thalos-bff/docs/security/permission-enforcement-map.md
José René White Enciso 56510de55e feat(thalos-bff): add canonical session endpoints
Why: standardize session login/refresh/logout/me behavior for web clients behind thalos security boundaries.

What: add canonical routes, cookie policy handling, grpc session calls, compatibility aliases, standardized auth errors, updated contracts, tests, and docs.

Rule: keep BFF as edge adapter over service contracts and preserve identity ownership in thalos.
2026-03-08 14:48:46 -06:00

# Permission Enforcement Map

## Enforcement Points

- The `identity.token.issue` permission is evaluated against the thalos-service policy contract before any token is issued.
- Session refresh is guarded by the edge session validation policy; a refresh request with no valid session is rejected before any gRPC session call is made.

## Guardrail

- Permission checks happen at BFF entrypoints and are driven by thalos-service policy responses; the BFF does not make its own authorization decisions.
- Authorization decisions are explicit and traceable at edge boundaries (each decision carries the request's correlation ID).
- The auth failure payload shape is standardized as `{ code, message, correlationId }`.
- HTTP semantics:
  - 401: no valid session, or session issuance/refresh failed.
  - 403: authenticated, but denied by the permission policy.
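
The following is an added illustration of the guardrail above, not code from thalos-bff. It assumes the BFF is written in Go (the project's actual language is not stated here), and every identifier in it (`PolicyDecision`, `Decide`, `RequirePermission`, `stubPolicy`, the `thalos_session` cookie name, the `X-Correlation-Id` header, the `SESSION_INVALID` and `PERMISSION_DENIED` codes) is hypothetical. The point it demonstrates is the separation of concerns the map describes: the policy response decides, the edge only translates that decision into 401 vs 403 and the standardized `{ code, message, correlationId }` body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthError is the standardized auth failure payload: { code, message, correlationId }.
type AuthError struct {
	Code          string `json:"code"`
	Message       string `json:"message"`
	CorrelationID string `json:"correlationId"`
}

// PolicyDecision is a hypothetical stand-in for a thalos-service policy response.
// SessionValid=false maps to 401; SessionValid=true && Allowed=false maps to 403.
type PolicyDecision struct {
	SessionValid bool
	Allowed      bool
	DenyReason   string
}

// Decide translates a policy decision into HTTP semantics. It never consults
// anything but the decision: the edge adapts, it does not authorize.
func Decide(d PolicyDecision, permission, correlationID string) (int, *AuthError) {
	switch {
	case !d.SessionValid:
		return http.StatusUnauthorized, &AuthError{Code: "SESSION_INVALID",
			Message: "no valid session", CorrelationID: correlationID}
	case !d.Allowed:
		return http.StatusForbidden, &AuthError{Code: "PERMISSION_DENIED",
			Message: fmt.Sprintf("denied %s: %s", permission, d.DenyReason), CorrelationID: correlationID}
	}
	return http.StatusOK, nil
}

// PolicyFunc stands in for the gRPC call to thalos-service (hypothetical).
type PolicyFunc func(r *http.Request, permission string) PolicyDecision

// RequirePermission guards a BFF entrypoint with a named permission.
func RequirePermission(permission string, eval PolicyFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cid := r.Header.Get("X-Correlation-Id") // hypothetical header name
		if cid == "" {
			cid = "cid-unset"
		}
		status, authErr := Decide(eval(r, permission), permission, cid)
		if authErr != nil {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(status)
			_ = json.NewEncoder(w).Encode(authErr)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// stubPolicy is a constructed in-memory policy for the demo: "s-admin" holds
// identity.token.issue, "s-user" is a valid session with no grants, anything
// else is not a session at all.
func stubPolicy(r *http.Request, permission string) PolicyDecision {
	c, err := r.Cookie("thalos_session") // hypothetical cookie name
	if err != nil || c.Value == "" {
		return PolicyDecision{}
	}
	grants := map[string]map[string]bool{
		"s-admin": {"identity.token.issue": true},
		"s-user":  {},
	}
	g, ok := grants[c.Value]
	if !ok {
		return PolicyDecision{} // unknown session -> 401
	}
	if !g[permission] {
		return PolicyDecision{SessionValid: true, DenyReason: "permission not granted"}
	}
	return PolicyDecision{SessionValid: true, Allowed: true}
}

// Probe drives the guarded endpoint with a constructed request and returns the
// status and decoded error body (zero-valued on success).
func Probe(cookie string) (int, AuthError) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := RequirePermission("identity.token.issue", stubPolicy, ok)
	req := httptest.NewRequest(http.MethodPost, "/session/token", nil)
	req.Header.Set("X-Correlation-Id", "c-123")
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "thalos_session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var body AuthError
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body
}

func main() {
	for _, c := range []string{"", "s-user", "s-admin"} {
		status, body := Probe(c)
		fmt.Printf("cookie=%q -> %d %+v\n", c, status, body)
	}
}
```

The thing to check in review is that no branch of the edge code returns 403 without a prior valid-session determination and none returns 401 for a policy denial: both mistakes leak information about which of the two boundaries a caller has crossed.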