backend/WorkClub.Infrastructure/Services/TenantProvider.cs

using System.Security.Claims;
using System.Text.Json;
using Finbuckle.MultiTenant;
using Finbuckle.MultiTenant.Abstractions;
using Microsoft.AspNetCore.Http;
using WorkClub.Application.Interfaces;

namespace WorkClub.Infrastructure.Services;

public class TenantProvider : ITenantProvider
{
    private readonly IMultiTenantContextAccessor _multiTenantContextAccessor;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public TenantProvider(
        IMultiTenantContextAccessor multiTenantContextAccessor,
        IHttpContextAccessor httpContextAccessor)
    {
        _multiTenantContextAccessor = multiTenantContextAccessor;
        _httpContextAccessor = httpContextAccessor;
    }

    public string GetTenantId()
    {
        var tenantInfo = _multiTenantContextAccessor.MultiTenantContext?.TenantInfo;
        if (tenantInfo == null || string.IsNullOrEmpty(tenantInfo.Identifier))
        {
            throw new InvalidOperationException("Tenant context is not available");
        }

        return tenantInfo.Identifier;
    }

    public string GetUserRole()
    {
        var httpContext = _httpContextAccessor.HttpContext;
        if (httpContext?.User == null)
        {
            throw new InvalidOperationException("User context is not available");
        }

        var tenantId = GetTenantId();
        var clubsClaim = httpContext.User.FindFirst("clubs")?.Value;

        if (string.IsNullOrEmpty(clubsClaim))
        {
            throw new InvalidOperationException("User does not have clubs claim");
        }

        var clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
        if (clubsDict == null || !clubsDict.TryGetValue(tenantId, out var role))
        {
            throw new InvalidOperationException($"User is not a member of tenant {tenantId}");
        }

        return role;
    }
}
feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure) 2026-03-03 14:32:21 +01:00			`using System.Security.Claims;`
			`using System.Text.Json;`
			`using Finbuckle.MultiTenant;`
			`using Finbuckle.MultiTenant.Abstractions;`
			`using Microsoft.AspNetCore.Http;`
			`using WorkClub.Application.Interfaces;`

			`namespace WorkClub.Infrastructure.Services;`

			`public class TenantProvider : ITenantProvider`
			`{`
fix(backend): simplify Finbuckle namespace imports and register DB interceptors - Use consolidated Finbuckle.MultiTenant namespace instead of separate imports - Switch TenantProvider to use untyped IMultiTenantContextAccessor (Finbuckle 9.x pattern) - Register TenantDbConnectionInterceptor and SaveChangesTenantInterceptor as singletons - Add interceptors to DbContext configuration for RLS tenant context support - Update evidence files for Task 7 and Task 8 verification 2026-03-03 18:52:35 +01:00			`private readonly IMultiTenantContextAccessor _multiTenantContextAccessor;`
feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure) 2026-03-03 14:32:21 +01:00			`private readonly IHttpContextAccessor _httpContextAccessor;`

			`public TenantProvider(`
fix(backend): simplify Finbuckle namespace imports and register DB interceptors - Use consolidated Finbuckle.MultiTenant namespace instead of separate imports - Switch TenantProvider to use untyped IMultiTenantContextAccessor (Finbuckle 9.x pattern) - Register TenantDbConnectionInterceptor and SaveChangesTenantInterceptor as singletons - Add interceptors to DbContext configuration for RLS tenant context support - Update evidence files for Task 7 and Task 8 verification 2026-03-03 18:52:35 +01:00			`IMultiTenantContextAccessor multiTenantContextAccessor,`
feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure) 2026-03-03 14:32:21 +01:00			`IHttpContextAccessor httpContextAccessor)`
			`{`
			`_multiTenantContextAccessor = multiTenantContextAccessor;`
			`_httpContextAccessor = httpContextAccessor;`
			`}`

			`public string GetTenantId()`
			`{`
			`var tenantInfo = _multiTenantContextAccessor.MultiTenantContext?.TenantInfo;`
			`if (tenantInfo == null \|\| string.IsNullOrEmpty(tenantInfo.Identifier))`
			`{`
			`throw new InvalidOperationException("Tenant context is not available");`
			`}`
style(backend): apply dotnet format whitespace normalization - Applied dotnet format to 24 files in backend/ - Corrects spacing, indentation, and formatting consistency - No functional changes to code logic Ultraworked with Sisyphus <https://github.com/code-yeongyu/oh-my-opencode> Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai> 2026-03-05 11:07:19 +01:00
feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure) 2026-03-03 14:32:21 +01:00			`return tenantInfo.Identifier;`
			`}`

			`public string GetUserRole()`
			`{`
			`var httpContext = _httpContextAccessor.HttpContext;`
			`if (httpContext?.User == null)`
			`{`
			`throw new InvalidOperationException("User context is not available");`
			`}`

			`var tenantId = GetTenantId();`
			`var clubsClaim = httpContext.User.FindFirst("clubs")?.Value;`
style(backend): apply dotnet format whitespace normalization - Applied dotnet format to 24 files in backend/ - Corrects spacing, indentation, and formatting consistency - No functional changes to code logic Ultraworked with Sisyphus <https://github.com/code-yeongyu/oh-my-opencode> Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai> 2026-03-05 11:07:19 +01:00
feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware - Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure) 2026-03-03 14:32:21 +01:00			`if (string.IsNullOrEmpty(clubsClaim))`
			`{`
			`throw new InvalidOperationException("User does not have clubs claim");`
			`}`

			`var clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);`
			`if (clubsDict == null \|\| !clubsDict.TryGetValue(tenantId, out var role))`
			`{`
			`throw new InvalidOperationException($"User is not a member of tenant {tenantId}");`
			`}`

			`return role;`
			`}`
			`}`