docs: replace daedalus-service basic auth with per-user DRF tokens

2026-05-22 22:59:59 -04:00
parent 7296b8c42f
commit 409da7d109
17 changed files with 364 additions and 163 deletions
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -92,14 +92,6 @@ docker compose -f /srv/mnemosyne/docker-compose.yaml \
 docker compose -f /srv/mnemosyne/docker-compose.yaml \
    run --rm app setup

-# Create the daedalus-service user (HTTP Basic auth for ingest API)
-# Pass --password from vault; idempotent if user already exists.
-docker compose -f /srv/mnemosyne/docker-compose.yaml \
-    run --rm app \
-    python manage.py ensure_service_user \
-        --username daedalus-service \
-        --password "{{ vault_mnemosyne_daedalus_service_password }}"
-
 # Seed the MCPSigningKey used to sign long-lived Pallas team JWTs.
 # --retire-other deactivates any previously-active key.  The hex
 # emitted to stdout is persisted in Mnemosyne's database and is
@@ -321,13 +313,16 @@ curl -f http://puck.incus:23181/healthz
 curl http://puck.incus:23181/metrics | head -5
 ```

-### Verify the daedalus-service account
+### Verify Daedalus auth (per-user API token)
+
+Daedalus now authenticates as a Mnemosyne user via the DRF token shown
+on `/profile/settings/`. To smoke-test from a deploy host:

 ```bash
-curl -u daedalus-service:<password> \
-    https://mnemosyne.ouranos.helu.ca/library/api/workspaces/ \
+curl -H "Authorization: Token <user-api-token>" \
+    https://mnemosyne.ouranos.helu.ca/library/api/workspaces/ws_smoke/ \
    -o /dev/null -w "%{http_code}"
-# Expect: 200
+# Expect: 200 if the workspace exists for that user, 404 otherwise.
 ```

 ### Verify MCP connectivity (from a client with a valid MCPToken)
@@ -401,6 +396,5 @@ will report as a failure.
 | `vault_daedalus_s3_read_secret` | `DAEDALUS_S3_SECRET_ACCESS_KEY` |
 | `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` |
 | `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` |
-| `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` |
 | `vault_mnemosyne_casdoor_client_id` | `CASDOOR_CLIENT_ID` |
 | `vault_mnemosyne_casdoor_client_secret` | `CASDOOR_CLIENT_SECRET` |