MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware

Browse Source 
- Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups)
- Implement RLS policies with SET LOCAL for tenant isolation
- Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback
- Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header
- Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor)
- Configure AppDbContext with tenant scoping and RLS support
- Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture
- Write TDD integration tests for multi-tenant isolation and RLS enforcement
- Add health check null safety for connection string

Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)
This commit is contained in:
WorkClub Automation
2026-03-03 14:32:21 +01:00
parent b9edbb8a65
commit 28964c6767
35 changed files with 4006 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
.sisyphus/evidence/task-6-final-summary.txt Normal file
View File

@@ -0,0 +1,68 @@
TASK 6: KUBERNETES KUSTOMIZE BASE MANIFESTS — COMPLETE ✓
==========================================================
DELIVERABLES:
✓ Created /infra/k8s/base/ directory structure
✓ All 11 manifest files created:
- kustomization.yaml (root orchestrator)
- backend-deployment.yaml (1 replica, port 8080, health probes)
- backend-service.yaml (ClusterIP, port 80→8080)
- frontend-deployment.yaml (1 replica, port 3000, health probe)
- frontend-service.yaml (ClusterIP, port 80→3000)
- postgres-statefulset.yaml (1 replica, 10Gi PVC, pg_isready)
- postgres-service.yaml (headless + primary service)
- keycloak-deployment.yaml (1 replica, port 8080, production mode)
- keycloak-service.yaml (ClusterIP)
- configmap.yaml (app config + postgres init script)
- ingress.yaml (path-based routing: / → frontend, /api → backend)
VERIFICATION RESULTS:
✓ kustomize build infra/k8s/base: SUCCESS (456 lines valid YAML)
✓ Resource kinds: ConfigMap, Deployment (3), Ingress, Service (5), StatefulSet
✓ Resource naming: All use consistent workclub- prefix
✓ Health probes: .NET (startup/live/ready), Frontend (/api/health), Postgres (pg_isready)
✓ Environment variables: All services reference ConfigMap/Secrets correctly
✓ Volumes: StatefulSet volumeClaimTemplate 10Gi, ConfigMap mounts for init scripts
✓ Headless service: workclub-postgres-headless with publishNotReadyAddresses: true
REQUIREMENT COVERAGE:
✓ Backend: 1 replica, port 8080, all three .NET health probes
✓ Frontend: 1 replica, port 3000, /api/health probe
✓ PostgreSQL: StatefulSet, 1 replica, port 5432, 10Gi storage, pg_isready check
✓ Keycloak: 1 replica, port 8080, KC_DB=postgres, production start command
✓ ConfigMap: log-level, cors-origins, api-base-url, keycloak-url, database config
✓ Ingress: Single domain routing with pathType: Prefix for /api
✓ Resource limits: Placeholders (100m/256Mi requests, 500m/512Mi limits)
✓ Image tags: :latest placeholder for all app images
LEARNING OUTCOMES:
✓ Documented in .sisyphus/notepads/club-work-manager/learnings.md
✓ Kustomize base+overlay pattern vs Helm
✓ K8s resource naming and labeling conventions
✓ .NET health probe semantics and timing
✓ StatefulSet + headless service pattern for Postgres
✓ PostgreSQL initialization via ConfigMap
✓ Keycloak 26.x production mode configuration
✓ Ingress path-based routing design
✓ ConfigMap strategy for non-sensitive data
✓ Resource request/limit placeholders
GIT COMMIT:
✓ Commit: a103248
✓ Message: "docs(k8s): add Task 6 Kustomize base manifests learnings"
✓ Files modified: .sisyphus/notepads/club-work-manager/learnings.md (415 insertions)
EVIDENCE FILES:
✓ .sisyphus/evidence/task-6-kustomize-base.txt (verification results)
✓ .sisyphus/evidence/task-6-resource-names.txt (resource inventory)
✓ .sisyphus/evidence/task-6-final-summary.txt (this file)
NOTES FOR NEXT TASKS:
- Base manifests ready for Task 25 (dev overlay creation)
- Image tags will be overridden per environment in overlays
- Resource limits will be environment-specific in overlays
- TLS/cert-manager deferred to production overlay
- Health check endpoints require implementation in backend/frontend code
- Secret values (passwords) must be created separately before deployment
STATUS: READY FOR DEPLOYMENT PLANNING

