout + WebSocket routing

- Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors. - Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config. - Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour. - Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually. - Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry.
2026-03-03 18:07:08 +00:00
parent 897013bcb7
commit 7ffddcafcd
9 changed files with 63 additions and 16 deletions
--- a/base/devtools/vault-secrets.yaml
+++ b/base/devtools/vault-secrets.yaml
@@ -21,7 +21,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/gitea
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: StatefulSet
      name: gitea
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -53,7 +53,7 @@ data:
      # Real-time collaboration WebSocket (y-provider / Hocuspocus).
      [[routes.paths]]
      prefix    = "/collaboration/ws/"
-      backend   = "http://docs-y-provider.lasuite.svc.cluster.local:4444"
+      backend   = "http://docs-y-provider.lasuite.svc.cluster.local:443"
      websocket = true

    [[routes]]
--- a/base/lasuite/docs-values.yaml
+++ b/base/lasuite/docs-values.yaml
@@ -118,11 +118,18 @@ backend:
      secretKeyRef:
        name: docs-django-secret
        key: DJANGO_SECRET_KEY
-    DJANGO_CONFIGURATION:        Production
-    ALLOWED_HOSTS:               docs.DOMAIN_SUFFIX
-    DJANGO_ALLOWED_HOSTS:        docs.DOMAIN_SUFFIX
-    DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
-    LOGIN_REDIRECT_URL:          /
+    DJANGO_CONFIGURATION:             Production
+    ALLOWED_HOSTS:                    docs.DOMAIN_SUFFIX
+    DJANGO_ALLOWED_HOSTS:             docs.DOMAIN_SUFFIX
+    DJANGO_CSRF_TRUSTED_ORIGINS:      https://docs.DOMAIN_SUFFIX
+    LOGIN_REDIRECT_URL:               /
+    LOGOUT_REDIRECT_URL:              /
+    FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
+    # Low cache timeout so theme changes propagate without pod restarts.
+    THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
+    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+    # Lockout window: disabled identity cannot re-auth within 1h of expiry.
+    SESSION_COOKIE_AGE: "3600"

    # ── Y-Provider ────────────────────────────────────────────────────────────
    # Shared secret for backend ↔ y-provider auth.
@@ -132,12 +139,31 @@ backend:
        key: secret
    COLLABORATION_SERVER_URL:    http://docs-y-provider.lasuite.svc.cluster.local:4444

+  themeCustomization:
+    enabled: true
+    # La Gaufre v2: point at our self-hosted integration service.
+    # DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
+    file_content:
+      header:
+        logo: {}
+        icon:
+          src: "/assets/icon-docs.svg"
+          style:
+            width: "32px"
+            height: "auto"
+          alt: ""
+          withTitle: true
+      waffle:
+        apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
+        widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
+        label: "O Estúdio"
+        closeLabel: "Fechar"
+        newWindowLabelSuffix: " · nova janela"
+
 frontend:
  envVars:
    NEXT_PUBLIC_API_URL:              https://docs.DOMAIN_SUFFIX
    NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
-    # La Gaufre app launcher — served from our self-hosted integration service.
-    GAUFREJS_URL:                     https://integration.DOMAIN_SUFFIX/api/v1/gaufre.js

 yProvider:
  envVars:
--- a/base/lasuite/integration-deployment.yaml
+++ b/base/lasuite/integration-deployment.yaml
@@ -21,7 +21,7 @@ data:
    {
      "services": [
        {
-          "name": "Documentos",
+          "name": "Docs",
          "url": "https://docs.DOMAIN_SUFFIX",
          "logo": "https://integration.DOMAIN_SUFFIX/logos/docs.svg"
        },
--- a/base/lasuite/oidc-clients.yaml
+++ b/base/lasuite/oidc-clients.yaml
@@ -20,6 +20,8 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
+  postLogoutRedirectUris:
+    - https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-docs
  skipConsent: true
@@ -120,6 +122,8 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
+  postLogoutRedirectUris:
+    - https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-people
  skipConsent: true
--- a/base/lasuite/people-values.yaml
+++ b/base/lasuite/people-values.yaml
@@ -125,8 +125,11 @@ backend:
    ALLOWED_HOSTS:             people.DOMAIN_SUFFIX
    DJANGO_ALLOWED_HOSTS:      people.DOMAIN_SUFFIX
    DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
-    # Redirect to frontend SPA root after successful OIDC login.
+    # Redirect to frontend SPA root after successful OIDC login/logout.
    LOGIN_REDIRECT_URL:        /
+    LOGOUT_REDIRECT_URL:       /
+    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+    SESSION_COOKIE_AGE: "3600"

 # celeryWorker and celeryBeat intentionally have no envVars here.
 # The desk chart template automatically injects backend.envVars into all
--- a/base/lasuite/vault-secrets.yaml
+++ b/base/lasuite/vault-secrets.yaml
@@ -44,7 +44,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hive
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hive
@@ -91,7 +92,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/people
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: people-backend
@@ -140,7 +142,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/docs
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: docs-backend
--- a/base/ory/hydra-values.yaml
+++ b/base/ory/hydra-values.yaml
@@ -15,6 +15,14 @@ hydra:
      logout: https://auth.DOMAIN_SUFFIX/logout
      error: https://auth.DOMAIN_SUFFIX/error

+    ttl:
+      # Short access tokens — API-level auth window is tight.
+      access_token: 5m
+      id_token: 5m
+      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
+      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
+      refresh_token: 720h
+
    serve:
      cookies:
        same_site_mode: Lax
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
@@ -73,7 +73,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/kratos
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: kratos
@@ -123,7 +124,8 @@ spec:
  vaultAuthRef: vso-auth
  mount: database
  path: static-creds/hydra
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
  rolloutRestartTargets:
    - kind: Deployment
      name: hydra