furniture-bff/docs/security/auth-enforcement.md
2026-03-11 10:30:48 -06:00

# Auth Enforcement

## Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

## Protected Endpoints

- `/api/furniture/{furnitureId}/availability`
  - GET-only endpoint in this BFF

## Anonymous Endpoints

- `/health`
- `/healthz`

## Session Validation Contract

- The BFF requires at least one session cookie:
  - `thalos_session`
  - `thalos_refresh`
- The BFF calls the Thalos session introspection endpoint:
  - `GET /api/identity/session/me`
- The base address is configured by:
  - `ThalosAuth:BaseAddress`

## Error Semantics

Standard auth error payload:

```json
{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}
```

- `401`: missing or invalid session
- `403`: permission denied by the identity service
- `503`: identity service unavailable, or timeout during session introspection (`identity_unavailable` | `identity_timeout`)
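The contract and error mapping above, as an added example that is not the furniture-bff project's own code. It models the anonymous-path bypass, the cookie check, the introspection call with the correlation id forwarded, and the 401/403/503 outcomes with the standard payload. The introspection client is injected as a callable so it runs offline; `THALOS_BASE_ADDRESS`, `fake_introspect` and the human-readable messages are constructed for the example.

```python
"""Added example (not the furniture-bff project's own code): a small model of the
session-validation contract, written so the status/payload mapping can be
exercised offline.  The introspection call is injected as a callable so no
network is needed; the Thalos base address is a placeholder."""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_COOKIES = ("thalos_session", "thalos_refresh")
CORRELATION_HEADER = "x-correlation-id"
INTROSPECTION_PATH = "/api/identity/session/me"
ANONYMOUS_PATHS = {"/health", "/healthz"}
# Placeholder standing in for the ThalosAuth:BaseAddress setting (assumed value).
THALOS_BASE_ADDRESS = "https://thalos.example.invalid"


class IdentityUnavailable(Exception):
    """Introspection endpoint returned a 5xx or refused the connection."""


class IdentityTimeout(Exception):
    """Introspection call exceeded the BFF's timeout."""


@dataclass
class Introspection:
    valid: bool             # cookie maps to a live Thalos session
    permitted: bool = True  # identity service allows this caller


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: Optional[dict]


# Injected introspection client: (url, outbound_headers) -> Introspection
Introspect = Callable[[str, Dict[str, str]], Introspection]


def auth_error(status: int, code: str, message: str, corr: str) -> Response:
    """Build the standard auth error payload and echo the correlation header."""
    return Response(status, {CORRELATION_HEADER: corr},
                    {"code": code, "message": message, "correlationId": corr})


def enforce_session(req: Request, introspect: Introspect) -> Response:
    """Apply the contract: anonymous endpoints pass; everything else needs a
    session cookie that Thalos confirms.  A 200 with an empty body means the
    request may proceed to the business handler."""
    # Reuse the incoming correlation id or mint one, so every outcome is traceable.
    corr = req.headers.get(CORRELATION_HEADER) or str(uuid.uuid4())
    if req.path in ANONYMOUS_PATHS:
        return Response(200, {CORRELATION_HEADER: corr}, None)

    present = {k: v for k, v in req.cookies.items() if k in SESSION_COOKIES and v}
    if not present:
        return auth_error(401, "session_missing", "no Thalos session cookie", corr)

    outbound = {
        CORRELATION_HEADER: corr,  # forwarded to the session validation call
        "Cookie": "; ".join(f"{k}={v}" for k, v in present.items()),
    }
    try:
        result = introspect(THALOS_BASE_ADDRESS + INTROSPECTION_PATH, outbound)
    except IdentityTimeout:
        return auth_error(503, "identity_timeout", "session introspection timed out", corr)
    except IdentityUnavailable:
        return auth_error(503, "identity_unavailable", "identity service unavailable", corr)

    if not result.valid:
        return auth_error(401, "session_invalid", "session rejected by identity service", corr)
    if not result.permitted:
        return auth_error(403, "forbidden", "permission denied by identity service", corr)
    return Response(200, {CORRELATION_HEADER: corr}, None)


def fake_introspect(url: str, headers: Dict[str, str]) -> Introspection:
    """Constructed stand-in for Thalos: the outcome is chosen by the cookie value."""
    assert url.endswith(INTROSPECTION_PATH)
    cookie = headers.get("Cookie", "")
    if "=down" in cookie:
        raise IdentityUnavailable()
    if "=slow" in cookie:
        raise IdentityTimeout()
    if "=noperm" in cookie:
        return Introspection(valid=True, permitted=False)
    return Introspection(valid="=good" in cookie)


if __name__ == "__main__":
    r = enforce_session(Request("/api/furniture/42/availability",
                                cookies={"thalos_session": "good"},
                                headers={CORRELATION_HEADER: "abc-123"}), fake_introspect)
    print(r.status, r.headers)
```

Note that the correlation id is attached to every response, including the 503s, which is what makes a failed introspection searchable across the BFF and Thalos logs.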

## Correlation

- Incoming/outgoing correlation header: `x-correlation-id`
- The correlation ID is forwarded on the Thalos session validation call.
- When `FurnitureBff:AllowedOrigins` is explicit (not `*`), the BFF enables CORS credentials so browser session cookies are forwarded.
- Wildcard origins remain unsupported for credentialed browser calls, by design.
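The credentials rule in the last two bullets, as an added example rather than the project's own CORS code. It assumes `FurnitureBff:AllowedOrigins` is a comma-separated list of origins or the single wildcard `*` (the setting's exact format is an assumption), and shows why a wildcard never yields a credentialed response: browsers refuse `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, so the session cookies would not be sent anyway.

```python
"""Added example (not the furniture-bff project's code): CORS credential handling
for browser calls.  The FurnitureBff:AllowedOrigins value is assumed to be a
comma-separated string of origins or the single wildcard "*"."""
from typing import Dict, List


def parse_allowed_origins(setting: str) -> List[str]:
    """Split the configured origins, dropping whitespace and empty entries."""
    return [o.strip() for o in setting.split(",") if o.strip()]


def cors_headers(allowed_origins_setting: str, request_origin: str) -> Dict[str, str]:
    """Return the CORS response headers for a browser request from request_origin.

    - Explicit origins: reflect the matching origin and allow credentials, so the
      browser attaches the thalos_* cookies to the cross-origin call.
    - Wildcard anywhere in the list: no credentials.  Browsers reject "*" combined
      with credentials, and the BFF does not support credentialed wildcard calls.
    - Unknown origin: no CORS headers at all, so the browser blocks the response.
    """
    allowed = parse_allowed_origins(allowed_origins_setting)
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # the reflected value depends on the request
        }
    return {}


def credentialed_call_possible(allowed_origins_setting: str, request_origin: str) -> bool:
    """True when a page at request_origin can send session cookies to this BFF."""
    headers = cors_headers(allowed_origins_setting, request_origin)
    return headers.get("Access-Control-Allow-Credentials") == "true"


if __name__ == "__main__":
    # Constructed sample origins.
    print(cors_headers("https://shop.example, https://admin.example", "https://shop.example"))
    print(credentialed_call_possible("*", "https://shop.example"))
```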