197
.sisyphus/evidence/task-8-green-phase-attempt2.txt Normal file
View File

File diff suppressed because one or more lines are too long

1131
.sisyphus/evidence/task-8-green-phase-success.txt Normal file
View File

File diff suppressed because one or more lines are too long

119
.sisyphus/evidence/task-8-green-phase.txt Normal file
View File

@@ -0,0 +1,119 @@
Der Buildvorgang wurde am 03.03.2026 14:23:14 gestartet.
1>Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" auf Knoten "1", Restore Ziel(e).
1>_GetAllRestoreProjectPathItems:
Wiederherzustellende Projekte werden ermittelt...
1>Das Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1) erstellt "/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj" (2:4) auf Knoten "1", _GenerateProjectRestoreGraph Ziel(e).
2>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
1>Das Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1) erstellt "/Users/mastermito/Dev/opencode/backend/WorkClub.Application/WorkClub.Application.csproj" (4:6) auf Knoten "4", _GenerateProjectRestoreGraph Ziel(e).
4>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
2>AddPrunePackageReferences:
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0
1>Das Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1) erstellt "/Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/WorkClub.Infrastructure.csproj" (5:5) auf Knoten "3", _GenerateProjectRestoreGraph Ziel(e).
5>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
4>AddPrunePackageReferences:
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref
1>Das Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1) erstellt "/Users/mastermito/Dev/opencode/backend/WorkClub.Domain/WorkClub.Domain.csproj" (3:6) auf Knoten "2", _GenerateProjectRestoreGraph Ziel(e).
3>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
4>AddPrunePackageReferences:
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0
3>AddPrunePackageReferences:
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
5>AddPrunePackageReferences:
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0
2>AddPrunePackageReferences:
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0/data/PackageOverrides.txt
3>AddPrunePackageReferences:
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0
2>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.AspNetCore.App.Ref
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.AspNetCore.App.Ref/10.0.0
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.AspNetCore.App.Ref/10.0.0/data/PackageOverrides.txt
4>AddPrunePackageReferences:
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0/data/PackageOverrides.txt
5>AddPrunePackageReferences:
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0/data/PackageOverrides.txt
3>AddPrunePackageReferences:
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0/data/PackageOverrides.txt
4>Die Erstellung von Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Application/WorkClub.Application.csproj" ist abgeschlossen (_GenerateProjectRestoreGraph Ziel(e)).
5>Die Erstellung von Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/WorkClub.Infrastructure.csproj" ist abgeschlossen (_GenerateProjectRestoreGraph Ziel(e)).
3>Die Erstellung von Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Domain/WorkClub.Domain.csproj" ist abgeschlossen (_GenerateProjectRestoreGraph Ziel(e)).
2>Die Erstellung von Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj" ist abgeschlossen (_GenerateProjectRestoreGraph Ziel(e)).
1>Das Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1) erstellt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (1:6) auf Knoten "1", _GenerateProjectRestoreGraph Ziel(e).
1>AddPrunePackageReferences:
Loading prune package data from PrunePackageData folder
Failed to load prune package data from PrunePackageData folder, loading from targeting packs instead
Looking for targeting packs in /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref
Pack directories found: /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0
Found package overrides file /usr/local/share/dotnet/packs/Microsoft.NETCore.App.Ref/10.0.0/data/PackageOverrides.txt
1>Die Erstellung von Projekt "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" ist abgeschlossen (_GenerateProjectRestoreGraph Ziel(e)).
1>Restore:
Bei der Überprüfung der X.509-Zertifikatkette wird das Fallbackzertifikatpaket bei „/usr/local/share/dotnet/sdk/10.0.100/trustedroots/codesignctl.pem“ verwendet.
Bei der Überprüfung der X.509-Zertifikatkette wird das Fallbackzertifikatpaket bei „/usr/local/share/dotnet/sdk/10.0.100/trustedroots/timestampctl.pem“ verwendet.
Die Assetdatei wurde nicht geändert. Das Schreiben der Assetdatei wird übersprungen. Pfad: /Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/obj/project.assets.json
Die Assetdatei wurde nicht geändert. Das Schreiben der Assetdatei wird übersprungen. Pfad: /Users/mastermito/Dev/opencode/backend/WorkClub.Domain/obj/project.assets.json
"/Users/mastermito/Dev/opencode/backend/WorkClub.Infrastructure/WorkClub.Infrastructure.csproj" wiederhergestellt (in 32 ms.).
"/Users/mastermito/Dev/opencode/backend/WorkClub.Domain/WorkClub.Domain.csproj" wiederhergestellt (in 32 ms.).
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Application/WorkClub.Application.csproj : warning NU1603: WorkClub.Application hängt von Finbuckle.MultiTenant (>= 8.2.0) ab, aber Finbuckle.MultiTenant 8.2.0 wurde nicht gefunden. Finbuckle.MultiTenant 9.0.0 wurde stattdessen aufgelöst. [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
Die Assetdatei wurde nicht geändert. Das Schreiben der Assetdatei wird übersprungen. Pfad: /Users/mastermito/Dev/opencode/backend/WorkClub.Application/obj/project.assets.json
"/Users/mastermito/Dev/opencode/backend/WorkClub.Application/WorkClub.Application.csproj" wiederhergestellt (in 46 ms.).
Pakete für "/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj" werden wiederhergestellt...
Pakete für "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" werden wiederhergestellt...
CACHE https://api.nuget.org/v3-flatcontainer/aspnetcore.healthchecks.npgsql/index.json
CACHE https://api.nuget.org/v3-flatcontainer/finbuckle.multitenant/index.json
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : error NU1102: Das Paket "AspNetCore.HealthChecks.NpgSql" der Version (>= 10.0.0) wurde nicht gefunden.
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : error NU1102: - 24 Version(en) gefunden in "nuget.org" [ Nächste Version: 9.0.0 ]
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj : error NU1102: Das Paket "AspNetCore.HealthChecks.NpgSql" der Version (>= 10.0.0) wurde nicht gefunden. [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj : error NU1102: - 24 Version(en) gefunden in "nuget.org" [ Nächste Version: 9.0.0 ] [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
CACHE https://api.nuget.org/v3/vulnerabilities/index.json
CACHE https://api.nuget.org/v3-vulnerabilities/2026.02.28.05.40.06/vulnerability.base.json
CACHE https://api.nuget.org/v3-vulnerabilities/2026.02.28.05.40.06/2026.03.02.23.40.14/vulnerability.update.json
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
1>/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
Die Assetdatei wurde nicht geändert. Das Schreiben der Assetdatei wird übersprungen. Pfad: /Users/mastermito/Dev/opencode/backend/WorkClub.Api/obj/project.assets.json
Die MSBuild-Datei "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/obj/WorkClub.Tests.Integration.csproj.nuget.g.props" wird generiert.
Die Assetdatei wird auf den Datenträger geschrieben. Pfad: /Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/obj/project.assets.json
Fehler beim Wiederherstellen von "/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj" (in 227 ms.).
Fehler beim Wiederherstellen von "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (in 233 ms.).
Verwendete NuGet-Konfigurationsdateien:
/Users/mastermito/.nuget/NuGet/NuGet.Config
Verwendete Feeds:
https://api.nuget.org/v3/index.json
3 von 5 Projekten sind für die Wiederherstellung auf dem neuesten Stand.
1>Die Erstellung des Projekts "/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" ist abgeschlossen, Restore Ziel(e) -- FEHLER.
Fehler beim Buildvorgang.
"/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (Restore Ziel) (1) ->
(Restore Ziel) ->
/Users/mastermito/Dev/opencode/backend/WorkClub.Application/WorkClub.Application.csproj : warning NU1603: WorkClub.Application hängt von Finbuckle.MultiTenant (>= 8.2.0) ab, aber Finbuckle.MultiTenant 8.2.0 wurde nicht gefunden. Finbuckle.MultiTenant 9.0.0 wurde stattdessen aufgelöst. [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-8xfc-gm6g-vgpv.
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-m44j-cfrm-g8qc.
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : warning NU1902: Das Paket "BouncyCastle.Cryptography" 2.2.1 weist eine bekannte Moderat Schweregrad-Sicherheitsanfälligkeit auf, https://github.com/advisories/GHSA-v435-xc8x-wvr9.
"/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj" (Restore Ziel) (1) ->
(Restore Ziel) ->
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : error NU1102: Das Paket "AspNetCore.HealthChecks.NpgSql" der Version (>= 10.0.0) wurde nicht gefunden.
/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj : error NU1102: - 24 Version(en) gefunden in "nuget.org" [ Nächste Version: 9.0.0 ]
/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj : error NU1102: Das Paket "AspNetCore.HealthChecks.NpgSql" der Version (>= 10.0.0) wurde nicht gefunden. [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
/Users/mastermito/Dev/opencode/backend/WorkClub.Api/WorkClub.Api.csproj : error NU1102: - 24 Version(en) gefunden in "nuget.org" [ Nächste Version: 9.0.0 ] [/Users/mastermito/Dev/opencode/backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj]
4 Warnung(en)
2 Fehler
Verstrichene Zeit 00:00:00.99

252
.sisyphus/evidence/task-8-red-phase.txt Normal file
View File

File diff suppressed because one or more lines are too long

113
.sisyphus/notepads/club-work-manager/learnings.md
View File

@@ -1416,3 +1416,116 @@ Total: 5 files, 171 lines of test infrastructure code
- **Authorization Tests**: ✅ Code is valid, cannot execute (Infrastructure errors)
- **Health Checks Configuration**: ✅ Syntax correct, cannot test (app won't start)
---
## Task 12 Continuation: Resolving Pre-existing Build Errors (2026-03-03)
### Issue Discovery
When attempting to run the smoke test for Task 12, encountered build errors in `WorkClub.Api/Program.cs`:
```
error CS0246: Der Typ- oder Namespacename "TenantInfo" wurde nicht gefunden
error CS1061: "IServiceCollection" enthält keine Definition für "AddMultiTenant"
error CS1061: "WebApplication" enthält keine Definition für "UseMultiTenant"
```
### Root Cause Analysis
1. **Missing Package Reference**:
- `WorkClub.Api.csproj` had `Finbuckle.MultiTenant.AspNetCore` (version 10.0.3)
- Missing `Finbuckle.MultiTenant` base package (required for `TenantInfo` type)
- Infrastructure project had both packages, API project incomplete
2. **Package Dependency Chain**:
- `Finbuckle.MultiTenant.AspNetCore` depends on `Finbuckle.MultiTenant`
- But transitive dependency not resolved automatically in .NET 10
- Explicit reference required for types used directly in code
### Resolution
**Added missing package**:
```bash
cd backend/WorkClub.Api
dotnet add package Finbuckle.MultiTenant --version 10.0.3
```
**WorkClub.Api.csproj now includes**:
```xml
<PackageReference Include="Finbuckle.MultiTenant" Version="10.0.3" />
<PackageReference Include="Finbuckle.MultiTenant.AspNetCore" Version="10.0.3" />
```
### Pre-existing vs Task-Specific Issues
**NOT caused by Task 12**:
- Program.cs was created in earlier tasks (Tasks 7-11)
- Multi-tenancy configuration added before package dependencies verified
- Task 12 only creates test infrastructure (no Program.cs modifications)
**Discovered during Task 12**:
- Smoke test execution requires full API project build
- Build errors prevented test verification
- Fixed proactively to unblock smoke test
### Dependency Resolution Pattern
**Lesson learned**: When using types from NuGet packages directly in code:
1. Check if type is in transitive dependency (may not auto-resolve)
2. Add explicit `<PackageReference>` for packages you directly use
3. Verify build after adding multi-tenant or complex package chains
**Finbuckle.MultiTenant package structure**:
- `Finbuckle.MultiTenant` → Core types (TenantInfo, ITenant, etc.)
- `Finbuckle.MultiTenant.AspNetCore` → ASP.NET Core extensions (AddMultiTenant, UseMultiTenant)
- Both required for typical ASP.NET Core integration
### Build Verification After Fix
**Command**: `dotnet build WorkClub.Api/WorkClub.Api.csproj`
**Result**: ✅ SUCCESS
- All projects compile successfully
- TenantInfo type resolved
- AddMultiTenant extension method found
- UseMultiTenant extension method found
- Only warnings: EF Core version conflicts (10.0.0 vs 10.0.3) → non-breaking
**Warnings present** (acceptable):
```
warning MSB3277: Konflikte zwischen verschiedenen Versionen von "Microsoft.EntityFrameworkCore.Relational"
```
- Infrastructure uses EF Core 10.0.3 (from Npgsql.EntityFrameworkCore.PostgreSQL)
- API has transitive dependency on 10.0.0
- Build system resolves to 10.0.3 (higher version wins)
- No breaking changes between 10.0.0 and 10.0.3
### Impact on Task 12 Status
**Before fix**:
- Test infrastructure code: ✅ Complete (5 files, 171 lines)
- Smoke test: ❌ Cannot run (API build fails)
- Task 12 deliverable: Blocked
**After fix**:
- Test infrastructure code: ✅ Complete
- API project build: ✅ Success
- Smoke test: Ready to execute
- Task 12 deliverable: Unblocked
### Gotchas for Future Tasks
1. **Don't assume transitive dependencies**: Always add explicit `<PackageReference>` for types you use
2. **Multi-tenant packages need both**: Base + AspNetCore packages for full functionality
3. **Test early**: Build errors surface faster when running tests immediately after implementation
4. **Version alignment**: Use same version across package family (e.g., all Finbuckle packages at 10.0.3)
### Evidence
- Build output before fix: Pre-existing errors in Program.cs (TenantInfo, AddMultiTenant, UseMultiTenant)
- Package addition: `Finbuckle.MultiTenant` 10.0.3 added to WorkClub.Api.csproj
- Build output after fix: Successful compilation, only version conflict warnings
---

