Auth Enforcement
Scope
This BFF enforces authenticated access on business endpoints using Thalos session validation.
Protected Endpoints
- /api/waiter/floor/assignments
- /api/waiter/floor/orders
Anonymous Endpoints
- /health
- /healthz
Session Validation Contract
- BFF requires at least one session cookie:
  - thalos_session
  - thalos_refresh
- BFF calls Thalos session introspection endpoint:
GET /api/identity/session/me
- Base address configured by:
ThalosAuth:BaseAddress
Error Semantics
Standard auth error payload:
{
"code": "unauthorized|forbidden|session_missing|session_invalid",
"message": "human-readable message",
"correlationId": "request correlation id"
}
- 401: missing or invalid session
- 403: permission denied by identity service
- 503: identity service unavailable or timeout (identity_unavailable|identity_timeout)
Correlation
- Incoming/outgoing correlation header:
  - x-correlation-id
- The correlation ID is forwarded on the Thalos session validation call.
Validation Rule
- A successful session introspection must also include isAuthenticated=true in the Thalos response payload; a 200 response without it is treated as an invalid session.
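The contract above (cookie precondition, introspection call, error semantics, correlation forwarding and the isAuthenticated rule) as one decision function. This is an added example, not the BFF's own code: the introspection call is abstracted as a callable so the rules run offline, and the function/exception names, the default-deny treatment of unlisted paths and the error messages are assumptions.

```python
from typing import Callable, Dict, Optional, Tuple

# Endpoint and cookie names from the contract; paths not listed as anonymous are
# treated as protected (deny by default, an assumption of this example).
ANONYMOUS = ("/health", "/healthz")
SESSION_COOKIES = ("thalos_session", "thalos_refresh")


class IdentityTimeout(Exception):
    """Raised by the introspection callable when Thalos does not answer in time."""


class IdentityUnavailable(Exception):
    """Raised by the introspection callable when Thalos cannot be reached."""


def _error(status: int, code: str, message: str, correlation_id: str) -> Tuple[int, dict]:
    # Standard auth error payload; correlationId always echoes the request's id.
    return status, {"code": code, "message": message, "correlationId": correlation_id}


def enforce_session(path: str, cookies: Dict[str, str], correlation_id: str,
                    introspect: Callable[[Dict[str, str], str], Tuple[int, Optional[dict]]]):
    """Return (status, error_payload). (200, None) means the request may proceed.

    introspect(cookies, correlation_id) stands in for GET /api/identity/session/me
    against ThalosAuth:BaseAddress with x-correlation-id forwarded (assumed signature).
    """
    if path in ANONYMOUS:
        return 200, None
    if not any(cookies.get(name) for name in SESSION_COOKIES):
        return _error(401, "session_missing", "no session cookie present", correlation_id)
    try:
        status, body = introspect(cookies, correlation_id)
    except IdentityTimeout:
        return _error(503, "identity_timeout", "identity service timed out", correlation_id)
    except IdentityUnavailable:
        return _error(503, "identity_unavailable", "identity service unavailable", correlation_id)
    if status == 403:
        return _error(403, "forbidden", "permission denied by identity service", correlation_id)
    # Validation Rule: a 200 alone is not enough, the payload must state isAuthenticated=true.
    if status != 200 or (body or {}).get("isAuthenticated") is not True:
        return _error(401, "session_invalid", "session rejected by identity service", correlation_id)
    return 200, None


def fake_introspect(outcome):
    """Constructed stub: outcome is a (status, body) tuple or "timeout" / "down"."""
    def call(cookies, correlation_id):
        if outcome == "timeout":
            raise IdentityTimeout()
        if outcome == "down":
            raise IdentityUnavailable()
        return outcome
    return call
```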