Bug: Production 404 — authenticate_user! redirects to GET /auth/keycloak which OmniAuth rejects #150

Closed
opened 2026-06-07 03:55:12 +00:00 by ldraney · 0 comments
Owner

Type

Bug

Lineage

Standalone — discovered when production returned 404 for all authenticated routes. Regression from PR #134 (Keycloak OmniAuth login).

Repo

ldraney/landscaping-assistant

What Broke

Every protected route in production returns 404. authenticate_user! redirects unauthenticated users to GET /auth/keycloak, but OmniAuth 2.x only accepts POST on the request phase. The GET request has no matching route handler.

Repro Steps

  1. Deploy with KEYCLOAK_URL set (production)
  2. Visit any protected route without a session (e.g. /today)
  3. authenticate_user! fires, redirects to GET /auth/keycloak
  4. Observe: 404 — OmniAuth has no GET handler for request phase

Expected Behavior

Unauthenticated users see a login page with a POST button that initiates the Keycloak OAuth flow.

Environment

  • Cluster/namespace: prod / landscaping-assistant
  • Service version/commit: 7fb76b5 (current main)
  • Related alerts: none — no health checks or uptime monitoring configured (see #149)

Acceptance Criteria

  • Unauthenticated users see a login page at /login
  • Login page has a POST form to /auth/keycloak
  • All test redirect expectations updated
  • No regression in authenticated flows

Related

  • project-landscaping-assistant
  • ldraney/landscaping-assistant #134 — PR that introduced the broken redirect
  • ldraney/landscaping-assistant #135 — PR that fixed tests but not the controller
  • ldraney/landscaping-assistant #149 — follow-up spike for smoke tests and observability
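The failure and the expected behaviour described in this issue, as an added plain-Ruby model (not code from the repository, and it loads neither Rails nor OmniAuth). The route paths come from the issue; `KEYCLOAK_AUTHORIZE_URL`, `request_phase`, `build_app` and `visit` are hypothetical names, and the Keycloak URL is a placeholder.

```ruby
# Constructed model of the routing in this issue; plain Ruby, no gems.
KEYCLOAK_AUTHORIZE_URL = "https://keycloak.example.test/authorize" # placeholder

# Stand-in for the OmniAuth 2.x request phase: only POST starts the flow.
def request_phase(method)
  return [404, {}, "Not Found"] unless method == "POST"
  [302, { "Location" => KEYCLOAK_AUTHORIZE_URL }, ""]
end

# Login page from the acceptance criteria: a POST form to /auth/keycloak.
LOGIN_PAGE = <<~HTML
  <form method="post" action="/auth/keycloak">
    <button type="submit">Sign in with Keycloak</button>
  </form>
HTML

# redirect_target stands in for where authenticate_user! sends visitors:
# "/auth/keycloak" (behaviour reported here) or "/login" (expected).
def build_app(redirect_target)
  lambda do |method, path, session = {}|
    case path
    when "/auth/keycloak" then request_phase(method)
    when "/login"         then [200, {}, LOGIN_PAGE]
    when "/today"
      if session[:user_id]
        [200, {}, "today"]
      else
        [302, { "Location" => redirect_target }, ""]
      end
    else [404, {}, "Not Found"]
    end
  end
end

# A browser follows a redirect with GET, which is why the request phase
# is never reached with POST when the guard redirects straight to it.
def visit(app, path, session = {})
  status, headers, body = app.call("GET", path, session)
  return [status, body] unless status == 302
  status, _, body = app.call("GET", headers["Location"])
  [status, body]
end

BROKEN = build_app("/auth/keycloak")
FIXED  = build_app("/login")
```
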