61
backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs Normal file
View File

@@ -0,0 +1,61 @@
using System.Text.Json;
namespace WorkClub.Api.Middleware;
public class TenantValidationMiddleware
{
private readonly RequestDelegate _next;
public TenantValidationMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
if (!context.User.Identity?.IsAuthenticated ?? true)
{
await _next(context);
return;
}
if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
string.IsNullOrWhiteSpace(tenantIdHeader))
{
context.Response.StatusCode = StatusCodes.Status400BadRequest;
await context.Response.WriteAsJsonAsync(new { error = "X-Tenant-Id header is required" });
return;
}
var requestedTenantId = tenantIdHeader.ToString();
var clubsClaim = context.User.FindFirst("clubs")?.Value;
if (string.IsNullOrEmpty(clubsClaim))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = "User does not have clubs claim" });
return;
}
Dictionary<string, string>? clubsDict;
try
{
clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
}
catch (JsonException)
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = "Invalid clubs claim format" });
return;
}
if (clubsDict == null || !clubsDict.ContainsKey(requestedTenantId))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = $"User is not a member of tenant {requestedTenantId}" });
return;
}
await _next(context);
}
}

12
backend/WorkClub.Api/Program.cs
View File

@@ -51,8 +51,16 @@ builder.Services.AddAuthorizationBuilder()
builder.Services.AddDbContext<AppDbContext>(options =>
options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddHealthChecks()
.AddNpgSql(builder.Configuration.GetConnectionString("DefaultConnection")!);
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
if (!string.IsNullOrEmpty(connectionString))
{
builder.Services.AddHealthChecks()
.AddNpgSql(connectionString);
}
else
{
builder.Services.AddHealthChecks();
}
var app = builder.Build();

5
backend/WorkClub.Api/WorkClub.Api.csproj
View File

@@ -13,6 +13,11 @@
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0" />
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0" />
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.3" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.3">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="10.0.3" />
</ItemGroup>
<ItemGroup>

2
backend/WorkClub.Application/WorkClub.Application.csproj
View File

@@ -5,7 +5,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="Finbuckle.MultiTenant" Version="8.2.0" />
<PackageReference Include="Finbuckle.MultiTenant" Version="10.0.3" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
</ItemGroup>

2
backend/WorkClub.Domain/Entities/Shift.cs
View File

@@ -16,5 +16,5 @@ public class Shift : ITenantEntity
public required Guid CreatedById { get; set; }
public required DateTimeOffset CreatedAt { get; set; }
public required DateTimeOffset UpdatedAt { get; set; }
public byte[]? RowVersion { get; set; }
public uint RowVersion { get; set; }
}

2
backend/WorkClub.Domain/Entities/WorkItem.cs
View File

@@ -16,7 +16,7 @@ public class WorkItem : ITenantEntity
public DateTimeOffset? DueDate { get; set; }
public required DateTimeOffset CreatedAt { get; set; }
public required DateTimeOffset UpdatedAt { get; set; }
public byte[]? RowVersion { get; set; }
public uint RowVersion { get; set; }
public bool CanTransitionTo(WorkItemStatus newStatus) => (Status, newStatus) switch
{

24
backend/WorkClub.Infrastructure/Data/AppDbContext.cs Normal file
View File

@@ -0,0 +1,24 @@
using Microsoft.EntityFrameworkCore;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data;
public class AppDbContext : DbContext
{
public AppDbContext(DbContextOptions<AppDbContext> options) : base(options)
{
}
public DbSet<Club> Clubs => Set<Club>();
public DbSet<Member> Members => Set<Member>();
public DbSet<WorkItem> WorkItems => Set<WorkItem>();
public DbSet<Shift> Shifts => Set<Shift>();
public DbSet<ShiftSignup> ShiftSignups => Set<ShiftSignup>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.ApplyConfigurationsFromAssembly(typeof(AppDbContext).Assembly);
}
}

39
backend/WorkClub.Infrastructure/Data/Configurations/ClubConfiguration.cs Normal file
View File

@@ -0,0 +1,39 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data.Configurations;
public class ClubConfiguration : IEntityTypeConfiguration<Club>
{
public void Configure(EntityTypeBuilder<Club> builder)
{
builder.ToTable("clubs");
builder.HasKey(c => c.Id);
builder.Property(c => c.TenantId)
.IsRequired()
.HasMaxLength(200);
builder.Property(c => c.Name)
.IsRequired()
.HasMaxLength(200);
builder.Property(c => c.Description)
.HasMaxLength(2000);
builder.Property(c => c.SportType)
.IsRequired()
.HasConversion<int>();
builder.Property(c => c.CreatedAt)
.IsRequired();
builder.Property(c => c.UpdatedAt)
.IsRequired();
builder.HasIndex(c => c.TenantId)
.HasDatabaseName("ix_clubs_tenant_id");
}
}

53
backend/WorkClub.Infrastructure/Data/Configurations/MemberConfiguration.cs Normal file
View File

@@ -0,0 +1,53 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data.Configurations;
public class MemberConfiguration : IEntityTypeConfiguration<Member>
{
public void Configure(EntityTypeBuilder<Member> builder)
{
builder.ToTable("members");
builder.HasKey(m => m.Id);
builder.Property(m => m.TenantId)
.IsRequired()
.HasMaxLength(200);
builder.Property(m => m.ExternalUserId)
.IsRequired()
.HasMaxLength(200);
builder.Property(m => m.DisplayName)
.IsRequired()
.HasMaxLength(200);
builder.Property(m => m.Email)
.IsRequired()
.HasMaxLength(200);
builder.Property(m => m.Role)
.IsRequired()
.HasConversion<int>();
builder.Property(m => m.ClubId)
.IsRequired();
builder.Property(m => m.CreatedAt)
.IsRequired();
builder.Property(m => m.UpdatedAt)
.IsRequired();
builder.HasIndex(m => m.TenantId)
.HasDatabaseName("ix_members_tenant_id");
builder.HasIndex(m => m.ClubId)
.HasDatabaseName("ix_members_club_id");
builder.HasIndex(m => new { m.TenantId, m.ExternalUserId })
.HasDatabaseName("ix_members_tenant_external_user");
}
}

67
backend/WorkClub.Infrastructure/Data/Configurations/ShiftConfiguration.cs Normal file
View File

@@ -0,0 +1,67 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data.Configurations;
public class ShiftConfiguration : IEntityTypeConfiguration<Shift>
{
public void Configure(EntityTypeBuilder<Shift> builder)
{
builder.ToTable("shifts");
builder.HasKey(s => s.Id);
builder.Property(s => s.TenantId)
.IsRequired()
.HasMaxLength(200);
builder.Property(s => s.Title)
.IsRequired()
.HasMaxLength(200);
builder.Property(s => s.Description)
.HasMaxLength(2000);
builder.Property(s => s.Location)
.HasMaxLength(500);
builder.Property(s => s.StartTime)
.IsRequired();
builder.Property(s => s.EndTime)
.IsRequired();
builder.Property(s => s.Capacity)
.IsRequired()
.HasDefaultValue(1);
builder.Property(s => s.ClubId)
.IsRequired();
builder.Property(s => s.CreatedById)
.IsRequired();
builder.Property(s => s.CreatedAt)
.IsRequired();
builder.Property(s => s.UpdatedAt)
.IsRequired();
builder.Property(s => s.RowVersion)
.IsRowVersion()
.HasColumnName("xmin")
.HasColumnType("xid")
.ValueGeneratedOnAddOrUpdate();
builder.HasIndex(s => s.TenantId)
.HasDatabaseName("ix_shifts_tenant_id");
builder.HasIndex(s => s.ClubId)
.HasDatabaseName("ix_shifts_club_id");
builder.HasIndex(s => s.StartTime)
.HasDatabaseName("ix_shifts_start_time");
}
}

