José René White Enciso 00e858b7ea feat(furniture): enforce bff session auth

Why: protect business endpoint access with thalos-backed session checks.

What: add edge auth guard call to thalos session/me, preserve anonymous health endpoints, and add auth enforcement docs.

Rule: keep identity ownership in thalos and standardize edge auth behavior.

2026-03-08 15:07:38 -06:00

988 B

Raw Blame History

Auth Enforcement

Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

Protected Endpoints

/api/furniture/{furnitureId}/availability
(GET-only endpoint in this BFF)

Anonymous Endpoints

/health
/healthz

Session Validation Contract

BFF requires at least one session cookie:
- thalos_session
- thalos_refresh
BFF calls Thalos session introspection endpoint:
- GET /api/identity/session/me
Base address configured by:
- ThalosAuth:BaseAddress

Error Semantics

Standard auth error payload:

{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}

401: missing or invalid session
403: permission denied by identity service

Correlation

Incoming/outgoing correlation header: x-correlation-id
Correlation ID is forwarded to Thalos session validation call.

988 B Raw Blame History

Auth Enforcement

Scope

Protected Endpoints

Anonymous Endpoints

Session Validation Contract

Error Semantics

Correlation

988 B

Raw Blame History