# Auth Enforcement
## Scope
This BFF (backend-for-frontend) enforces authenticated access on its business endpoints by validating the caller's Thalos session before a protected endpoint is served.

## Protected Endpoints
|
|
|
|
- `/api/kitchen/ops/board`
|
|
- `/api/kitchen/ops/work-items/claim`
|
|
- `/api/kitchen/ops/work-items/release`
|
|
- `/api/kitchen/ops/work-items/transition`
|
|
- `/api/kitchen/ops/board/priority`
|
|
|
|
## Anonymous Endpoints

- `/health`
- `/healthz`

## Session Validation Contract

- The BFF requires at least one of the Thalos session cookies on the request:
  - `thalos_session`
  - `thalos_refresh`
- The BFF validates the session by calling the Thalos session introspection endpoint:
  - `GET /api/identity/session/me`
- The Thalos base address is configured by:
  - `ThalosAuth:BaseAddress`

## Error Semantics

Standard auth error payload:

```json
{
  "code": "unauthorized|forbidden|session_missing|session_invalid|identity_unavailable|identity_timeout",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}
```

- `401`: missing or invalid session (`unauthorized|session_missing|session_invalid`)
- `403`: permission denied by the identity service (`forbidden`)
- `503`: identity service unavailable or timed out (`identity_unavailable|identity_timeout`); the BFF fails closed, so an unreachable identity service never results in access being granted

## Correlation

- Incoming/outgoing correlation header: `x-correlation-id`
- The correlation ID is forwarded on the Thalos session validation call and echoed in the `correlationId` field of every auth error payload.

## Validation Rule

- A `200` from session introspection is not sufficient on its own: the Thalos response payload must also contain `isAuthenticated=true`, otherwise the BFF treats the session as invalid (`401`).
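
The whole contract above (anonymous bypass, cookie presence check, introspection call with the correlation header forwarded, status and error-code mapping, and the `isAuthenticated=true` rule) as one added reference implementation. This is example code written for this page, not the BFF's own code: Python is used as a framework-neutral illustration, and the `thalos_introspector` urllib transport, the error message texts, the fail-closed handling of paths not listed on this page, the minted UUID when no correlation header arrives, and the simulated Thalos outcomes in `fake_introspector` are all assumptions of the example.

```python
"""Added reference implementation of the auth contract above; not the BFF's own code."""
import json
import socket
import urllib.error
import urllib.request
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

SESSION_COOKIES = ("thalos_session", "thalos_refresh")  # at least one must be present
CORRELATION_HEADER = "x-correlation-id"
INTROSPECTION_PATH = "/api/identity/session/me"
ANONYMOUS_PATHS = frozenset({"/health", "/healthz"})

class IdentityTimeout(Exception): pass        # Thalos did not answer within the timeout
class IdentityUnavailable(Exception): pass    # Thalos could not be reached

@dataclass(frozen=True)
class IntrospectionResult:
    status: int
    body: dict

@dataclass(frozen=True)
class AuthError:
    status: int
    code: str
    message: str
    correlation_id: str

    def payload(self) -> dict:
        return {"code": self.code, "message": self.message, "correlationId": self.correlation_id}

# (Thalos cookies, correlation id) -> result; raises IdentityTimeout / IdentityUnavailable
Introspector = Callable[[dict, str], IntrospectionResult]

def enforce(path: str, cookies: dict, headers: dict, introspect: Introspector) -> Optional[AuthError]:
    """None lets the request proceed; otherwise the AuthError to send. Paths outside
    ANONYMOUS_PATHS are treated as protected (fail closed): an assumption of this example."""
    if path in ANONYMOUS_PATHS:
        return None
    # Reuse the caller's correlation id or mint one, so every error is traceable.
    cid = headers.get(CORRELATION_HEADER) or str(uuid.uuid4())
    thalos_cookies = {k: v for k, v in cookies.items() if k in SESSION_COOKIES}
    if not thalos_cookies:
        return AuthError(401, "session_missing", "No Thalos session cookie present", cid)
    try:
        result = introspect(thalos_cookies, cid)
    except IdentityTimeout:
        return AuthError(503, "identity_timeout", "Identity service timed out", cid)
    except IdentityUnavailable:
        return AuthError(503, "identity_unavailable", "Identity service unavailable", cid)
    if result.status == 403:
        return AuthError(403, "forbidden", "Permission denied by identity service", cid)
    # Validation rule: a 200 alone is not enough, the payload must carry isAuthenticated=true.
    if result.status != 200 or result.body.get("isAuthenticated") is not True:
        return AuthError(401, "session_invalid", "Session is invalid", cid)
    return None

def thalos_introspector(base_address: str, timeout: float = 2.0) -> Introspector:
    """urllib client for GET {ThalosAuth:BaseAddress}/api/identity/session/me; forwards only
    the Thalos cookies plus the correlation header. HTTP 4xx are answers, not outages."""
    def introspect(cookies: dict, cid: str) -> IntrospectionResult:
        req = urllib.request.Request(
            base_address.rstrip("/") + INTROSPECTION_PATH, method="GET",
            headers={"Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
                     CORRELATION_HEADER: cid, "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return IntrospectionResult(resp.status, json.load(resp))
        except urllib.error.HTTPError as exc:
            return IntrospectionResult(exc.code, {})
        except (TimeoutError, socket.timeout) as exc:
            raise IdentityTimeout() from exc
        except urllib.error.URLError as exc:
            if isinstance(exc.reason, (TimeoutError, socket.timeout)):
                raise IdentityTimeout() from exc
            raise IdentityUnavailable() from exc
    return introspect

def fake_introspector(outcome: str) -> Introspector:
    """Constructed stand-in for Thalos so the demo and tests run offline."""
    def introspect(cookies: dict, cid: str) -> IntrospectionResult:
        if outcome == "timeout":
            raise IdentityTimeout()
        if outcome == "down":
            raise IdentityUnavailable()
        if outcome == "forbidden":
            return IntrospectionResult(403, {})
        if outcome == "anonymous":  # 200 without isAuthenticated=true must still be rejected
            return IntrospectionResult(200, {"isAuthenticated": False})
        if outcome == "ok":
            return IntrospectionResult(200, {"isAuthenticated": True, "userId": "user-123"})
        return IntrospectionResult(401, {})
    return introspect

if __name__ == "__main__":  # constructed sample request against every simulated Thalos outcome
    for outcome in ("ok", "anonymous", "forbidden", "timeout", "down", "invalid"):
        err = enforce("/api/kitchen/ops/board", {"thalos_session": "s3cr3t", "csrf": "x"},
                      {CORRELATION_HEADER: "req-42"}, fake_introspector(outcome))
        print(f"{outcome:10} -> " + ("allow" if err is None else f"{err.status} {err.payload()}"))
```

Two design points worth keeping when porting this to the BFF's own stack: only the two Thalos cookies are forwarded to introspection, never the whole cookie jar, and the identity service being unreachable is surfaced as a `503` rather than a `401`, so clients do not discard a session that may still be valid while the check itself failed.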