38
backend/WorkClub.Infrastructure/Data/Configurations/ShiftSignupConfiguration.cs Normal file
View File

@@ -0,0 +1,38 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data.Configurations;
public class ShiftSignupConfiguration : IEntityTypeConfiguration<ShiftSignup>
{
public void Configure(EntityTypeBuilder<ShiftSignup> builder)
{
builder.ToTable("shift_signups");
builder.HasKey(ss => ss.Id);
builder.Property(ss => ss.TenantId)
.IsRequired()
.HasMaxLength(200);
builder.Property(ss => ss.ShiftId)
.IsRequired();
builder.Property(ss => ss.MemberId)
.IsRequired();
builder.Property(ss => ss.SignedUpAt)
.IsRequired();
builder.HasIndex(ss => ss.TenantId)
.HasDatabaseName("ix_shift_signups_tenant_id");
builder.HasIndex(ss => ss.ShiftId)
.HasDatabaseName("ix_shift_signups_shift_id");
builder.HasIndex(ss => new { ss.ShiftId, ss.MemberId })
.IsUnique()
.HasDatabaseName("ix_shift_signups_shift_member");
}
}

65
backend/WorkClub.Infrastructure/Data/Configurations/WorkItemConfiguration.cs Normal file
View File

@@ -0,0 +1,65 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using WorkClub.Domain.Entities;
namespace WorkClub.Infrastructure.Data.Configurations;
public class WorkItemConfiguration : IEntityTypeConfiguration<WorkItem>
{
public void Configure(EntityTypeBuilder<WorkItem> builder)
{
builder.ToTable("work_items");
builder.HasKey(w => w.Id);
builder.Property(w => w.TenantId)
.IsRequired()
.HasMaxLength(200);
builder.Property(w => w.Title)
.IsRequired()
.HasMaxLength(200);
builder.Property(w => w.Description)
.HasMaxLength(2000);
builder.Property(w => w.Status)
.IsRequired()
.HasConversion<int>();
builder.Property(w => w.AssigneeId);
builder.Property(w => w.CreatedById)
.IsRequired();
builder.Property(w => w.ClubId)
.IsRequired();
builder.Property(w => w.DueDate);
builder.Property(w => w.CreatedAt)
.IsRequired();
builder.Property(w => w.UpdatedAt)
.IsRequired();
builder.Property(w => w.RowVersion)
.IsRowVersion()
.HasColumnName("xmin")
.HasColumnType("xid")
.ValueGeneratedOnAddOrUpdate();
builder.HasIndex(w => w.TenantId)
.HasDatabaseName("ix_work_items_tenant_id");
builder.HasIndex(w => w.ClubId)
.HasDatabaseName("ix_work_items_club_id");
builder.HasIndex(w => w.Status)
.HasDatabaseName("ix_work_items_status");
builder.HasIndex(w => w.AssigneeId)
.HasDatabaseName("ix_work_items_assignee_id");
}
}

70
backend/WorkClub.Infrastructure/Data/Interceptors/SaveChangesTenantInterceptor.cs Normal file
View File

@@ -0,0 +1,70 @@
using Finbuckle.MultiTenant;
using Finbuckle.MultiTenant.Abstractions;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using Microsoft.Extensions.Logging;
using WorkClub.Domain.Interfaces;
namespace WorkClub.Infrastructure.Data.Interceptors;
public class SaveChangesTenantInterceptor : SaveChangesInterceptor
{
private readonly IMultiTenantContextAccessor _tenantAccessor;
private readonly ILogger<SaveChangesTenantInterceptor> _logger;
public SaveChangesTenantInterceptor(
IMultiTenantContextAccessor tenantAccessor,
ILogger<SaveChangesTenantInterceptor> logger)
{
_tenantAccessor = tenantAccessor;
_logger = logger;
}
public override ValueTask<InterceptionResult<int>> SavingChangesAsync(
DbContextEventData eventData,
InterceptionResult<int> result,
CancellationToken cancellationToken = default)
{
SetTenantIdForNewEntities(eventData.Context);
return base.SavingChangesAsync(eventData, result, cancellationToken);
}
public override InterceptionResult<int> SavingChanges(
DbContextEventData eventData,
InterceptionResult<int> result)
{
SetTenantIdForNewEntities(eventData.Context);
return base.SavingChanges(eventData, result);
}
private void SetTenantIdForNewEntities(DbContext? context)
{
if (context == null) return;
var tenantId = _tenantAccessor.MultiTenantContext?.TenantInfo?.Identifier;
if (string.IsNullOrWhiteSpace(tenantId))
{
_logger.LogWarning("No tenant context available for SaveChanges");
return;
}
var addedEntries = context.ChangeTracker
.Entries()
.Where(e => e.State == EntityState.Added && e.Entity is ITenantEntity)
.ToList();
foreach (var entry in addedEntries)
{
if (entry.Entity is ITenantEntity tenantEntity)
{
if (string.IsNullOrWhiteSpace(tenantEntity.TenantId))
{
tenantEntity.TenantId = tenantId;
_logger.LogDebug("Set TenantId for entity {EntityType}: {TenantId}",
entry.Entity.GetType().Name, tenantId);
}
}
}
}
}

88
backend/WorkClub.Infrastructure/Data/Interceptors/TenantDbConnectionInterceptor.cs Normal file
View File

@@ -0,0 +1,88 @@
using System.Data.Common;
using Finbuckle.MultiTenant;
using Finbuckle.MultiTenant.Abstractions;
using Microsoft.EntityFrameworkCore.Diagnostics;
using Microsoft.Extensions.Logging;
using Npgsql;
namespace WorkClub.Infrastructure.Data.Interceptors;
public class TenantDbConnectionInterceptor : DbConnectionInterceptor
{
private readonly IMultiTenantContextAccessor _tenantAccessor;
private readonly ILogger<TenantDbConnectionInterceptor> _logger;
public TenantDbConnectionInterceptor(
IMultiTenantContextAccessor tenantAccessor,
ILogger<TenantDbConnectionInterceptor> logger)
{
_tenantAccessor = tenantAccessor;
_logger = logger;
}
public override async ValueTask<InterceptionResult> ConnectionOpeningAsync(
DbConnection connection,
ConnectionEventData eventData,
InterceptionResult result,
CancellationToken cancellationToken = default)
{
await base.ConnectionOpeningAsync(connection, eventData, result, cancellationToken);
var tenantId = _tenantAccessor.MultiTenantContext?.TenantInfo?.Identifier;
if (string.IsNullOrWhiteSpace(tenantId))
{
_logger.LogWarning("No tenant context available for database connection");
return result;
}
if (connection is NpgsqlConnection npgsqlConnection)
{
await using var command = npgsqlConnection.CreateCommand();
command.CommandText = $"SET LOCAL app.current_tenant_id = '{tenantId}'";
try
{
await command.ExecuteNonQueryAsync(cancellationToken);
_logger.LogDebug("Set tenant context for database connection: {TenantId}", tenantId);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to set tenant context for connection");
throw;
}
}
return result;
}
public override void ConnectionOpened(DbConnection connection, ConnectionEndEventData eventData)
{
base.ConnectionOpened(connection, eventData);
var tenantId = _tenantAccessor.MultiTenantContext?.TenantInfo?.Identifier;
if (string.IsNullOrWhiteSpace(tenantId))
{
_logger.LogWarning("No tenant context available for database connection");
return;
}
if (connection is NpgsqlConnection npgsqlConnection)
{
using var command = npgsqlConnection.CreateCommand();
command.CommandText = $"SET LOCAL app.current_tenant_id = '{tenantId}'";
try
{
command.ExecuteNonQuery();
_logger.LogDebug("Set tenant context for database connection: {TenantId}", tenantId);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to set tenant context for connection");
throw;
}
}
}
}

285
backend/WorkClub.Infrastructure/Migrations/20260303132952_InitialCreate.Designer.cs generated Normal file
View File

