José René White Enciso f040a524bd feat(pos-transactions): enforce bff session auth

Why: protect pos transaction endpoints with thalos session validation.

What: add edge auth guard call to thalos session/me, preserve anonymous health endpoints, and add auth enforcement docs.

Rule: keep identity ownership in thalos and standardize edge auth behavior.

2026-03-08 15:07:38 -06:00

975 B

Raw Blame History

Auth Enforcement

Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

Protected Endpoints

/api/pos/transactions/summary
/api/pos/transactions/payments

Anonymous Endpoints

/health
/healthz

Session Validation Contract

BFF requires at least one session cookie:
- thalos_session
- thalos_refresh
BFF calls Thalos session introspection endpoint:
- GET /api/identity/session/me
Base address configured by:
- ThalosAuth:BaseAddress

Error Semantics

Standard auth error payload:

{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}

401: missing or invalid session
403: permission denied by identity service

Correlation

Incoming/outgoing correlation header: x-correlation-id
Correlation ID is forwarded to Thalos session validation call.

975 B Raw Blame History

Auth Enforcement

Scope

Protected Endpoints

Anonymous Endpoints

Session Validation Contract

Error Semantics

Correlation

975 B

Raw Blame History