From 083999c84c333b588426ea7c5e640f179611dc00 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Mon, 30 Mar 2026 08:21:19 -0300
Subject: [PATCH] comms: harden matrix auth ingress routes for MAS
---
 services/comms/matrix-ingress.yaml | 50 ++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/services/comms/matrix-ingress.yaml b/services/comms/matrix-ingress.yaml
index cf3d1987..2f635917 100644
--- a/services/comms/matrix-ingress.yaml
+++ b/services/comms/matrix-ingress.yaml
@@ -7,6 +7,7 @@ metadata:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/router.priority: "120"
 cert-manager.io/cluster-issuer: letsencrypt
 spec:
 ingressClassName: traefik
@@ -43,6 +44,13 @@ spec:
 name: matrix-authentication-service
 port:
 number: 8080
+ - path: /_matrix/client/r0/login
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
 - path: /_matrix/client/v3/logout
 pathType: Exact
 backend:
@@ -57,6 +65,41 @@ spec:
 name: matrix-authentication-service
 port:
 number: 8080
+ - path: /account
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /authorize
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /oauth2
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /.well-known/openid-configuration
+ pathType: Exact
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /.well-known/oauth-authorization-server
+ pathType: Exact
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
 - path: /_matrix
 pathType: Prefix
 backend:
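Review bot: The `router.priority: "120"` annotation in the first hunk (`@@ -7,6 +7,7 @@`) is set on the Ingress as a whole, so as far as I can tell every router Traefik generates from this file, the exact auth paths and the `/_matrix` Prefix catch-all alike, ends up with the same priority of 120. That replaces Traefik's default rule-length ordering, which is what normally makes the longer auth paths win over `/_matrix`, and leaves the choice between equal-priority routers to tie-breaking that should be confirmed on the deployed Traefik version. If the intent is for the MAS routes to win, consider moving them into their own Ingress that carries the higher priority and leaving the catch-all at the default. A comment such as `# priority 120: must outrank <other ingress> on this host` would also keep the number from being a bare magic value. The path rules themselves are outside this hunk.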
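Review bot: Only the legacy `r0` login path is handed to matrix-authentication-service in the second hunk (`@@ -43,6 +44,13 @@`) and again in the last one (`@@ -102,6 +145,13 @@`); no `r0` logout or refresh rule is added next to it, while the context shows `/_matrix/client/v3/logout` routed to MAS. Unless those paths are routed elsewhere in the file, an older client would log in through MAS but send its logout to the `/_matrix` catch-all backend, so the session may not be revoked where it was issued. Consider adding `- path: /_matrix/client/r0/logout` with `pathType: Exact` to both rule lists, plus a comment saying why login is `Prefix` (presumably to cover subpaths such as the SSO redirect) while logout is `Exact`. The rule lists start and end outside these hunks.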
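Review bot: In the third hunk (`@@ -57,6 +65,41 @@`), `/oauth2` with `pathType: Prefix` publishes every endpoint MAS serves under that prefix on the public entrypoint, not only the ones browsers and clients need. Token introspection in particular is, as far as I know, called by the homeserver rather than by end users, so it is worth confirming that Synapse reaches it through the in-cluster service address and deciding whether it should be reachable from outside at all; it is authenticated, but not exposing it removes one path to probe. The same question applies to `/account` and `/authorize`: a short comment above the block, e.g. `# MAS human + OAuth resources; must match the listener resources enabled on port 8080`, would tell the next reader which MAS resources each path is meant to expose. Also check how the running Traefik version matches `Prefix` paths, since a plain string-prefix match would send `/accounts…` or `/oauth2x…` to MAS as well.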
@@ -102,6 +145,13 @@ spec:
 name: matrix-authentication-service
 port:
 number: 8080
+ - path: /_matrix/client/r0/login
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
 - path: /_matrix/client/v3/logout
 pathType: Exact
 backend: