feat: add tenant + auth backend endpoints (Phase 1A)

Tenant management: - POST /api/tenants — create tenant (creator becomes owner) - GET /api/tenants — list tenants for authenticated user - GET /api/tenants/:id — tenant details with access check - POST /api/tenants/:id/invite — invite user by email (owner/admin) - DELETE /api/tenants/:id/members/:uid — remove member - GET /api/tenants/:id/members — list members New packages: - internal/services/tenant_service.go — CRUD on tenants + user_tenants - internal/handlers/tenant_handler.go — HTTP handlers with auth checks - internal/auth/tenant_resolver.go — X-Tenant-ID header middleware, defaults to user's first tenant for scoped routes Authorization: owners/admins can invite and remove members. Cannot remove the last owner. Users can remove themselves. TenantResolver applies to resource routes (cases, deadlines, etc.) but not tenant management routes.
2026-03-25 13:27:39 +01:00
parent 8049ea3c63
commit 0b6bab8512
7 changed files with 808 additions and 6 deletions
--- a/backend/internal/models/tenant.go
+++ b/backend/internal/models/tenant.go
@@ -22,3 +22,9 @@ type UserTenant struct {
 	Role      string    `db:"role" json:"role"`
 	CreatedAt time.Time `db:"created_at" json:"created_at"`
 }
+
+// TenantWithRole is a Tenant joined with the user's role in that tenant.
+type TenantWithRole struct {
+	Tenant
+	Role string `db:"role" json:"role"`
+}