MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware

Browse Source 
- Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups)
- Implement RLS policies with SET LOCAL for tenant isolation
- Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback
- Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header
- Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor)
- Configure AppDbContext with tenant scoping and RLS support
- Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture
- Write TDD integration tests for multi-tenant isolation and RLS enforcement
- Add health check null safety for connection string

Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)
This commit is contained in:
WorkClub Automation
2026-03-03 14:32:21 +01:00
parent b9edbb8a65
commit 28964c6767
35 changed files with 4006 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
backend/WorkClub.Infrastructure/Migrations/add-rls-policies.sql Normal file
View File

@@ -0,0 +1,53 @@
-- Enable Row-Level Security on all tenant-scoped tables
ALTER TABLE clubs ENABLE ROW LEVEL SECURITY;
ALTER TABLE members ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE shifts ENABLE ROW LEVEL SECURITY;
ALTER TABLE shift_signups ENABLE ROW LEVEL SECURITY;
-- Create tenant_isolation policies for tables with direct tenant_id column
CREATE POLICY tenant_isolation ON clubs
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON members
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON work_items
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
CREATE POLICY tenant_isolation ON shifts
FOR ALL
USING ("TenantId" = current_setting('app.current_tenant_id', true)::text);
-- Special policy for shift_signups (no direct tenant_id, uses subquery via shifts)
CREATE POLICY tenant_isolation ON shift_signups
FOR ALL
USING ("ShiftId" IN (SELECT "Id" FROM shifts WHERE "TenantId" = current_setting('app.current_tenant_id', true)::text));
-- Create bypass_rls_policy for app_admin role
CREATE POLICY bypass_rls_policy ON clubs
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON members
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON work_items
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shifts
FOR ALL TO app_admin
USING (true);
CREATE POLICY bypass_rls_policy ON shift_signups
FOR ALL TO app_admin
USING (true);