AgileWebs/thalos-bff

José René White Enciso 56510de55e feat(thalos-bff): add canonical session endpoints

Why: standardize session login/refresh/logout/me behavior for web clients behind thalos security boundaries.

What: add canonical routes, cookie policy handling, grpc session calls, compatibility aliases, standardized auth errors, updated contracts, tests, and docs.

Rule: keep BFF as edge adapter over service contracts and preserve identity ownership in thalos.

2026-03-08 14:48:46 -06:00

1022 B

Raw Blame History

Identity Edge API

Active External Protocol

REST is the active external protocol for this BFF deployment.
Internal service calls default to gRPC-adapted contracts.

Entrypoints

Canonical session endpoints:
- POST /api/identity/session/login
- POST /api/identity/session/refresh
- POST /api/identity/session/logout
- GET /api/identity/session/me
Compatibility endpoint:
- POST /api/identity/token
- POST /api/identity/login
- POST /api/identity/token/refresh
- POST /api/identity/logout

Boundary Notes

Endpoint handlers perform edge validation and permission checks.
Session login and refresh call canonical thalos-service session gRPC operations.
Session cookies are managed at the BFF edge (thalos_session, thalos_refresh) with env-driven secure flag.
Token issuance and policy evaluation contracts remain available for compatibility calls.
Business orchestration remains in thalos-service.
Identity abstractions remain owned by Thalos repositories.