# Demo Auth Routing Validation

## Scope

Validate centralized auth routing and per-host API routing for demo stacks.

## Prerequisites

- Caddy is running on the VPS.
- Demo stacks are running in Portainer.
- DNS records point to the VPS for all demo hosts.

## Caddy Validation

```bash
caddy validate --config /etc/caddy/Caddyfile
```

```bash
sudo systemctl reload caddy
```

## Host Health Checks

Run from any machine that can resolve public demo hosts:

```bash
curl -i https://auth.dream-views.com/health
curl -i https://furniture-display-demo.dream-views.com/
curl -i https://furniture-admin-demo.dream-views.com/
curl -i https://kitchen-ops-demo.dream-views.com/
curl -i https://waiter-floor-demo.dream-views.com/
curl -i https://customer-orders-demo.dream-views.com/
curl -i https://pos-transactions-demo.dream-views.com/
curl -i https://restaurant-admin-demo.dream-views.com/
```

## Identity Route Checks

```bash
curl -i https://furniture-display-demo.dream-views.com/api/identity/session/me
curl -i https://kitchen-ops-demo.dream-views.com/api/identity/session/me
curl -i https://restaurant-admin-demo.dream-views.com/api/identity/session/me
```

Expected outcomes:

- `200` when an authenticated session cookie is present.
- `401` when no session cookie is present.
- No `404` on identity paths.

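
The identity route outcomes above can be scripted as a pass/fail check that also flags a `200` returned without a cookie. This is an added example, not part of the original runbook: the function names are hypothetical, and the cookie passed in `session` mode is a value you supply, since the page does not name the session cookie.

```bash
# Hosts and path are taken from the identity route checks above.
IDENTITY_PATH="/api/identity/session/me"
IDENTITY_HOSTS="furniture-display-demo.dream-views.com
kitchen-ops-demo.dream-views.com
restaurant-admin-demo.dream-views.com"

# Print only the HTTP status code for URL $1.
# Optional $2 is a full Cookie header value (assumption: supplied by the operator).
fetch_status() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' -H "Cookie: $2" "$1"
  else
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
  fi
}

# Map a status code to a verdict. $1 = status code, $2 = "anon" or "session".
classify_identity_status() {
  case "$2:$1" in
    anon:401|session:200) echo "PASS" ;;
    anon:200)             echo "FAIL unauthenticated request was accepted" ;;
    session:401)          echo "FAIL session cookie was not accepted" ;;
    *:404)                echo "FAIL identity path is not routed" ;;
    *)                    echo "FAIL unexpected status $1" ;;
  esac
}

# Check every identity host and return non-zero if any host fails.
# $1 = "anon" or "session", $2 = Cookie header value (session mode only).
run_identity_checks() {
  mode="$1"; cookie="${2:-}"; failures=0
  for host in $IDENTITY_HOSTS; do
    # curl prints 000 when the connection itself fails; that is reported as unexpected.
    status="$(fetch_status "https://$host$IDENTITY_PATH" "$cookie")" || true
    verdict="$(classify_identity_status "$status" "$mode")"
    echo "$host $status $verdict"
    case "$verdict" in PASS) ;; *) failures=$((failures + 1)) ;; esac
  done
  [ "$failures" -eq 0 ]
}
```

Run `run_identity_checks anon` for the no-cookie case, or `run_identity_checks session 'name=value'` with a cookie copied from a logged-in browser session.
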
## Domain API Route Checks

```bash
curl -i "https://furniture-display-demo.dream-views.com/api/furniture/demo-context/availability"
curl -i "https://kitchen-ops-demo.dream-views.com/api/kitchen/ops/board?contextId=demo-context"
curl -i "https://waiter-floor-demo.dream-views.com/api/waiter/floor/assignments?contextId=demo-context"
curl -i "https://customer-orders-demo.dream-views.com/api/customer/orders/status?contextId=demo-context"
curl -i "https://pos-transactions-demo.dream-views.com/api/pos/transactions/summary?contextId=demo-context"
curl -i "https://restaurant-admin-demo.dream-views.com/api/restaurant/admin/config?contextId=demo-context"
```

Expected outcomes:

- Routed to the corresponding domain BFF.
- No cross-domain path leakage.

## Callback Journey Check

1. Open one demo web host.
2. Start Google login.
3. Complete callback on `auth.dream-views.com`.
4. Confirm return to same-origin route defined by `THALOS_DEFAULT_RETURN_URL`.

Expected outcomes:

- Callback does not redirect to external origins.
- Session-enabled API calls succeed after login.

## Regression Guard

- Re-run smoke scripts for `greenfield/demo/furniture` and `greenfield/demo/restaurant` after routing changes.
- Re-check all web containers can still load runtime config values.