feat(auth): add workspace scope middleware and context

Introduces current-workspace context helpers plus a WorkspaceScope
middleware that validates X-Workspace-ID against workspace memberships,
defaulting to the actor's primary workspace. Prepares monitoring paths
to resolve quota/access-state per request workspace instead of per tenant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-24 22:18:54 +08:00
parent 4174aafcbc
commit ffe4d335aa
4 changed files with 180 additions and 0 deletions
+24
View File
@@ -10,6 +10,7 @@ type Actor struct {
}
type actorKey struct{}
type currentWorkspaceIDKey struct{}
func WithActor(ctx context.Context, actor Actor) context.Context {
return context.WithValue(ctx, actorKey{}, actor)
@@ -27,3 +28,26 @@ func MustActor(ctx context.Context) Actor {
}
return actor
}
func WithCurrentWorkspaceID(ctx context.Context, workspaceID int64) context.Context {
return context.WithValue(ctx, currentWorkspaceIDKey{}, workspaceID)
}
func CurrentWorkspaceIDFromCtx(ctx context.Context) (int64, bool) {
workspaceID, ok := ctx.Value(currentWorkspaceIDKey{}).(int64)
if !ok || workspaceID <= 0 {
return 0, false
}
return workspaceID, true
}
func CurrentWorkspaceID(ctx context.Context) int64 {
if workspaceID, ok := CurrentWorkspaceIDFromCtx(ctx); ok {
return workspaceID
}
actor, ok := ActorFromCtx(ctx)
if !ok {
return 0
}
return actor.PrimaryWorkspaceID
}
@@ -47,3 +47,31 @@ func TestActorCarriesPrimaryWorkspaceID(t *testing.T) {
assert.True(t, ok)
assert.Equal(t, int64(30), actor.PrimaryWorkspaceID)
}
func TestCurrentWorkspaceIDFallsBackToPrimaryWorkspace(t *testing.T) {
ctx := WithActor(context.Background(), Actor{
UserID: 10,
TenantID: 20,
PrimaryWorkspaceID: 30,
Role: "member",
})
assert.Equal(t, int64(30), CurrentWorkspaceID(ctx))
_, ok := CurrentWorkspaceIDFromCtx(ctx)
assert.False(t, ok)
}
func TestCurrentWorkspaceIDUsesScopedWorkspace(t *testing.T) {
ctx := WithActor(context.Background(), Actor{
UserID: 10,
TenantID: 20,
PrimaryWorkspaceID: 30,
Role: "member",
})
ctx = WithCurrentWorkspaceID(ctx, 40)
got, ok := CurrentWorkspaceIDFromCtx(ctx)
assert.True(t, ok)
assert.Equal(t, int64(40), got)
assert.Equal(t, int64(40), CurrentWorkspaceID(ctx))
}
@@ -76,3 +76,48 @@ func TestTenantIDFromCtx_RoundTrip(t *testing.T) {
func TestTenantIDFromCtx_Missing(t *testing.T) {
assert.Equal(t, int64(0), TenantIDFromCtx(context.Background()))
}
func TestWorkspaceScopeDefaultsToActorPrimaryWorkspace(t *testing.T) {
r := gin.New()
r.Use(func(c *gin.Context) {
actor := auth.Actor{UserID: 1, TenantID: 10, PrimaryWorkspaceID: 30, Role: "editor"}
c.Request = c.Request.WithContext(auth.WithActor(c.Request.Context(), actor))
c.Next()
})
r.Use(WorkspaceScope(nil))
var gotWorkspaceID int64
r.GET("/test", func(c *gin.Context) {
gotWorkspaceID = auth.CurrentWorkspaceID(c.Request.Context())
c.Status(http.StatusOK)
})
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodGet, "/test", nil)
r.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, int64(30), gotWorkspaceID)
}
func TestRequestedWorkspaceIDDefaultsToPrimary(t *testing.T) {
got, err := requestedWorkspaceID("", 42)
assert.NoError(t, err)
assert.Equal(t, int64(42), got)
}
func TestRequestedWorkspaceIDParsesHeader(t *testing.T) {
got, err := requestedWorkspaceID("84", 42)
assert.NoError(t, err)
assert.Equal(t, int64(84), got)
}
func TestRequestedWorkspaceIDRejectsInvalidHeader(t *testing.T) {
_, err := requestedWorkspaceID("nope", 42)
assert.Error(t, err)
}
func TestRequestedWorkspaceIDRejectsNonPositiveHeader(t *testing.T) {
_, err := requestedWorkspaceID("0", 42)
assert.Error(t, err)
}
@@ -0,0 +1,83 @@
package middleware
import (
"context"
"errors"
"fmt"
"strconv"
"strings"
"github.com/gin-gonic/gin"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgxpool"
"github.com/geo-platform/tenant-api/internal/shared/auth"
"github.com/geo-platform/tenant-api/internal/shared/response"
)
const WorkspaceIDHeader = "X-Workspace-ID"
func WorkspaceScope(pool *pgxpool.Pool) gin.HandlerFunc {
return func(c *gin.Context) {
actor, ok := auth.ActorFromCtx(c.Request.Context())
if !ok || actor.TenantID == 0 || actor.UserID == 0 || actor.PrimaryWorkspaceID == 0 {
response.Error(c, response.ErrUnauthorized(40105, "workspace_scope_missing", "workspace context is required"))
c.Abort()
return
}
workspaceID, err := requestedWorkspaceID(c.GetHeader(WorkspaceIDHeader), actor.PrimaryWorkspaceID)
if err != nil {
response.Error(c, response.ErrBadRequest(40032, "invalid_workspace_id", "workspace id must be a positive number"))
c.Abort()
return
}
if workspaceID != actor.PrimaryWorkspaceID {
if pool == nil {
response.Error(c, response.ErrInternal(50012, "workspace_scope_unavailable", "workspace scope validation is unavailable"))
c.Abort()
return
}
if err := validateWorkspaceMembership(c.Request.Context(), pool, actor.TenantID, workspaceID, actor.UserID); err != nil {
if errors.Is(err, pgx.ErrNoRows) {
response.Error(c, response.ErrForbidden(40312, "workspace_forbidden", "workspace is not available for current user"))
} else {
response.Error(c, response.ErrInternal(50012, "workspace_scope_lookup_failed", "failed to validate workspace scope"))
}
c.Abort()
return
}
}
c.Request = c.Request.WithContext(auth.WithCurrentWorkspaceID(c.Request.Context(), workspaceID))
c.Next()
}
}
func requestedWorkspaceID(raw string, fallback int64) (int64, error) {
trimmed := strings.TrimSpace(raw)
if trimmed == "" {
return fallback, nil
}
workspaceID, err := strconv.ParseInt(trimmed, 10, 64)
if err != nil {
return 0, err
}
if workspaceID <= 0 {
return 0, fmt.Errorf("workspace id must be positive")
}
return workspaceID, nil
}
func validateWorkspaceMembership(ctx context.Context, pool *pgxpool.Pool, tenantID, workspaceID, userID int64) error {
var exists int
return pool.QueryRow(ctx, `
SELECT 1
FROM workspace_memberships
WHERE tenant_id = $1
AND workspace_id = $2
AND user_id = $3
LIMIT 1
`, tenantID, workspaceID, userID).Scan(&exists)
}