docs: update bff readme

Author: CodeSchwert

AppleSignInBackend/README.md

@@ -105,59 +105,6 @@ Ready to receive Apple Sign-in requests from Unity!
 
 ---
 
-## Deployment
-
-### Hosting Requirements
-
-The BFF must be hosted by your studio. You have flexibility in where to deploy:
-
-- **Cloud Providers**: AWS, Google Cloud, Azure, DigitalOcean
-- **Container Services**: Docker, Kubernetes, AWS ECS, Google Cloud Run
-- **Serverless**: AWS Lambda, Google Cloud Functions (with appropriate configuration)
-- **Traditional Hosting**: Any server capable of running Node.js
-
-### Deployment Steps
-
-1. **Choose a hosting provider**
-2. **Set environment variables** (never commit `.env` to source control)
-3. **Build the TypeScript** (if using TypeScript):
-   ```bash
-   npm run build
-   ```
-4. **Deploy** the application
-5. **Configure HTTPS** (required for production)
-6. **Set up monitoring** and health checks
-7. **Configure the Unity SDK** to use your BFF URL
-
-### Environment Variables (Production)
-
-```bash
-# Server
-PORT=3000
-NODE_ENV=production
-
-# Apple
-APPLE_BUNDLE_ID=com.yourstudio.yourgame
-
-# Immutable (Production)
-IMX_AUTH_API_URL=https://api.immutable.com
-IMMUTABLE_API_KEY=sk_imapik_xxx...  # From Immutable Hub
-PASSPORT_CLIENT_ID=xxx...           # From Immutable Hub
-```
-
-### Security Checklist
-
-- [ ] HTTPS enabled (required for production)
-- [ ] Environment variables stored securely (not in code)
-- [ ] API key never exposed to clients
-- [ ] CORS configured to allow only your game domains
-- [ ] Rate limiting enabled
-- [ ] Logging and monitoring configured
-- [ ] Health checks set up
-- [ ] Firewall rules configured
-
----
-
 ## Unity Configuration
 
 ### Passport Initialization
@@ -269,7 +216,7 @@ Health check endpoint for monitoring.
 
 ### Token Exchange (BYOA)
 
-The BFF uses Immutable's "Bring Your Own Auth" (BYOA) connection:
+The BFF uses BYOA connection:
 
 ```typescript
 // BFF calls IMX Engine Auth Service
@@ -367,109 +314,6 @@ SUCCESS: Apple Sign-in Complete - Returning Tokens
 
 ---
 
-## Troubleshooting
-
-### "ERROR: IMMUTABLE_API_KEY is required but not set"
-
-The API key environment variable is missing or empty.
-
-**Solution:**
-- Check your `.env` file has `IMMUTABLE_API_KEY=sk_imapik_xxx...`
-- Verify the `.env` file is in the same directory as `server.ts`
-- Get your API key from Immutable Hub if you don't have one
-
-### "ERROR: PASSPORT_CLIENT_ID is required but not set"
-
-The client ID environment variable is missing or empty.
-
-**Solution:**
-- Check your `.env` file has `PASSPORT_CLIENT_ID=xxx...`
-- Get your client ID from Immutable Hub if you don't have one
-
-### "ERROR: Client ID mismatch"
-
-The client ID in the request doesn't match the expected value.
-
-**Solution:**
-- Verify Unity SDK is using the same client ID as configured in BFF
-- Check the `.env` file has the correct `PASSPORT_CLIENT_ID`
-
-### "ERROR: Apple token verification failed"
-
-The Apple identity token could not be verified.
-
-**Possible causes:**
-- Token is expired (tokens are valid for ~10 minutes)
-- Token signature is invalid
-- Bundle ID mismatch (token audience doesn't match `APPLE_BUNDLE_ID`)
-- Network issues connecting to Apple's JWKS endpoint
-
-**Solution:**
-- Verify `APPLE_BUNDLE_ID` matches your iOS app's bundle identifier
-- Check token is not expired
-- Ensure server can reach `https://appleid.apple.com/auth/keys`
-- Check BFF logs for detailed error message
-
-### "ERROR: Token exchange API call failed"
-
-The call to IMX Engine Auth Service failed.
-
-**Possible causes:**
-- Invalid API key
-- Invalid client ID
-- Network issues
-- Wrong environment URL
-
-**Solution:**
-- Verify `IMMUTABLE_API_KEY` is correct and active
-- Verify `PASSPORT_CLIENT_ID` is correct
-- Check `IMX_AUTH_API_URL` is correct for your environment
-- Check BFF logs for detailed error response from IMX Engine
-
-### "Cannot connect to backend" (from Unity)
-
-Unity cannot reach the BFF server.
-
-**Solution:**
-- Verify BFF is running (`GET /health` returns 200)
-- Check firewall allows connections on the BFF port
-- For iOS device: Use Mac's IP address, not `localhost`
-- For iOS simulator: `localhost` should work
-- Verify CORS is configured to allow Unity's origin
-
-### "EADDRINUSE: port already in use"
-
-Another process is using the configured port.
-
-**Solution:**
-```bash
-# Kill the process using the port
-lsof -ti:3000 | xargs kill -9
-
-# Or change port in .env
-PORT=3001
-```
-
----
-
-## Project Structure
-
-```
-AppleSignInBackend/
-├── server.ts                    # TypeScript server (recommended)
-├── server.js                    # JavaScript server (legacy)
-├── tsconfig.json               # TypeScript configuration
-├── package.json                # Dependencies and scripts
-├── env.example                 # Environment template
-├── .gitignore                  # Git ignore rules
-├── README.md                   # This file
-├── SIMPLIFIED_README.md        # Quick reference
-├── TYPESCRIPT_MIGRATION.md     # TypeScript conversion notes
-└── dist/                       # Compiled TypeScript output (gitignored)
-```
-
----
-
 ## Scripts
 
