work-club-manager/backend/WorkClub.Infrastructure/Services/TenantProvider.cs

using System.Security.Claims;
using System.Text.Json;
using Finbuckle.MultiTenant;
using Finbuckle.MultiTenant.Abstractions;
using Microsoft.AspNetCore.Http;
using WorkClub.Application.Interfaces;

namespace WorkClub.Infrastructure.Services;

public class TenantProvider : ITenantProvider
{
    private readonly IMultiTenantContextAccessor<TenantInfo> _multiTenantContextAccessor;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public TenantProvider(
        IMultiTenantContextAccessor<TenantInfo> multiTenantContextAccessor,
        IHttpContextAccessor httpContextAccessor)
    {
        _multiTenantContextAccessor = multiTenantContextAccessor;
        _httpContextAccessor = httpContextAccessor;
    }

    public string GetTenantId()
    {
        var tenantInfo = _multiTenantContextAccessor.MultiTenantContext?.TenantInfo;
        if (tenantInfo == null || string.IsNullOrEmpty(tenantInfo.Identifier))
        {
            throw new InvalidOperationException("Tenant context is not available");
        }
        
        return tenantInfo.Identifier;
    }

    public string GetUserRole()
    {
        var httpContext = _httpContextAccessor.HttpContext;
        if (httpContext?.User == null)
        {
            throw new InvalidOperationException("User context is not available");
        }

        var tenantId = GetTenantId();
        var clubsClaim = httpContext.User.FindFirst("clubs")?.Value;
        
        if (string.IsNullOrEmpty(clubsClaim))
        {
            throw new InvalidOperationException("User does not have clubs claim");
        }

        var clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
        if (clubsDict == null || !clubsDict.TryGetValue(tenantId, out var role))
        {
            throw new InvalidOperationException($"User is not a member of tenant {tenantId}");
        }

        return role;
    }
}