AgileWebs/waiter-floor-bff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c92a3334bc
waiter-floor-bff/src/Waiter.Floor.Bff.Rest/Program.cs
José René White Enciso b507a3bd65 feat(waiter-floor): enforce bff session auth 
Why: protect waiter business endpoints with thalos session validation.

What: add edge auth guard call to thalos session/me, preserve anonymous health endpoints, and add auth enforcement docs.

Rule: keep identity ownership in thalos and standardize edge auth behavior.
2026-03-08 15:07:38 -06:00

157 lines
5.3 KiB
C#
Raw Blame History

using System.Net;
using Microsoft.Extensions.Primitives;
using Waiter.Floor.Bff.Application.Adapters;
using Waiter.Floor.Bff.Application.Handlers;
using Waiter.Floor.Bff.Contracts.Requests;
const string CorrelationHeaderName = "x-correlation-id";
const string SessionAccessCookieName = "thalos_session";
const string SessionRefreshCookieName = "thalos_refresh";
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<IWaiterServiceClient, DefaultWaiterServiceClient>();
builder.Services.AddSingleton<IGetWaiterAssignmentsHandler, GetWaiterAssignmentsHandler>();
builder.Services.AddSingleton<ISubmitFloorOrderHandler, SubmitFloorOrderHandler>();
builder.Services.AddHttpClient("ThalosAuth");
var app = builder.Build();
app.Use(async (context, next) =>
{
var correlationId = ResolveCorrelationId(context);
context.Items[CorrelationHeaderName] = correlationId;
context.Request.Headers[CorrelationHeaderName] = correlationId;
context.Response.Headers[CorrelationHeaderName] = correlationId;
await next();
});
app.MapGet("/api/waiter/floor/assignments", async (
string contextId,
HttpContext context,
IHttpClientFactory httpClientFactory,
IConfiguration configuration,
IGetWaiterAssignmentsHandler handler,
CancellationToken ct) =>
{
var authError = await EnforceSessionAsync(context, httpClientFactory, configuration, ct);
if (authError is not null)
{
return authError;
}
var request = new GetWaiterAssignmentsRequest(contextId);
return Results.Ok(await handler.HandleAsync(request, ct));
});
app.MapPost("/api/waiter/floor/orders", async (
SubmitFloorOrderRequest request,
HttpContext context,
IHttpClientFactory httpClientFactory,
IConfiguration configuration,
ISubmitFloorOrderHandler handler,
CancellationToken ct) =>
{
var authError = await EnforceSessionAsync(context, httpClientFactory, configuration, ct);
if (authError is not null)
{
return authError;
}
return Results.Ok(await handler.HandleAsync(request, ct));
});
app.MapGet("/health", () => Results.Ok(new { status = "ok", service = "waiter-floor-bff" }));
app.MapGet("/healthz", () => Results.Ok(new { status = "ok", service = "waiter-floor-bff" }));
app.Run();
string ResolveCorrelationId(HttpContext context)
{
if (context.Items.TryGetValue(CorrelationHeaderName, out var itemValue) &&
itemValue is string itemCorrelationId &&
!string.IsNullOrWhiteSpace(itemCorrelationId))
{
return itemCorrelationId;
}
if (context.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) &&
!StringValues.IsNullOrEmpty(headerValue))
{
return headerValue.ToString();
}
return context.TraceIdentifier;
}
async Task<IResult?> EnforceSessionAsync(
HttpContext context,
IHttpClientFactory httpClientFactory,
IConfiguration configuration,
CancellationToken ct)
{
var correlationId = ResolveCorrelationId(context);
if (!context.Request.Cookies.ContainsKey(SessionAccessCookieName) &&
!context.Request.Cookies.ContainsKey(SessionRefreshCookieName))
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "session_missing", "No active session.", correlationId);
}
var thalosBaseAddress = configuration["ThalosAuth:BaseAddress"] ?? "http://thalos-bff:8080";
using var request = new HttpRequestMessage(
HttpMethod.Get,
$"{thalosBaseAddress.TrimEnd('/')}/api/identity/session/me");
request.Headers.TryAddWithoutValidation(CorrelationHeaderName, correlationId);
var cookieHeader = BuildForwardCookieHeader(context);
if (!string.IsNullOrWhiteSpace(cookieHeader))
{
request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
}
using var response = await httpClientFactory.CreateClient("ThalosAuth").SendAsync(request, ct);
if (response.StatusCode == HttpStatusCode.Forbidden)
{
return ErrorResponse(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
}
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "unauthorized", "Unauthorized request.", correlationId);
}
if (!response.IsSuccessStatusCode)
{
return ErrorResponse(StatusCodes.Status401Unauthorized, "session_invalid", "Session validation failed.", correlationId);
}
return null;
}
static string BuildForwardCookieHeader(HttpContext context)
{
var cookies = new List<string>();
if (context.Request.Cookies.TryGetValue(SessionAccessCookieName, out var accessCookie) &&
!string.IsNullOrWhiteSpace(accessCookie))
{
cookies.Add($"{SessionAccessCookieName}={accessCookie}");
}
if (context.Request.Cookies.TryGetValue(SessionRefreshCookieName, out var refreshCookie) &&
!string.IsNullOrWhiteSpace(refreshCookie))
{
cookies.Add($"{SessionRefreshCookieName}={refreshCookie}");
}
return string.Join("; ", cookies);
}
static IResult ErrorResponse(int statusCode, string code, string message, string correlationId)
{
return Results.Json(new AuthErrorResponse(code, message, correlationId), statusCode: statusCode);
}
sealed record AuthErrorResponse(string Code, string Message, string CorrelationId);
Reference in New Issue View Git Blame Copy Permalink