restaurant-admin-bff/docs/security/auth-enforcement.md

# Auth Enforcement

## Scope

This BFF enforces authenticated access on business endpoints using Thalos session validation.

## Protected Endpoints

- `/api/restaurant/admin/config`
- `/api/restaurant/admin/service-window`

## Anonymous Endpoints

- `/health`
- `/healthz`

## Session Validation Contract

- BFF requires at least one session cookie:
  - `thalos_session`
  - `thalos_refresh`
- BFF calls Thalos session introspection endpoint:
  - `GET /api/identity/session/me`
- Base address configured by:
  - `ThalosAuth:BaseAddress`

## Error Semantics

Standard auth error payload:

```json
{
  "code": "unauthorized|forbidden|session_missing|session_invalid",
  "message": "human-readable message",
  "correlationId": "request correlation id"
}
```

- `401`: missing or invalid session
- `403`: permission denied by identity service

## Correlation

- Incoming/outgoing correlation header: `x-correlation-id`
- Correlation ID is forwarded to Thalos session validation call.