From bb220b7ba3d890aecc100a2540f3d143c5eb2dc5 Mon Sep 17 00:00:00 2001
From: malice <matt@echo6.co>
Date: Fri, 22 May 2026 08:10:33 -0600
Subject: [PATCH] recon: add auth.login_url/logout_url to deployment profiles
 (extraction #2)

Additive prep for the Navi Panel.jsx login/logout cutover. Adds an `auth`
block (login_url, logout_url) to each deployment profile, placed after the
existing `services` block:

  - home.yaml        login=/outpost.goauthentik.io/start?rd=%2F
                     logout=auth.echo6.co invalidation flow, next=navi.echo6.co
  - minimal_pi.yaml  same, with TODO(matt) to confirm logout next= host
  - regional_pi.yaml same, with TODO(matt) to confirm logout next= host

No Python change. /api/config returns the whole profile dict, so these keys
flow through automatically; existing consumers ignore unknown keys, making
this backward-safe (the frontend fallback path is simply never needed once
this is live).

Next steps (separate PRs): the navi-config service (:8422) mirroring this
handler, and the Panel.jsx fix to read cfg.auth.login_url/logout_url with the
current literals as fallback.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 config/profiles/home.yaml        | 4 ++++
 config/profiles/minimal_pi.yaml  | 5 +++++
 config/profiles/regional_pi.yaml | 5 +++++
 3 files changed, 14 insertions(+)

diff --git a/config/profiles/home.yaml b/config/profiles/home.yaml
index 474ffb2..de704d9 100644
--- a/config/profiles/home.yaml
+++ b/config/profiles/home.yaml
@@ -31,6 +31,10 @@ services:
   address_book: "/api/address_book"
   valhalla: "/valhalla"
 
+auth:
+  login_url: "/outpost.goauthentik.io/start?rd=%2F"
+  logout_url: "https://auth.echo6.co/if/flow/default-invalidation-flow/?next=https://navi.echo6.co/"
+
 features:
   has_nominatim_details: true
   has_kiwix_wiki: true
diff --git a/config/profiles/minimal_pi.yaml b/config/profiles/minimal_pi.yaml
index e3ae0fd..c2fd90a 100644
--- a/config/profiles/minimal_pi.yaml
+++ b/config/profiles/minimal_pi.yaml
@@ -26,6 +26,11 @@ services:
   address_book: "/api/address_book"
   valhalla: "/valhalla"
 
+# TODO(matt): confirm logout next= host for this profile
+auth:
+  login_url: "/outpost.goauthentik.io/start?rd=%2F"
+  logout_url: "https://auth.echo6.co/if/flow/default-invalidation-flow/?next=https://navi.echo6.co/"
+
 features:
   has_nominatim_details: false
   has_kiwix_wiki: false
diff --git a/config/profiles/regional_pi.yaml b/config/profiles/regional_pi.yaml
index 8e70cd6..b6f2cad 100644
--- a/config/profiles/regional_pi.yaml
+++ b/config/profiles/regional_pi.yaml
@@ -31,6 +31,11 @@ services:
   address_book: "/api/address_book"
   valhalla: "/valhalla"
 
+# TODO(matt): confirm logout next= host for this profile
+auth:
+  login_url: "/outpost.goauthentik.io/start?rd=%2F"
+  logout_url: "https://auth.echo6.co/if/flow/default-invalidation-flow/?next=https://navi.echo6.co/"
+
 features:
   has_nominatim_details: true
   has_kiwix_wiki: false