Auth Enforcement

Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

Protected Endpoints

/api/pos/transactions/summary
/api/pos/transactions/recent-payments
/api/pos/transactions/{transactionId}
/api/pos/transactions/payments

Anonymous Endpoints

/health
/healthz

Session Validation Contract

BFF requires at least one session cookie:
- thalos_session
- thalos_refresh
BFF calls Thalos session introspection endpoint:
- GET /api/identity/session/me
Base address configured by:
- ThalosAuth:BaseAddress

Error Semantics

Standard auth error payload:

{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}

401: missing or invalid session
403: permission denied by identity service
503: identity service unavailable or timeout (identity_unavailable|identity_timeout)

Correlation

Incoming/outgoing correlation header: x-correlation-id
Correlation ID is forwarded to Thalos session validation call.

Validation Rule

Successful session introspection must also include isAuthenticated=true in Thalos response payload.

1.2 KiB Raw Permalink Blame History

Auth Enforcement

Scope

Protected Endpoints

Anonymous Endpoints

Session Validation Contract

Error Semantics

Correlation

Validation Rule

1.2 KiB

Raw Permalink Blame History