From 18be0fb18385d233c1b509f6b6d5cb1724a4aece Mon Sep 17 00:00:00 2001
From: WorkClub Automation
Date: Thu, 5 Mar 2026 21:32:34 +0100
Subject: [PATCH] fix: exempt /api/clubs/me from tenant validation

- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app)
- Resolves frontend chicken-and-egg problem for club discovery
Verified:
- /api/clubs/me returns 200 OK without X-Tenant-Id header
- /api/tasks still requires X-Tenant-Id (400 Bad Request)
- Other endpoints unaffected
---
 backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs | 2 +-
 .../WorkClub.Api/Middleware/TenantValidationMiddleware.cs | 8 ++++++++
 docker-compose.yml | 4 +++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs b/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
index e12f203..c6a9b48 100644
--- a/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
+++ b/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
@@ -11,7 +11,7 @@ public static class ClubEndpoints
 var group = app.MapGroup("/api/clubs");
 group.MapGet("/me", GetMyClubs)
- .RequireAuthorization("RequireMember")
+ .RequireAuthorization("RequireViewer")
 .WithName("GetMyClubs");
 group.MapGet("/current", GetCurrentClub)
diff --git a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
index 6d5a07c..c347ec2 100644
--- a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
+++ b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
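Review bot: The `/me` mapping in ClubEndpoints.cs drops from `RequireMember` to `RequireViewer` with no comment at the call site explaining why, and the same commit removes tenant validation for this path, so the handler becomes the only place that scopes the result. I would add a comment above the mapping such as `// Bootstrap endpoint: called before a tenant is selected, so GetMyClubs must list clubs only from the caller's token claims`. GetMyClubs itself is outside this hunk, so it should be confirmed that it reads no client-supplied tenant value and returns nothing beyond the caller's own memberships.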
@@ -22,6 +22,14 @@ public class TenantValidationMiddleware
 return;
 }
+ // Exempt /api/clubs/me from tenant validation - this is the bootstrap endpoint
+ if (context.Request.Path.StartsWithSegments("/api/clubs/me"))
+ {
+ _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
+ await _next(context);
+ return;
+ }
+
 if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
 string.IsNullOrWhiteSpace(tenantIdHeader))
 {
diff --git a/docker-compose.yml b/docker-compose.yml
index 1872982..1fd21dc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,12 +79,14 @@ services:
 context: ./frontend
 dockerfile: Dockerfile.dev
 container_name: workclub_frontend
+ extra_hosts:
+ - "localhost:host-gateway"
 environment:
 NEXT_PUBLIC_API_URL: "http://localhost:5001"
 API_INTERNAL_URL: "http://dotnet-api:8080"
 NEXTAUTH_URL: "http://localhost:3000"
 NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
- KEYCLOAK_CLIENT_ID: "workclub-api"
+ KEYCLOAK_CLIENT_ID: "workclub-app"
 KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
 KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
 ports:
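Review bot: `StartsWithSegments("/api/clubs/me")` in TenantValidationMiddleware exempts more than the one bootstrap route: it also matches any sub-path under `/api/clubs/me/`, for every HTTP method, so a route added below that prefix later would skip tenant validation without this middleware being touched. An exact comparison keeps the exemption as narrow as the comment says, e.g. `if (context.Request.Path.Equals(new PathString("/api/clubs/me"), StringComparison.OrdinalIgnoreCase))`. The branch also logs at Information level on every exempted request, where `LogDebug` would carry the same detail with less noise. The enclosing method starts and ends outside the hunk, so whether authentication is enforced before this branch cannot be confirmed from here.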
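Review bot: The added `extra_hosts` entry in docker-compose.yml remaps `localhost` inside the frontend container to the Docker host, which the commit message does not mention and which affects every `localhost` URL this service resolves, `NEXTAUTH_URL` included. Overriding `localhost` is fragile because the container normally also has a loopback entry for that name; a dedicated alias such as `host.docker.internal:host-gateway` is easier to reason about, provided the issuer URL can be made to match. Separately, `KEYCLOAK_CLIENT_ID` now names `workclub-app` while the `KEYCLOAK_CLIENT_SECRET` value on the next line still refers to `workclub-api`; confirm that secret belongs to the new client, or remove it if that client is public. At minimum a comment above `extra_hosts` stating why the mapping is needed would help the next reader.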