diff --git a/docs/architecture.md b/docs/architecture.md index 6486f5a..bae4238 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -11,6 +11,46 @@ Seamless Auth API is an Express and TypeScript authentication service backed by - Models: Sequelize models for users, credentials, sessions, system config, auth events, organizations, TOTP credentials, and OAuth identities. - Postgres: source of truth for users, credentials, sessions, config, and audit records. +## Deployment Topology + +This API is one component in a small system. It speaks a single Bearer/JSON contract and never +sets or reads browser cookies. Browser apps do not call it directly in the recommended setup; +a trusted server adapter sits in between. + +```mermaid +flowchart LR + browser["Browser
(@seamless-auth/react)"] + adapter["Trusted server adapter
(@seamless-auth/express / core)"] + api["This API
(seamless-auth-api)"] + db[("Postgres")] + + browser -- "cookies
credentials: include" --> adapter + adapter -- "Bearer + service token
JSON, no cookies" --> api + adapter -- "JWKS verify
/.well-known/jwks.json" --> api + api --> db +``` + +**Trusted server adapter.** A server-side component (not the browser) that holds token custody +and bridges the two auth styles. In the SeamlessAuth ecosystem this is +`@seamless-auth/express` / `@seamless-auth/core`, but any backend you control can play the role. +It is "trusted" because it runs in your infrastructure, holds the session cookies +(`seamless-access`, `seamless-refresh`, `seamless-ephemeral`) on the browser side, and is the +only party that presents this API's service token. Its responsibilities: + +- Terminate the browser's cookie-based session and translate it into an `Authorization: Bearer` + header for this API. +- Attach the service token (`x-seamless-service-token`) and forwarded client IP + (`x-seamless-client-ip`) on calls that require them. +- Verify access-token signatures against this API's JWKS (`/.well-known/jwks.json`, RS256). + +Direct browser-to-API integration is possible (see the "Direct HTTP APIs (advanced)" path in the +README) but unsupported for cookie-based browser sessions, because this API issues tokens only in +JSON bodies and expects the caller to hold them securely. Keeping token custody in the adapter is +the recommended path. + +For the full dependency and contract-coupling map across sibling repositories, see +[ecosystem.md](./ecosystem.md). + ## Request Flow 1. Express receives a request and applies global middleware.