AgileWebs/furniture-bff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8913a93252
furniture-bff/docs/security/auth-enforcement.md
José René White Enciso 8913a93252 feat(furniture-bff): harden session auth enforcement
2026-03-11 10:30:48 -06:00

1.3 KiB
Raw Blame History

Auth Enforcement

Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

Protected Endpoints

  • /api/furniture/{furnitureId}/availability
  • (GET-only endpoint in this BFF)

Anonymous Endpoints

  • /health
  • /healthz

Session Validation Contract

  • BFF requires at least one session cookie:
    • thalos_session
    • thalos_refresh
  • BFF calls Thalos session introspection endpoint:
    • GET /api/identity/session/me
  • Base address configured by:
    • ThalosAuth:BaseAddress

Error Semantics

Standard auth error payload:

{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}
  • 401: missing or invalid session
  • 403: permission denied by identity service
  • 503: identity service unavailable or timeout during session introspection (identity_unavailable|identity_timeout)

Correlation

  • Incoming/outgoing correlation header: x-correlation-id
  • Correlation ID is forwarded to Thalos session validation call.

CORS and Cookie Propagation

  • When FurnitureBff:AllowedOrigins is explicit (non-*), the BFF enables credentials so browser session cookies are forwarded.
  • Wildcard origins remain unsupported for credentialed browser calls by design.