MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
3313bd0fbaffda27e92b12b4d4277bad664973ba
work-club-manager/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
WorkClub Automation 18be0fb183 fix: exempt /api/clubs/me from tenant validation 
- Add path exemption in TenantValidationMiddleware for /api/clubs/me
- Change authorization policy from RequireMember to RequireViewer
- Fix KEYCLOAK_CLIENT_ID in docker-compose.yml (workclub-app)
- Resolves frontend chicken-and-egg problem for club discovery

Verified:
- /api/clubs/me returns 200 OK without X-Tenant-Id header
- /api/tasks still requires X-Tenant-Id (400 Bad Request)
- Other endpoints unaffected
2026-03-05 21:32:34 +01:00

70 lines
2.6 KiB
C#
Raw Blame History

using System.Text.Json;
namespace WorkClub.Api.Middleware;
public class TenantValidationMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<TenantValidationMiddleware> _logger;
public TenantValidationMiddleware(RequestDelegate next, ILogger<TenantValidationMiddleware> logger)
{
_next = next;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context)
{
_logger.LogInformation("TenantValidationMiddleware: Processing request for {Path}", context.Request.Path);
if (!context.User.Identity?.IsAuthenticated ?? true)
{
await _next(context);
return;
}
// Exempt /api/clubs/me from tenant validation - this is the bootstrap endpoint
if (context.Request.Path.StartsWithSegments("/api/clubs/me"))
{
_logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
await _next(context);
return;
}
if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
string.IsNullOrWhiteSpace(tenantIdHeader))
{
context.Response.StatusCode = StatusCodes.Status400BadRequest;
await context.Response.WriteAsJsonAsync(new { error = "X-Tenant-Id header is required" });
return;
}
var requestedTenantId = tenantIdHeader.ToString();
var clubsClaim = context.User.FindFirst("clubs")?.Value;
if (string.IsNullOrEmpty(clubsClaim))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = "User does not have clubs claim" });
return;
}
// Parse comma-separated club UUIDs
var clubIds = clubsClaim.Split(',', StringSplitOptions.RemoveEmptyEntries)
.Select(id => id.Trim())
.ToArray();
if (clubIds.Length == 0 || !clubIds.Contains(requestedTenantId))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
await context.Response.WriteAsJsonAsync(new { error = $"User is not a member of tenant {requestedTenantId}" });
return;
}
// Store validated tenant ID in HttpContext.Items for downstream middleware/services
context.Items["TenantId"] = requestedTenantId;
_logger.LogInformation("TenantValidationMiddleware: Set TenantId={TenantId} in HttpContext.Items", requestedTenantId);
await _next(context);
}
}
Reference in New Issue View Git Blame Copy Permalink