admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): delete the Kratos identity on account deletion
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details

Browse Source 
Account deletion removed all local data but left the Ory Kratos
identity intact — an orphaned identity that can still authenticate.
Close the gap:

- kratos.Client gains the admin API: NewClient(publicURL, adminURL)
  and DeleteIdentity (DELETE /admin/identities/{id}; a 404 is treated
  as success so a retry after a partial failure is idempotent).
- AuthService.DeleteAccount deletes the Kratos identity FIRST; if that
  call fails it aborts before touching local data, so the operation is
  retryable rather than partially applied.
- KRATOS_ADMIN_URL config (default http://kratos:4434) + router wiring.
- kratos NetworkPolicy split: the api pods may now reach the admin API
  :4434 (Traefik still reaches only the public API :4433).
- kratos CORS: allow_credentials + OPTIONS so the web browser flows
  (ory_kratos_session cookie) work; origins stay an explicit allowlist.
- Regression tests: identity teardown happens, and a Kratos failure
  aborts the deletion instead of orphaning local data.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-05-18 21:55:33 -05:00
parent 81578f6e27
commit 3d3ba84df0
7 changed files with 150 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy-k3s/manifests/kratos/configmap.yaml
+5 -1
View File
@@ -31,9 +31,13 @@ data:
- https://myhoneydue.com
- https://app.myhoneydue.com
- https://admin.myhoneydue.com
allowed_methods: [GET, POST, PUT, PATCH, DELETE]
allowed_methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
allowed_headers: [Authorization, Content-Type, X-Session-Token, Cookie]
exposed_headers: [Content-Type, Set-Cookie]
# Required: the web clients call Kratos browser flows with
# credentials (the ory_kratos_session cookie). Safe here because
# allowed_origins is an explicit list, never a wildcard.
allow_credentials: true
admin:
base_url: http://kratos.honeydue.svc.cluster.local:4434/
deploy-k3s/manifests/kratos/kratos.yaml
+12 -3
View File
@@ -127,9 +127,10 @@ spec:
port: 4434
targetPort: 4434
---
# Ingress to Kratos: Traefik (the auth.myhoneydue.com IngressRoute) and the
# honeyDue api pods (session whoami) may reach the public API :4433. The
# admin API :4434 takes no cluster ingress — it is reachable only in-pod.
# Ingress to Kratos. Traefik (the auth.myhoneydue.com IngressRoute) reaches
# only the public API :4433. The honeyDue api pods reach the public API :4433
# (session whoami) AND the admin API :4434 (identity deletion on account
# close). The admin API :4434 takes no other cluster ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
@@ -142,16 +143,24 @@ spec:
policyTypes:
- Ingress
ingress:
# Traefik ingress controller -> public API only.
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- port: 4433
protocol: TCP
# honeyDue api pods -> public API (whoami) + admin API (identity deletion).
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: api
ports:
- port: 4433
protocol: TCP
- port: 4434
protocol: TCP
---
# Kratos egress: DNS, the Neon Postgres database, SMTP, and HTTPS to the
# OIDC providers (Apple/Google token + JWKS endpoints).