MasterMito/work-club-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Fix RLS permissions and JWT validation for admin club creation #5

Merged
MasterMito merged 18 commits from fix/rls-permission-test-failure into epic/admin_rework_second_try 2026-03-20 11:42:05 +01:00
Conversation 0 Commits 18 Files Changed 37
+29 -9
2 changed files with 29 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit a3ca12da26 - Show all commits
backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
+9 -8
View File
@@ -22,14 +22,15 @@ public class TenantValidationMiddleware
return; return;
} }
// Exempt bootstrap and admin endpoints from tenant validation // Exempt bootstrap, admin, and debug endpoints from tenant validation
if (context.Request.Path.StartsWithSegments("/api/clubs/me") || if (context.Request.Path.StartsWithSegments("/api/clubs/me") ||
context.Request.Path.StartsWithSegments("/api/admin")) context.Request.Path.StartsWithSegments("/api/admin") ||
{ context.Request.Path.StartsWithSegments("/api/debug"))
_logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path); {
await _next(context); _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
return; await _next(context);
} return;
}
if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) || if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
string.IsNullOrWhiteSpace(tenantIdHeader)) string.IsNullOrWhiteSpace(tenantIdHeader))
backend/WorkClub.Api/Program.cs
+20 -1
View File
@@ -31,6 +31,18 @@ builder.Services.AddScoped<MemberSyncService>();
builder.Services.AddScoped<TenantDbTransactionInterceptor>(); builder.Services.AddScoped<TenantDbTransactionInterceptor>();
builder.Services.AddSingleton<SaveChangesTenantInterceptor>(); builder.Services.AddSingleton<SaveChangesTenantInterceptor>();
// Add CORS to allow frontend requests
builder.Services.AddCors(options =>
{
options.AddPolicy("AllowFrontend", policy =>
{
policy.WithOrigins("http://localhost:3000")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options => .AddJwtBearer(options =>
{ {
@@ -111,6 +123,8 @@ if (app.Environment.IsDevelopment())
app.UseHttpsRedirection(); app.UseHttpsRedirection();
app.UseCors("AllowFrontend");
app.UseAuthentication(); app.UseAuthentication();
app.UseAuthorization(); app.UseAuthorization();
app.UseMiddleware<TenantValidationMiddleware>(); app.UseMiddleware<TenantValidationMiddleware>();
@@ -161,7 +175,12 @@ app.MapGet("/api/debug/claims", (HttpContext context) =>
hasAuthHeader = !string.IsNullOrEmpty(authHeader), hasAuthHeader = !string.IsNullOrEmpty(authHeader),
authHeaderPrefix = authHeader?.Substring(0, Math.Min(20, authHeader?.Length ?? 0)) authHeaderPrefix = authHeader?.Substring(0, Math.Min(20, authHeader?.Length ?? 0))
}); });
}).RequireAuthorization(); }).RequireAuthorization()
.AddEndpointFilter(async (context, next) =>
{
// Skip tenant validation for debug endpoint
return await next(context);
});
app.MapTaskEndpoints(); app.MapTaskEndpoints();
app.MapShiftEndpoints(); app.MapShiftEndpoints();