# Authentication and Authorization (Shared Contract)

This document defines the shared, cross-app contract for authentication and authorization.

It does not define Next.js routing details or NestJS guard wiring.

App-specific documents:

- API enforcement: [`docs/architecture/api/AUTH_FLOW.md`](docs/architecture/api/AUTH_FLOW.md:1)
- Website UX flow: [`docs/architecture/website/WEBSITE_AUTH_FLOW.md`](docs/architecture/website/WEBSITE_AUTH_FLOW.md:1)

## 1) Core principle (non-negotiable)

The API is the single source of truth for:

- who the actor is
- what the actor is allowed to do

The website may improve UX. It does not enforce security.

## 2) Authentication (strict)

Authentication answers:

- who is this actor

Rules:

- the actor identity is derived from the authenticated session
- the client must never be allowed to claim an identity

## 3) Authorization (strict)

Authorization answers:

- is this actor allowed to perform this action

Rules:

- authorization is enforced in the API
- the website may hide or disable UI, but cannot enforce correctness

See: [`docs/architecture/api/AUTHORIZATION.md`](docs/architecture/api/AUTHORIZATION.md:1)
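The rules in sections 2 and 3 are easiest to see as code. The following is an added example, not code from this contract or the project: a framework-agnostic TypeScript handler (no NestJS wiring) that takes the actor from the session, decides authorization inside the API, and, for contrast, the client-trusting anti-pattern the contract forbids. The `Session` and `ApiRequest` shapes, the roles and the policy table are assumptions.

```typescript
// Added example (not part of the contract or the project's code): a
// framework-agnostic API handler written to the rules in sections 2 and 3.
// The Session/ApiRequest shapes, the roles and the policy table are assumptions.

type Role = "customer" | "support";
type Action = "order:read" | "order:cancel";

interface Session { actorId: string; role: Role }

interface ApiRequest {
  session: Session | null;                      // set by the authentication layer
  body: { actorId?: string; orderId: string };  // client-controlled, untrusted
}

type Outcome =
  | { status: 200; actor: string; orderId: string }
  | { status: 401 | 403; reason: string };

// Authorization policy lives in the API; the website may only mirror it for UX.
const POLICY: Record<Role, Action[]> = {
  customer: ["order:read", "order:cancel"],
  support: ["order:read"],
};

// Authentication: "who is this actor" is answered from the session only.
// req.body.actorId is deliberately never consulted.
function authenticate(req: ApiRequest): Session | null {
  return req.session;
}

// Authorization: "is this actor allowed to perform this action" is decided
// here, in the API, regardless of what the website showed or hid.
function authorize(session: Session, action: Action): boolean {
  return POLICY[session.role].indexOf(action) !== -1;
}

export function handleCancelOrder(req: ApiRequest): Outcome {
  const session = authenticate(req);
  if (!session) return { status: 401, reason: "unauthenticated" };
  if (!authorize(session, "order:cancel")) return { status: 403, reason: "forbidden" };
  return { status: 200, actor: session.actorId, orderId: req.body.orderId };
}

// Anti-pattern the contract forbids: the client is allowed to claim an identity.
export function insecureCancelOrder(req: ApiRequest): Outcome {
  const actor = req.body.actorId ?? req.session?.actorId;  // client wins: do not do this
  if (!actor) return { status: 401, reason: "unauthenticated" };
  return { status: 200, actor, orderId: req.body.orderId };
}
```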
## 4) Shared terminology (hard)

- Guard: API enforcement mechanism
- Blocker: website UX prevention mechanism

Shared contract: [`docs/architecture/shared/BLOCKERS_AND_GUARDS.md`](docs/architecture/shared/BLOCKERS_AND_GUARDS.md:1)