4 changed files with 10 additions and 76 deletions
--- a/docs/runbooks/containerization.md
+++ b/docs/runbooks/containerization.md
@ -23,8 +23,6 @@ docker run --rm -p 8080:8080 --name waiter-floor-bff agilewebs/waiter-floor-bff:
 ## Runtime Notes

 - Exposes REST edge endpoints for waiter assignment and order submission flows.
- Requires `ThalosAuth__BaseAddress` to resolve Thalos session introspection endpoint.
- Returns standardized auth failures (`401|403|503`) with `x-correlation-id` propagation.

 ## Health Endpoint Consistency

--- a/docs/security/auth-enforcement.md
+++ b/docs/security/auth-enforcement.md
@ -38,13 +38,8 @@ Standard auth error payload:

 - `401`: missing or invalid session
 - `403`: permission denied by identity service
- `503`: identity service unavailable or timeout (`identity_unavailable|identity_timeout`)

 ## Correlation

 - Incoming/outgoing correlation header: `x-correlation-id`
 - Correlation ID is forwarded to Thalos session validation call.
-
-## Validation Rule
-
- Successful session introspection must also include `isAuthenticated=true` in Thalos response payload.
--- a/src/Waiter.Floor.Bff.Rest/Program.cs
+++ b/src/Waiter.Floor.Bff.Rest/Program.cs
@ -3,7 +3,6 @@ using Microsoft.Extensions.Primitives;
 using Waiter.Floor.Bff.Application.Adapters;
 using Waiter.Floor.Bff.Application.Handlers;
 using Waiter.Floor.Bff.Contracts.Requests;
-using Waiter.Floor.Bff.Rest.Security;

 const string CorrelationHeaderName = "x-correlation-id";
 const string SessionAccessCookieName = "thalos_session";
@ -110,30 +109,8 @@ async Task<IResult?> EnforceSessionAsync(
        request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
    }

-    HttpResponseMessage response;
-    try
-    {
-        response = await httpClientFactory.CreateClient("ThalosAuth").SendAsync(request, ct);
-    }
-    catch (HttpRequestException)
-    {
-        return ErrorResponse(
-            StatusCodes.Status503ServiceUnavailable,
-            "identity_unavailable",
-            "Identity service is temporarily unavailable.",
-            correlationId);
-    }
-    catch (TaskCanceledException)
-    {
-        return ErrorResponse(
-            StatusCodes.Status503ServiceUnavailable,
-            "identity_timeout",
-            "Identity service did not respond in time.",
-            correlationId);
-    }
+    using var response = await httpClientFactory.CreateClient("ThalosAuth").SendAsync(request, ct);

-    using (response)
-    {
    if (response.StatusCode == HttpStatusCode.Forbidden)
    {
        return ErrorResponse(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
@ -149,13 +126,6 @@ async Task<IResult?> EnforceSessionAsync(
        return ErrorResponse(StatusCodes.Status401Unauthorized, "session_invalid", "Session validation failed.", correlationId);
    }

-        var payload = await response.Content.ReadAsStringAsync(ct);
-        if (!SessionMePayloadParser.IsAuthenticated(payload))
-        {
-            return ErrorResponse(StatusCodes.Status401Unauthorized, "session_invalid", "Session validation failed.", correlationId);
-        }
-    }
-
    return null;
 }

--- a/src/Waiter.Floor.Bff.Rest/Security/SessionMePayloadParser.cs
+++ b/src/Waiter.Floor.Bff.Rest/Security/SessionMePayloadParser.cs
@ -1,29 +0,0 @@
-using System.Text.Json;
-
-namespace Waiter.Floor.Bff.Rest.Security;
-
-public static class SessionMePayloadParser
-{
-    public static bool IsAuthenticated(string payload)
-    {
-        if (string.IsNullOrWhiteSpace(payload))
-        {
-            return false;
-        }
-
-        try
-        {
-            using var document = JsonDocument.Parse(payload);
-            if (!document.RootElement.TryGetProperty("isAuthenticated", out var value))
-            {
-                return false;
-            }
-
-            return value.ValueKind == JsonValueKind.True;
-        }
-        catch (JsonException)
-        {
-            return false;
-        }
-    }
-}