MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix(backend): update middleware ordering and interceptors for RLS

Browse Source 
Update TenantValidationMiddleware, Program.cs startup sequence,
SaveChangesTenantInterceptor, and TenantProvider to ensure proper
middleware ordering and tenant context initialization before database access.

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
This commit is contained in:
WorkClub Automation
2026-03-05 19:22:21 +01:00
parent 5a4bb16413
commit 3b7db39cc2
4 changed files with 23 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
View File

@@ -5,14 +5,17 @@ namespace WorkClub.Api.Middleware;
public class TenantValidationMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<TenantValidationMiddleware> _logger;
public TenantValidationMiddleware(RequestDelegate next)
public TenantValidationMiddleware(RequestDelegate next, ILogger<TenantValidationMiddleware> logger)
{
_next = next;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context)
{
_logger.LogInformation("TenantValidationMiddleware: Processing request for {Path}", context.Request.Path);
if (!context.User.Identity?.IsAuthenticated ?? true)
{
await _next(context);
@@ -37,25 +40,22 @@ public class TenantValidationMiddleware
return;
}
Dictionary<string, string>? clubsDict;
try
{
clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
}
catch (JsonException)
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = "Invalid clubs claim format" });
return;
}
// Parse comma-separated club UUIDs
var clubIds = clubsClaim.Split(',', StringSplitOptions.RemoveEmptyEntries)
.Select(id => id.Trim())
.ToArray();
if (clubsDict == null || !clubsDict.ContainsKey(requestedTenantId))
if (clubIds.Length == 0 || !clubIds.Contains(requestedTenantId))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = $"User is not a member of tenant {requestedTenantId}" });
return;
}
// Store validated tenant ID in HttpContext.Items for downstream middleware/services
context.Items["TenantId"] = requestedTenantId;
_logger.LogInformation("TenantValidationMiddleware: Set TenantId={TenantId} in HttpContext.Items", requestedTenantId);
await _next(context);
}
}

12
backend/WorkClub.Api/Program.cs
View File

@@ -1,4 +1,3 @@
using Finbuckle.MultiTenant;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.EntityFrameworkCore;
@@ -19,14 +18,6 @@ var builder = WebApplication.CreateBuilder(args);
builder.Services.AddOpenApi();
builder.Services.AddMultiTenant<TenantInfo>()
.WithHeaderStrategy("X-Tenant-Id")
.WithClaimStrategy("tenant_id")
.WithInMemoryStore(options =>
{
options.IsCaseSensitive = false;
});
builder.Services.AddHttpContextAccessor();
builder.Services.AddScoped<ITenantProvider, TenantProvider>();
builder.Services.AddScoped<SeedDataService>();
@@ -36,7 +27,7 @@ builder.Services.AddScoped<ClubService>();
builder.Services.AddScoped<MemberService>();
builder.Services.AddScoped<MemberSyncService>();
builder.Services.AddSingleton<TenantDbConnectionInterceptor>();
builder.Services.AddScoped<TenantDbConnectionInterceptor>();
builder.Services.AddSingleton<SaveChangesTenantInterceptor>();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
@@ -93,7 +84,6 @@ if (app.Environment.IsDevelopment())
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseMultiTenant();
app.UseMiddleware<TenantValidationMiddleware>();
app.UseAuthorization();
app.UseMiddleware<MemberSyncMiddleware>();