 ```bash
@@ -480,85 +324,4 @@ npm run dev            # Development with hot-reload
 
 # Build utilities
 npm run dev:build      # Watch mode - compile on changes
-
-# JavaScript (legacy)
-npm run start:js       # Run JavaScript directly
 ```
-
----
-
-## Security Best Practices
-
-### API Key Protection
-
-- ✅ Store API key in environment variables
-- ✅ Never commit API key to source control
-- ✅ Rotate API keys regularly
-- ✅ Use different keys for sandbox and production
-- ❌ Never expose API key to client applications
-- ❌ Never log API key values
-
-### Network Security
-
-- ✅ Use HTTPS in production (required)
-- ✅ Configure CORS to allow only your game domains
-- ✅ Implement rate limiting
-- ✅ Add request size limits
-- ✅ Use secure headers (helmet.js)
-
-### Monitoring & Logging
-
-- ✅ Set up health check monitoring
-- ✅ Log all authentication attempts
-- ✅ Alert on repeated failures
-- ✅ Monitor for unusual patterns
-- ❌ Don't log sensitive tokens (except for debugging)
-
-### Maintenance
-
-- ✅ Keep dependencies updated
-- ✅ Monitor for security advisories
-- ✅ Have a backup/failover plan
-- ✅ Document deployment procedures
-- ✅ Test token exchange regularly
-
----
-
-## Production Deployment Checklist
-
-- [ ] Environment variables configured
-- [ ] HTTPS enabled
-- [ ] CORS configured for production domains
-- [ ] Rate limiting enabled
-- [ ] Health checks configured
-- [ ] Monitoring and alerting set up
-- [ ] Logging configured
-- [ ] Backup and failover plan documented
-- [ ] API keys rotated and secured
-- [ ] Unity SDK configured with production BFF URL
-- [ ] End-to-end testing completed
-- [ ] Security review completed
-
----
-
-## Related Documentation
-
-- **Apple Sign-in Overview**: `docs/Apple_Signin.md`
-- **Unity SDK Setup**: See main documentation for Unity integration
-- **Test Script Example**: `sample/Assets/Scripts/Passport/AppleSignInTest/AppleSignInTestScript.cs`
-
----
-
-## Support
-
-For issues or questions:
-1. Check the troubleshooting section above
-2. Review the logs for detailed error messages
-3. Refer to `docs/Apple_Signin.md` for complete documentation
-4. Contact Immutable support if issues persist
-
----
-
-## License
-
-MIT