52 lines
1.3 KiB
Markdown
52 lines
1.3 KiB
Markdown
# Auth Enforcement
|
|
|
|
## Scope
|
|
|
|
This BFF enforces authenticated access on business endpoints using Thalos session validation.
|
|
|
|
## Protected Endpoints
|
|
|
|
- `/api/furniture/{furnitureId}/availability`
|
|
- `(GET-only endpoint in this BFF)`
|
|
|
|
## Anonymous Endpoints
|
|
|
|
- `/health`
|
|
- `/healthz`
|
|
|
|
## Session Validation Contract
|
|
|
|
- BFF requires at least one session cookie:
|
|
- `thalos_session`
|
|
- `thalos_refresh`
|
|
- BFF calls Thalos session introspection endpoint:
|
|
- `GET /api/identity/session/me`
|
|
- Base address configured by:
|
|
- `ThalosAuth:BaseAddress`
|
|
|
|
## Error Semantics
|
|
|
|
Standard auth error payload:
|
|
|
|
```json
|
|
{
|
|
"code": "unauthorized|forbidden|session_missing|session_invalid",
|
|
"message": "human-readable message",
|
|
"correlationId": "request correlation id"
|
|
}
|
|
```
|
|
|
|
- `401`: missing or invalid session
|
|
- `403`: permission denied by identity service
|
|
- `503`: identity service unavailable or timeout during session introspection (`identity_unavailable|identity_timeout`)
|
|
|
|
## Correlation
|
|
|
|
- Incoming/outgoing correlation header: `x-correlation-id`
|
|
- Correlation ID is forwarded to Thalos session validation call.
|
|
|
|
## CORS and Cookie Propagation
|
|
|
|
- When `FurnitureBff:AllowedOrigins` is explicit (non-`*`), the BFF enables credentials so browser session cookies are forwarded.
|
|
- Wildcard origins remain unsupported for credentialed browser calls by design.
|