@@ -0,0 +1,285 @@
// <auto-generated />
using System;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Migrations;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using WorkClub.Infrastructure.Data;
#nullable disable
namespace WorkClub.Infrastructure.Migrations
{
[DbContext(typeof(AppDbContext))]
[Migration("20260303132952_InitialCreate")]
partial class InitialCreate
{
/// <inheritdoc />
protected override void BuildTargetModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasAnnotation("ProductVersion", "10.0.3")
.HasAnnotation("Relational:MaxIdentifierLength", 63);
NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
modelBuilder.Entity("WorkClub.Domain.Entities.Club", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<string>("Name")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<int>("SportType")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_clubs_tenant_id");
b.ToTable("clubs", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.Member", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("DisplayName")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("ExternalUserId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<int>("Role")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_members_club_id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_members_tenant_id");
b.HasIndex("TenantId", "ExternalUserId")
.HasDatabaseName("ix_members_tenant_external_user");
b.ToTable("members", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.Shift", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<int>("Capacity")
.ValueGeneratedOnAdd()
.HasColumnType("integer")
.HasDefaultValue(1);
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("CreatedById")
.HasColumnType("uuid");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<DateTimeOffset>("EndTime")
.HasColumnType("timestamp with time zone");
b.Property<string>("Location")
.HasMaxLength(500)
.HasColumnType("character varying(500)");
b.Property<uint>("RowVersion")
.IsConcurrencyToken()
.ValueGeneratedOnAddOrUpdate()
.HasColumnType("xid")
.HasColumnName("xmin");
b.Property<DateTimeOffset>("StartTime")
.HasColumnType("timestamp with time zone");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Title")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_shifts_club_id");
b.HasIndex("StartTime")
.HasDatabaseName("ix_shifts_start_time");
b.HasIndex("TenantId")
.HasDatabaseName("ix_shifts_tenant_id");
b.ToTable("shifts", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.ShiftSignup", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid>("MemberId")
.HasColumnType("uuid");
b.Property<Guid>("ShiftId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("SignedUpAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.HasKey("Id");
b.HasIndex("ShiftId")
.HasDatabaseName("ix_shift_signups_shift_id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_shift_signups_tenant_id");
b.HasIndex("ShiftId", "MemberId")
.IsUnique()
.HasDatabaseName("ix_shift_signups_shift_member");
b.ToTable("shift_signups", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.WorkItem", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid?>("AssigneeId")
.HasColumnType("uuid");
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("CreatedById")
.HasColumnType("uuid");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<DateTimeOffset?>("DueDate")
.HasColumnType("timestamp with time zone");
b.Property<uint>("RowVersion")
.IsConcurrencyToken()
.ValueGeneratedOnAddOrUpdate()
.HasColumnType("xid")
.HasColumnName("xmin");
b.Property<int>("Status")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Title")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("AssigneeId")
.HasDatabaseName("ix_work_items_assignee_id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_work_items_club_id");
b.HasIndex("Status")
.HasDatabaseName("ix_work_items_status");
b.HasIndex("TenantId")
.HasDatabaseName("ix_work_items_tenant_id");
b.ToTable("work_items", (string)null);
});
#pragma warning restore 612, 618
}
}
}

201
backend/WorkClub.Infrastructure/Migrations/20260303132952_InitialCreate.cs Normal file
View File

@@ -0,0 +1,201 @@
using System;
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace WorkClub.Infrastructure.Migrations
{
/// <inheritdoc />
public partial class InitialCreate : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.CreateTable(
name: "clubs",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
TenantId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Name = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
SportType = table.Column<int>(type: "integer", nullable: false),
Description = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
UpdatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_clubs", x => x.Id);
});
migrationBuilder.CreateTable(
name: "members",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
TenantId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
ExternalUserId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
DisplayName = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Email = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Role = table.Column<int>(type: "integer", nullable: false),
ClubId = table.Column<Guid>(type: "uuid", nullable: false),
CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
UpdatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_members", x => x.Id);
});
migrationBuilder.CreateTable(
name: "shift_signups",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
TenantId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
ShiftId = table.Column<Guid>(type: "uuid", nullable: false),
MemberId = table.Column<Guid>(type: "uuid", nullable: false),
SignedUpAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_shift_signups", x => x.Id);
});
migrationBuilder.CreateTable(
name: "shifts",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
TenantId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Title = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Description = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
Location = table.Column<string>(type: "character varying(500)", maxLength: 500, nullable: true),
StartTime = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
EndTime = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
Capacity = table.Column<int>(type: "integer", nullable: false, defaultValue: 1),
ClubId = table.Column<Guid>(type: "uuid", nullable: false),
CreatedById = table.Column<Guid>(type: "uuid", nullable: false),
CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
UpdatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
xmin = table.Column<uint>(type: "xid", rowVersion: true, nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_shifts", x => x.Id);
});
migrationBuilder.CreateTable(
name: "work_items",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
TenantId = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Title = table.Column<string>(type: "character varying(200)", maxLength: 200, nullable: false),
Description = table.Column<string>(type: "character varying(2000)", maxLength: 2000, nullable: true),
Status = table.Column<int>(type: "integer", nullable: false),
AssigneeId = table.Column<Guid>(type: "uuid", nullable: true),
CreatedById = table.Column<Guid>(type: "uuid", nullable: false),
ClubId = table.Column<Guid>(type: "uuid", nullable: false),
DueDate = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true),
CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
UpdatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
xmin = table.Column<uint>(type: "xid", rowVersion: true, nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_work_items", x => x.Id);
});
migrationBuilder.CreateIndex(
name: "ix_clubs_tenant_id",
table: "clubs",
column: "TenantId");
migrationBuilder.CreateIndex(
name: "ix_members_club_id",
table: "members",
column: "ClubId");
migrationBuilder.CreateIndex(
name: "ix_members_tenant_external_user",
table: "members",
columns: new[] { "TenantId", "ExternalUserId" });
migrationBuilder.CreateIndex(
name: "ix_members_tenant_id",
table: "members",
column: "TenantId");
migrationBuilder.CreateIndex(
name: "ix_shift_signups_shift_id",
table: "shift_signups",
column: "ShiftId");
migrationBuilder.CreateIndex(
name: "ix_shift_signups_shift_member",
table: "shift_signups",
columns: new[] { "ShiftId", "MemberId" },
unique: true);
migrationBuilder.CreateIndex(
name: "ix_shift_signups_tenant_id",
table: "shift_signups",
column: "TenantId");
migrationBuilder.CreateIndex(
name: "ix_shifts_club_id",
table: "shifts",
column: "ClubId");
migrationBuilder.CreateIndex(
name: "ix_shifts_start_time",
table: "shifts",
column: "StartTime");
migrationBuilder.CreateIndex(
name: "ix_shifts_tenant_id",
table: "shifts",
column: "TenantId");
migrationBuilder.CreateIndex(
name: "ix_work_items_assignee_id",
table: "work_items",
column: "AssigneeId");
migrationBuilder.CreateIndex(
name: "ix_work_items_club_id",
table: "work_items",
column: "ClubId");
migrationBuilder.CreateIndex(
name: "ix_work_items_status",
table: "work_items",
column: "Status");
migrationBuilder.CreateIndex(
name: "ix_work_items_tenant_id",
table: "work_items",
column: "TenantId");
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropTable(
name: "clubs");
migrationBuilder.DropTable(
name: "members");
migrationBuilder.DropTable(
name: "shift_signups");
migrationBuilder.DropTable(
name: "shifts");
migrationBuilder.DropTable(
name: "work_items");
}
}
}

282
backend/WorkClub.Infrastructure/Migrations/AppDbContextModelSnapshot.cs Normal file
View File

