Security

Authn/z, rate limiting and CORS policies in the Tee Time backend and docs site.

Backend

  • Guards: Admin routes require JWT + @RequireAudience('teetime-admin').
  • Rate limiting: nestjs-rate-limiter (~60 req/min default on many routes).
  • CORS: Allowed origins constrained to dev and PROD_UI_ORIGIN; credentials allowed.

IDP & CSRF

  • Vite dev servers proxy /api/auth/* back to the IDP origin (via VITE_IDP_DEV_ORIGIN) so CSRF cookies remain same-origin (SameSite=Lax in dev, SameSite=None; Secure in prod).
  • Web clients call GET /api/auth/csrf on the IDP to receive XSRF-TOKEN.
  • Auth POSTs include withCredentials: true and X-XSRF-Token: <cookie> (double-submit).
  • Refresh supports cookie-only sessions; clients may POST /api/auth/refresh with an empty body (cookies supply session identifiers).
  • Mobile clients reuse the same cookie session — see the Mobile Expo cookie auth guide (docs/mobile/cookie-auth.md in the monorepo root) for setup, proxy usage, and troubleshooting.

Docs site

  • Basic auth enforced at ingress via Traefik middleware (teetime-docs-basicauth).
  • The Secret teetime-docs-basicauth in namespace teetime must contain a users key holding the htpasswd entries.