# Authentication and Authorization Flow (API)

This document defines how authentication and authorization are enforced in the API.

Shared contract:

- [`docs/architecture/shared/AUTH_CONTRACT.md`](docs/architecture/shared/AUTH_CONTRACT.md:1)

## 1) Enforcement location (strict)

All enforcement happens in the API.

The API must:

- authenticate the actor from the session
- authorize the actor for the requested capability
- deny requests deterministically with the appropriate HTTP status

## 2) Canonical request flow

```text
HTTP Request
↓
Authentication (resolve actor)
↓
Authorization (roles, permissions, scope)
↓
Controller (transport-only)
↓
Core Use Case
↓
Presenter mapping
↓
HTTP Response
```

## 3) Non-negotiable rules

1. Deny by default unless explicitly public.
2. The actor identity is derived from the session.
3. Controllers do not contain business rules.
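
The flow and rules above as a minimal, framework-free TypeScript pipeline. This is an added example, not the project's code: the session store, the role-to-capability table and the route table are constructed sample data, and every name (`authenticate`, `authorize`, `handleRequest`, `Access`) is an assumption for illustration. An unknown session yields 401, a missing capability 403, and a route with no declared access rule fails closed with 403.

```typescript
type Actor = { id: string; roles: string[] };
type ApiRequest = { method: string; path: string; sessionId?: string };
type ApiResponse = { status: number; body: unknown };
type Access = { kind: "public" } | { kind: "capability"; name: string };
type Route = { access: Access; useCase: (actor: Actor | null) => unknown };
// Constructed sample data: a session store and a role -> capability table.
const sessions: Record<string, Actor> = {
  "sess-alice": { id: "alice", roles: ["admin"] },
  "sess-bob": { id: "bob", roles: ["viewer"] },
};
const roleCapabilities: Record<string, string[]> = {
  admin: ["orders:read", "orders:write"],
  viewer: ["orders:read"],
};
// Route table: every route declares what it requires; use cases hold the business rules.
const routes: Record<string, Route> = {
  "GET /health": { access: { kind: "public" }, useCase: () => ({ ok: true }) },
  "GET /orders": {
    access: { kind: "capability", name: "orders:read" },
    useCase: (actor) => ({ owner: actor?.id, orders: ["order-1", "order-2"] }),
  },
  "POST /orders": {
    access: { kind: "capability", name: "orders:write" },
    useCase: (actor) => ({ created: "order-3", by: actor?.id }),
  },
};
// Authentication: the actor is resolved from the session and nothing else.
function authenticate(req: ApiRequest): Actor | null {
  return req.sessionId ? sessions[req.sessionId] ?? null : null;
}
// Authorization: does any of the actor's roles grant the requested capability?
function authorize(actor: Actor, capability: string): boolean {
  return actor.roles.some((r) => (roleCapabilities[r] ?? []).includes(capability));
}
// Presenter: maps the use-case result onto the transport response.
const present = (result: unknown): ApiResponse => ({ status: 200, body: result });
// Controller (transport-only): runs the pipeline in the canonical order and denies
// deterministically. A route that is not registered is not public, so it fails closed.
function handleRequest(req: ApiRequest): ApiResponse {
  const route: Route | undefined = routes[`${req.method} ${req.path}`];
  if (route && route.access.kind === "public") return present(route.useCase(null));
  const actor = authenticate(req);
  if (!actor) return { status: 401, body: { error: "unauthenticated" } };
  if (!route || route.access.kind !== "capability" || !authorize(actor, route.access.name)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return present(route.useCase(actor));
}
```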

Related:

- Authorization model: [`docs/architecture/api/AUTHORIZATION.md`](docs/architecture/api/AUTHORIZATION.md:1)
- Guards definition: [`docs/architecture/api/GUARDS.md`](docs/architecture/api/GUARDS.md:1)