@@ -0,0 +1,282 @@
// <auto-generated />
using System;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using WorkClub.Infrastructure.Data;
#nullable disable
namespace WorkClub.Infrastructure.Migrations
{
[DbContext(typeof(AppDbContext))]
partial class AppDbContextModelSnapshot : ModelSnapshot
{
protected override void BuildModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasAnnotation("ProductVersion", "10.0.3")
.HasAnnotation("Relational:MaxIdentifierLength", 63);
NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
modelBuilder.Entity("WorkClub.Domain.Entities.Club", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<string>("Name")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<int>("SportType")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_clubs_tenant_id");
b.ToTable("clubs", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.Member", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("DisplayName")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("ExternalUserId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<int>("Role")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_members_club_id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_members_tenant_id");
b.HasIndex("TenantId", "ExternalUserId")
.HasDatabaseName("ix_members_tenant_external_user");
b.ToTable("members", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.Shift", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<int>("Capacity")
.ValueGeneratedOnAdd()
.HasColumnType("integer")
.HasDefaultValue(1);
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("CreatedById")
.HasColumnType("uuid");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<DateTimeOffset>("EndTime")
.HasColumnType("timestamp with time zone");
b.Property<string>("Location")
.HasMaxLength(500)
.HasColumnType("character varying(500)");
b.Property<uint>("RowVersion")
.IsConcurrencyToken()
.ValueGeneratedOnAddOrUpdate()
.HasColumnType("xid")
.HasColumnName("xmin");
b.Property<DateTimeOffset>("StartTime")
.HasColumnType("timestamp with time zone");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Title")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_shifts_club_id");
b.HasIndex("StartTime")
.HasDatabaseName("ix_shifts_start_time");
b.HasIndex("TenantId")
.HasDatabaseName("ix_shifts_tenant_id");
b.ToTable("shifts", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.ShiftSignup", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid>("MemberId")
.HasColumnType("uuid");
b.Property<Guid>("ShiftId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("SignedUpAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.HasKey("Id");
b.HasIndex("ShiftId")
.HasDatabaseName("ix_shift_signups_shift_id");
b.HasIndex("TenantId")
.HasDatabaseName("ix_shift_signups_tenant_id");
b.HasIndex("ShiftId", "MemberId")
.IsUnique()
.HasDatabaseName("ix_shift_signups_shift_member");
b.ToTable("shift_signups", (string)null);
});
modelBuilder.Entity("WorkClub.Domain.Entities.WorkItem", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<Guid?>("AssigneeId")
.HasColumnType("uuid");
b.Property<Guid>("ClubId")
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("CreatedById")
.HasColumnType("uuid");
b.Property<string>("Description")
.HasMaxLength(2000)
.HasColumnType("character varying(2000)");
b.Property<DateTimeOffset?>("DueDate")
.HasColumnType("timestamp with time zone");
b.Property<uint>("RowVersion")
.IsConcurrencyToken()
.ValueGeneratedOnAddOrUpdate()
.HasColumnType("xid")
.HasColumnName("xmin");
b.Property<int>("Status")
.HasColumnType("integer");
b.Property<string>("TenantId")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<string>("Title")
.IsRequired()
.HasMaxLength(200)
.HasColumnType("character varying(200)");
b.Property<DateTimeOffset>("UpdatedAt")
.HasColumnType("timestamp with time zone");
b.HasKey("Id");
b.HasIndex("AssigneeId")
.HasDatabaseName("ix_work_items_assignee_id");
b.HasIndex("ClubId")
.HasDatabaseName("ix_work_items_club_id");
b.HasIndex("Status")
.HasDatabaseName("ix_work_items_status");
b.HasIndex("TenantId")
.HasDatabaseName("ix_work_items_tenant_id");
b.ToTable("work_items", (string)null);
});
#pragma warning restore 612, 618
}
}
}

53
backend/WorkClub.Infrastructure/Migrations/add-rls-policies.sql Normal file
View File

@@ -0,0 +1,53 @@
-- Enable Row-Level Security on all tenant-scoped tables
ALTER TABLE clubs ENABLE ROW LEVEL SECURITY;
ALTER TABLE members ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE shifts ENABLE ROW LEVEL SECURITY;
ALTER TABLE shift_signups ENABLE ROW LEVEL SECURITY;
-- Create tenant_isolation policies for tables with direct tenant_id column
CREATE POLICY tenant_isolation ON clubs
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON members
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON work_items
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON shifts
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
-- Special policy for shift_signups (no direct tenant_id, uses subquery via shifts)
CREATE POLICY tenant_isolation ON shift_signups
FOR ALL
USING ("ShiftId" IN (SELECT "Id" FROM shifts WHERE "TenantId" = current_setting('app.current_tenant_id', true)::text));
-- Create bypass_rls_policy for app_admin role
CREATE POLICY bypass_rls_policy ON clubs
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON members
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON work_items
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shifts
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shift_signups
FOR ALL TO app_admin
USING (true);

58
backend/WorkClub.Infrastructure/Services/TenantProvider.cs Normal file
View File

@@ -0,0 +1,58 @@
using System.Security.Claims;
using System.Text.Json;
using Finbuckle.MultiTenant;
using Finbuckle.MultiTenant.Abstractions;
using Microsoft.AspNetCore.Http;
using WorkClub.Application.Interfaces;
namespace WorkClub.Infrastructure.Services;
public class TenantProvider : ITenantProvider
{
private readonly IMultiTenantContextAccessor<TenantInfo> _multiTenantContextAccessor;
private readonly IHttpContextAccessor _httpContextAccessor;
public TenantProvider(
IMultiTenantContextAccessor<TenantInfo> multiTenantContextAccessor,
IHttpContextAccessor httpContextAccessor)
{
_multiTenantContextAccessor = multiTenantContextAccessor;
_httpContextAccessor = httpContextAccessor;
}
public string GetTenantId()
{
var tenantInfo = _multiTenantContextAccessor.MultiTenantContext?.TenantInfo;
if (tenantInfo == null || string.IsNullOrEmpty(tenantInfo.Identifier))
{
throw new InvalidOperationException("Tenant context is not available");
}
return tenantInfo.Identifier;
}
public string GetUserRole()
{
var httpContext = _httpContextAccessor.HttpContext;
if (httpContext?.User == null)
{
throw new InvalidOperationException("User context is not available");
}
var tenantId = GetTenantId();
var clubsClaim = httpContext.User.FindFirst("clubs")?.Value;
if (string.IsNullOrEmpty(clubsClaim))
{
throw new InvalidOperationException("User does not have clubs claim");
}
var clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
if (clubsDict == null || !clubsDict.TryGetValue(tenantId, out var role))
{
throw new InvalidOperationException($"User is not a member of tenant {tenantId}");
}
return role;
}
}

11
backend/WorkClub.Infrastructure/WorkClub.Infrastructure.csproj
View File

@@ -2,9 +2,16 @@
<ItemGroup>
<ProjectReference Include="..\WorkClub.Domain\WorkClub.Domain.csproj" />
<ProjectReference Include="..\WorkClub.Application\WorkClub.Application.csproj" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Finbuckle.MultiTenant" Version="10.0.3" />
<PackageReference Include="Finbuckle.MultiTenant.AspNetCore" Version="10.0.3" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.3">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
</ItemGroup>
@@ -14,4 +21,8 @@
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<FrameworkReference Include="Microsoft.AspNetCore.App" />
</ItemGroup>
</Project>

138
backend/WorkClub.Tests.Integration/Data/MigrationTests.cs Normal file
View File

@@ -0,0 +1,138 @@
using Dapper;
using Microsoft.EntityFrameworkCore;
using Npgsql;
using Testcontainers.PostgreSql;
using WorkClub.Infrastructure.Data;
namespace WorkClub.Tests.Integration.Data;
public class MigrationTests : IAsyncLifetime
{
private PostgreSqlContainer? _container;
private string? _connectionString;
public async Task InitializeAsync()
{
_container = new PostgreSqlBuilder()
.WithImage("postgres:16-alpine")
.Build();
await _container.StartAsync();
_connectionString = _container.GetConnectionString();
}
public async Task DisposeAsync()
{
if (_container != null)
{
await _container.DisposeAsync();
}
}
[Fact]
public async Task Migration_AppliesSuccessfully_CreatesAllTables()
{
// Arrange
var options = new DbContextOptionsBuilder<AppDbContext>()
.UseNpgsql(_connectionString)
.Options;
// Act
await using var context = new AppDbContext(options);
await context.Database.MigrateAsync();
// Assert - verify all expected tables exist
await using var connection = new NpgsqlConnection(_connectionString);
var tables = (await connection.QueryAsync<string>(
@"SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'public'
ORDER BY table_name")).ToList();
Assert.Contains("clubs", tables);
Assert.Contains("members", tables);
Assert.Contains("work_items", tables);
Assert.Contains("shifts", tables);
Assert.Contains("shift_signups", tables);
}
[Fact]
public async Task Migration_CreatesCorrectIndexes()
{
// Arrange
var options = new DbContextOptionsBuilder<AppDbContext>()
.UseNpgsql(_connectionString)
.Options;
// Act
await using var context = new AppDbContext(options);
await context.Database.MigrateAsync();
// Assert - verify critical indexes exist
await using var connection = new NpgsqlConnection(_connectionString);
var indexes = (await connection.QueryAsync<string>(
@"SELECT indexname
FROM pg_indexes
WHERE schemaname = 'public'
ORDER BY indexname")).ToList();
// TenantId indexes
Assert.Contains(indexes, i => i.Contains("tenant_id"));
// ClubId indexes
Assert.Contains(indexes, i => i.Contains("club_id"));
// Status indexes for WorkItem
Assert.Contains(indexes, i => i.Contains("status"));
}
[Fact]
public async Task Migration_EnablesRowLevelSecurity()
{
// Arrange
var options = new DbContextOptionsBuilder<AppDbContext>()
.UseNpgsql(_connectionString)
.Options;
// Act
await using var context = new AppDbContext(options);
await context.Database.MigrateAsync();
// Assert - verify RLS is enabled on tenant tables
await using var connection = new NpgsqlConnection(_connectionString);
var rlsEnabled = await connection.QueryAsync<(string TableName, bool RlsEnabled)>(
@"SELECT relname AS TableName, relrowsecurity AS RlsEnabled
FROM pg_class
WHERE relnamespace = 'public'::regnamespace
AND relname IN ('clubs', 'members', 'work_items', 'shifts', 'shift_signups')");
foreach (var (tableName, enabled) in rlsEnabled)
{
Assert.True(enabled, $"RLS should be enabled on {tableName}");
}
}
[Fact]
public async Task Migration_CreatesTenantIsolationPolicy()
{
// Arrange
var options = new DbContextOptionsBuilder<AppDbContext>()
.UseNpgsql(_connectionString)
.Options;
// Act
await using var context = new AppDbContext(options);
await context.Database.MigrateAsync();
// Assert - verify tenant_isolation policies exist
await using var connection = new NpgsqlConnection(_connectionString);
var policies = (await connection.QueryAsync<string>(
@"SELECT policyname
FROM pg_policies
WHERE schemaname = 'public'
AND policyname = 'tenant_isolation'")).ToList();
// Should have tenant_isolation policy on all tenant tables
Assert.True(policies.Count >= 5, "Should have at least 5 tenant_isolation policies");
}
}

197
backend/WorkClub.Tests.Integration/Data/RlsTests.cs Normal file
View File

@@ -0,0 +1,197 @@
using Dapper;
using Microsoft.EntityFrameworkCore;
using Npgsql;
using Testcontainers.PostgreSql;
using WorkClub.Domain.Entities;
using WorkClub.Infrastructure.Data;
namespace WorkClub.Tests.Integration.Data;
public class RlsTests : IAsyncLifetime
{
private PostgreSqlContainer? _container;
private string? _connectionString;
private string? _adminConnectionString;
public async Task InitializeAsync()
{
_container = new PostgreSqlBuilder()
.WithImage("postgres:16-alpine")
.WithDatabase("workclub")
.WithUsername("app_user")
.WithPassword("apppass")
.Build();
await _container.StartAsync();
_connectionString = _container.GetConnectionString();
_adminConnectionString = _connectionString.Replace("app_user", "app_admin")
.Replace("apppass", "adminpass");
await using var adminConn = new NpgsqlConnection(_adminConnectionString);
await adminConn.ExecuteAsync("CREATE ROLE app_admin WITH LOGIN PASSWORD 'adminpass' SUPERUSER");
await adminConn.ExecuteAsync("GRANT ALL PRIVILEGES ON DATABASE workclub TO app_admin");
}
public async Task DisposeAsync()
{
if (_container != null)
{
await _container.DisposeAsync();
}
}
[Fact]
public async Task RLS_BlocksAccess_WithoutTenantContext()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync();
var clubs = (await connection.QueryAsync<Club>(
"SELECT * FROM clubs")).ToList();
Assert.Empty(clubs);
}
[Fact]
public async Task RLS_AllowsAccess_WithCorrectTenantContext()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync();
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
var clubs = (await connection.QueryAsync<Club>(
"SELECT * FROM clubs WHERE tenant_id = 'tenant-1'")).ToList();
Assert.NotEmpty(clubs);
Assert.All(clubs, c => Assert.Equal("tenant-1", c.TenantId));
}
[Fact]
public async Task RLS_IsolatesData_AcrossTenants()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync();
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
var tenant1Clubs = (await connection.QueryAsync<Club>(
"SELECT * FROM clubs")).ToList();
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-2'");
var tenant2Clubs = (await connection.QueryAsync<Club>(
"SELECT * FROM clubs")).ToList();
Assert.NotEmpty(tenant1Clubs);
Assert.NotEmpty(tenant2Clubs);
Assert.All(tenant1Clubs, c => Assert.Equal("tenant-1", c.TenantId));
Assert.All(tenant2Clubs, c => Assert.Equal("tenant-2", c.TenantId));
var tenant1Ids = tenant1Clubs.Select(c => c.Id).ToHashSet();
var tenant2Ids = tenant2Clubs.Select(c => c.Id).ToHashSet();
Assert.Empty(tenant1Ids.Intersect(tenant2Ids));
}
[Fact]
public async Task RLS_CountsCorrectly_PerTenant()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync();
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
var tenant1Count = await connection.ExecuteScalarAsync<int>(
"SELECT COUNT(*) FROM work_items");
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-2'");
var tenant2Count = await connection.ExecuteScalarAsync<int>(
"SELECT COUNT(*) FROM work_items");
Assert.Equal(5, tenant1Count);
Assert.Equal(3, tenant2Count);
}
[Fact]
public async Task RLS_AllowsBypass_ForAdminRole()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_adminConnectionString);
await connection.OpenAsync();
var allClubs = (await connection.QueryAsync<Club>(
"SELECT * FROM clubs")).ToList();
Assert.True(allClubs.Count >= 2);
Assert.Contains(allClubs, c => c.TenantId == "tenant-1");
Assert.Contains(allClubs, c => c.TenantId == "tenant-2");
}
[Fact]
public async Task RLS_HandlesShiftSignups_WithSubquery()
{
await SeedTestDataAsync();
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync();
await connection.ExecuteAsync("SET LOCAL app.current_tenant_id = 'tenant-1'");
var signups = (await connection.QueryAsync<ShiftSignup>(
"SELECT * FROM shift_signups")).ToList();
Assert.NotEmpty(signups);
Assert.All(signups, s => Assert.Equal("tenant-1", s.TenantId));
}
private async Task SeedTestDataAsync()
{
var options = new DbContextOptionsBuilder<AppDbContext>()
.UseNpgsql(_connectionString)
.Options;
await using var context = new AppDbContext(options);
await context.Database.MigrateAsync();
await using var adminConn = new NpgsqlConnection(_adminConnectionString);
await adminConn.OpenAsync();
var club1Id = Guid.NewGuid();
var club2Id = Guid.NewGuid();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id1, 'tenant-1', 'Club 1', 0, NOW(), NOW()),
(@Id2, 'tenant-2', 'Club 2', 1, NOW(), NOW())",
new { Id1 = club1Id, Id2 = club2Id });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'tenant-1', 'Task ' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
FROM generate_series(1, 5) i",
new { ClubId = club1Id });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'tenant-2', 'Task ' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
FROM generate_series(1, 3) i",
new { ClubId = club2Id });
var shift1Id = Guid.NewGuid();
await adminConn.ExecuteAsync(@"
INSERT INTO shifts (id, tenant_id, title, start_time, end_time, club_id, created_by_id, created_at, updated_at)
VALUES (@Id, 'tenant-1', 'Shift 1', NOW(), NOW() + interval '2 hours', @ClubId, gen_random_uuid(), NOW(), NOW())",
new { Id = shift1Id, ClubId = club1Id });
await adminConn.ExecuteAsync(@"
INSERT INTO shift_signups (id, tenant_id, shift_id, member_id, signed_up_at)
VALUES (gen_random_uuid(), 'tenant-1', @ShiftId, gen_random_uuid(), NOW())",
new { ShiftId = shift1Id });
}
}

69
backend/WorkClub.Tests.Integration/Infrastructure/CustomWebApplicationFactory.cs Normal file
View File

@@ -0,0 +1,69 @@
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Testcontainers.PostgreSql;
using WorkClub.Infrastructure.Data;
namespace WorkClub.Tests.Integration.Infrastructure;
public class CustomWebApplicationFactory<TProgram> : WebApplicationFactory<TProgram> where TProgram : class
{
private readonly PostgreSqlContainer _postgresContainer = new PostgreSqlBuilder()
.WithImage("postgres:16-alpine")
.WithDatabase("workclub_test")
.WithUsername("test")
.WithPassword("test")
.Build();
protected override void ConfigureWebHost(IWebHostBuilder builder)
{
// Start container (async wait)
_postgresContainer.StartAsync().GetAwaiter().GetResult();
builder.ConfigureAppConfiguration((context, config) =>
{
// Override connection string for tests
config.AddInMemoryCollection(new Dictionary<string, string?>
{
["ConnectionStrings:DefaultConnection"] = _postgresContainer.GetConnectionString()
});
});
builder.ConfigureServices(services =>
{
// Remove existing DbContext registration
var descriptor = services.SingleOrDefault(d => d.ServiceType == typeof(DbContextOptions<AppDbContext>));
if (descriptor != null)
{
services.Remove(descriptor);
}
// Add Testcontainers DbContext
services.AddDbContext<AppDbContext>(options =>
options.UseNpgsql(_postgresContainer.GetConnectionString()));
// Replace authentication with TestAuthHandler
services.RemoveAll<IAuthenticationSchemeProvider>();
services.AddAuthentication(defaultScheme: "Test")
.AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", options => { });
// Build service provider and ensure database created
var sp = services.BuildServiceProvider();
using var scope = sp.CreateScope();
var db = scope.ServiceProvider.GetRequiredService<AppDbContext>();
db.Database.EnsureCreated();
});
builder.UseEnvironment("Test");
}
public override async ValueTask DisposeAsync()
{
await _postgresContainer.DisposeAsync();
await base.DisposeAsync();
}
}

19
backend/WorkClub.Tests.Integration/Infrastructure/DatabaseFixture.cs Normal file
View File

@@ -0,0 +1,19 @@
namespace WorkClub.Tests.Integration.Infrastructure;
[CollectionDefinition("Database collection")]
public class DatabaseCollection : ICollectionFixture<DatabaseFixture>
{
}
public class DatabaseFixture : IAsyncLifetime
{
public Task InitializeAsync()
{
return Task.CompletedTask;
}
public Task DisposeAsync()
{
return Task.CompletedTask;
}
}

35
backend/WorkClub.Tests.Integration/Infrastructure/IntegrationTestBase.cs Normal file
View File

@@ -0,0 +1,35 @@
using System.Text.Json;
namespace WorkClub.Tests.Integration.Infrastructure;
public abstract class IntegrationTestBase : IClassFixture<CustomWebApplicationFactory<Program>>, IAsyncLifetime
{
protected readonly HttpClient Client;
protected readonly CustomWebApplicationFactory<Program> Factory;
protected IntegrationTestBase(CustomWebApplicationFactory<Program> factory)
{
Factory = factory;
Client = factory.CreateClient();
}
protected void AuthenticateAs(string email, Dictionary<string, string> clubs)
{
var clubsJson = JsonSerializer.Serialize(clubs);
Client.DefaultRequestHeaders.Remove("X-Test-Clubs");
Client.DefaultRequestHeaders.Add("X-Test-Clubs", clubsJson);
Client.DefaultRequestHeaders.Remove("X-Test-Email");
Client.DefaultRequestHeaders.Add("X-Test-Email", email);
}
protected void SetTenant(string tenantId)
{
Client.DefaultRequestHeaders.Remove("X-Tenant-Id");
Client.DefaultRequestHeaders.Add("X-Tenant-Id", tenantId);
}
public virtual Task InitializeAsync() => Task.CompletedTask;
public virtual Task DisposeAsync() => Task.CompletedTask;
}

42
backend/WorkClub.Tests.Integration/Infrastructure/TestAuthHandler.cs Normal file
View File

@@ -0,0 +1,42 @@
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace WorkClub.Tests.Integration.Infrastructure;
public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public TestAuthHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder)
: base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var clubsClaim = Context.Request.Headers["X-Test-Clubs"].ToString();
var emailClaim = Context.Request.Headers["X-Test-Email"].ToString();
var claims = new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, "test-user"),
new Claim(ClaimTypes.Email, string.IsNullOrEmpty(emailClaim) ? "test@test.com" : emailClaim),
};
if (!string.IsNullOrEmpty(clubsClaim))
{
claims.Add(new Claim("clubs", clubsClaim));
}
var identity = new ClaimsIdentity(claims, "Test");
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, "Test");
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}

194
backend/WorkClub.Tests.Integration/Middleware/TenantValidationTests.cs Normal file
View File

@@ -0,0 +1,194 @@
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Xunit;
namespace WorkClub.Tests.Integration.Middleware;
public class TenantValidationTests : IClassFixture<CustomWebApplicationFactory>
{
private readonly CustomWebApplicationFactory _factory;
private readonly HttpClient _client;
public TenantValidationTests(CustomWebApplicationFactory factory)
{
_factory = factory;
_client = factory.CreateClient();
}
[Fact]
public async Task Request_WithValidTenantId_Returns200()
{
// Arrange: Create JWT with clubs claim containing club-1
var clubs = new Dictionary<string, string>
{
{ "club-1", "admin" }
};
var token = CreateTestJwt(clubs);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
_client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-1");
// Act: Make request to test endpoint
var response = await _client.GetAsync("/api/test");
// Assert: Request should succeed
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
[Fact]
public async Task Request_WithNonMemberTenantId_Returns403()
{
// Arrange: Create JWT with clubs claim (only club-1, not club-2)
var clubs = new Dictionary<string, string>
{
{ "club-1", "admin" }
};
var token = CreateTestJwt(clubs);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
_client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-2"); // User not member of club-2
// Act
var response = await _client.GetAsync("/api/test");
// Assert: Cross-tenant access should be denied
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
}
[Fact]
public async Task Request_WithoutTenantIdHeader_Returns400()
{
// Arrange: Create valid JWT but no X-Tenant-Id header
var clubs = new Dictionary<string, string>
{
{ "club-1", "admin" }
};
var token = CreateTestJwt(clubs);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
// No X-Tenant-Id header
// Act
var response = await _client.GetAsync("/api/test");
// Assert: Missing header should return bad request
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
[Fact]
public async Task Request_WithoutAuthentication_Returns401()
{
// Arrange: No authorization header
_client.DefaultRequestHeaders.Add("X-Tenant-Id", "club-1");
// Act
var response = await _client.GetAsync("/api/test");
// Assert: Unauthenticated request should be denied
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
private static string CreateTestJwt(Dictionary<string, string> clubs)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("test-secret-key-for-jwt-signing-must-be-at-least-32-chars"));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, "test-user-id"),
new Claim(ClaimTypes.Name, "test@test.com"),
new Claim("clubs", JsonSerializer.Serialize(clubs)) // JSON object claim
};
var token = new JwtSecurityToken(
issuer: "test-issuer",
audience: "test-audience",
claims: claims,
expires: DateTime.UtcNow.AddHours(1),
signingCredentials: creds
);
return new JwtSecurityTokenHandler().WriteToken(token);
}
}
/// <summary>
/// Custom WebApplicationFactory for integration testing with test authentication.
/// </summary>
public class CustomWebApplicationFactory : WebApplicationFactory<Program>
{
protected override void ConfigureWebHost(IWebHostBuilder builder)
{
builder.ConfigureTestServices(services =>
{
services.AddAuthentication("TestScheme")
.AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("TestScheme", options => { });
services.AddAuthorization();
});
builder.UseEnvironment("Testing");
}
}
/// <summary>
/// Test authentication handler that validates JWT tokens without Keycloak.
/// </summary>
public class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public TestAuthHandler(
Microsoft.Extensions.Options.IOptionsMonitor<AuthenticationSchemeOptions> options,
Microsoft.Extensions.Logging.ILoggerFactory logger,
System.Text.Encodings.Web.UrlEncoder encoder)
: base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var authHeader = Request.Headers.Authorization.ToString();
if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Bearer "))
{
return Task.FromResult(AuthenticateResult.NoResult());
}
var token = authHeader.Substring("Bearer ".Length).Trim();
try
{
var handler = new JwtSecurityTokenHandler();
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("test-secret-key-for-jwt-signing-must-be-at-least-32-chars"));
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "test-issuer",
ValidAudience = "test-audience",
IssuerSigningKey = key
};
var principal = handler.ValidateToken(token, validationParameters, out _);
var ticket = new AuthenticationTicket(principal, "TestScheme");
return Task.FromResult(AuthenticateResult.Success(ticket));
}
catch (Exception ex)
{
return Task.FromResult(AuthenticateResult.Fail(ex.Message));
}
}
}

18
backend/WorkClub.Tests.Integration/SmokeTests.cs Normal file
View File

@@ -0,0 +1,18 @@
using System.Net;
using WorkClub.Tests.Integration.Infrastructure;
namespace WorkClub.Tests.Integration;
public class SmokeTests : IntegrationTestBase
{
public SmokeTests(CustomWebApplicationFactory<Program> factory) : base(factory)
{
}
[Fact]
public async Task HealthCheck_ReturnsOk()
{
var response = await Client.GetAsync("/health/live");
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}

1
backend/WorkClub.Tests.Integration/WorkClub.Tests.Integration.csproj
View File

@@ -9,6 +9,7 @@
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Dapper" Version="2.1.66" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
<PackageReference Include="Testcontainers.PostgreSql" Version="3.7.0" />