feat: HL tenant setup + email domain auto-assignment
- Create pre-configured Hogan Lovells tenant with demo flag and auto_assign_domains: ["hoganlovells.com"] - Add POST /api/tenants/auto-assign endpoint: checks email domain against tenant settings, auto-assigns user as associate if match - Add AutoAssignByDomain to TenantService - Update registration flow: after signup, check auto-assign before showing tenant creation form. Skip tenant creation if auto-assigned. - Add DemoBanner component shown when tenant.settings.demo is true - Extend GET /api/me to return is_demo flag from tenant settings
This commit is contained in:
@@ -356,6 +356,71 @@ func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request)
|
||||
jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
|
||||
}
|
||||
|
||||
// AutoAssign handles POST /api/tenants/auto-assign — checks if the user's email domain
|
||||
// matches any tenant's auto_assign_domains and assigns them if so.
|
||||
func (h *TenantHandler) AutoAssign(w http.ResponseWriter, r *http.Request) {
|
||||
userID, ok := auth.UserFromContext(r.Context())
|
||||
if !ok {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
var req struct {
|
||||
Email string `json:"email"`
|
||||
}
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
jsonError(w, "invalid request body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if req.Email == "" {
|
||||
jsonError(w, "email is required", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Extract domain from email
|
||||
parts := splitEmail(req.Email)
|
||||
if parts == "" {
|
||||
jsonError(w, "invalid email format", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
result, err := h.svc.AutoAssignByDomain(r.Context(), userID, parts)
|
||||
if err != nil {
|
||||
slog.Error("auto-assign failed", "error", err)
|
||||
jsonError(w, "internal error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if result == nil {
|
||||
jsonResponse(w, map[string]any{"assigned": false}, http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
jsonResponse(w, map[string]any{
|
||||
"assigned": true,
|
||||
"tenant_id": result.ID,
|
||||
"name": result.Name,
|
||||
"slug": result.Slug,
|
||||
"role": result.Role,
|
||||
"settings": result.Settings,
|
||||
}, http.StatusOK)
|
||||
}
|
||||
|
||||
// splitEmail extracts the domain part from an email address.
|
||||
func splitEmail(email string) string {
|
||||
at := -1
|
||||
for i, c := range email {
|
||||
if c == '@' {
|
||||
at = i
|
||||
break
|
||||
}
|
||||
}
|
||||
if at < 0 || at >= len(email)-1 {
|
||||
return ""
|
||||
}
|
||||
return email[at+1:]
|
||||
}
|
||||
|
||||
// GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
|
||||
func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
|
||||
userID, ok := auth.UserFromContext(r.Context())
|
||||
@@ -370,11 +435,26 @@ func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
|
||||
// Get user's permissions for frontend UI
|
||||
perms := auth.GetRolePermissions(role)
|
||||
|
||||
// Check if tenant is in demo mode
|
||||
isDemo := false
|
||||
if tenant, err := h.svc.GetByID(r.Context(), tenantID); err == nil && tenant != nil {
|
||||
var settings map[string]json.RawMessage
|
||||
if json.Unmarshal(tenant.Settings, &settings) == nil {
|
||||
if demoRaw, ok := settings["demo"]; ok {
|
||||
var demo bool
|
||||
if json.Unmarshal(demoRaw, &demo) == nil {
|
||||
isDemo = demo
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
jsonResponse(w, map[string]any{
|
||||
"user_id": userID,
|
||||
"tenant_id": tenantID,
|
||||
"role": role,
|
||||
"permissions": perms,
|
||||
"is_demo": isDemo,
|
||||
}, http.StatusOK)
|
||||
}
|
||||
|
||||
|
||||
@@ -240,6 +240,54 @@ func (s *TenantService) UpdateMemberRole(ctx context.Context, tenantID, userID u
|
||||
return nil
|
||||
}
|
||||
|
||||
// AutoAssignByDomain finds a tenant with a matching auto_assign_domains setting
|
||||
// and adds the user as a member. Returns the tenant and role, or nil if no match.
|
||||
func (s *TenantService) AutoAssignByDomain(ctx context.Context, userID uuid.UUID, emailDomain string) (*models.TenantWithRole, error) {
|
||||
// Find tenant where settings.auto_assign_domains contains this domain
|
||||
var tenant models.Tenant
|
||||
err := s.db.GetContext(ctx, &tenant,
|
||||
`SELECT id, name, slug, settings, created_at, updated_at
|
||||
FROM tenants
|
||||
WHERE settings->'auto_assign_domains' ? $1
|
||||
LIMIT 1`,
|
||||
emailDomain,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, nil // no match — not an error
|
||||
}
|
||||
|
||||
// Check if already a member
|
||||
var exists bool
|
||||
err = s.db.GetContext(ctx, &exists,
|
||||
`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
|
||||
userID, tenant.ID,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("check membership: %w", err)
|
||||
}
|
||||
if exists {
|
||||
// Already a member — return the existing membership
|
||||
role, err := s.GetUserRole(ctx, userID, tenant.ID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("get existing role: %w", err)
|
||||
}
|
||||
return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
|
||||
}
|
||||
|
||||
// Add as member (associate by default for auto-assigned users)
|
||||
role := "associate"
|
||||
_, err = s.db.ExecContext(ctx,
|
||||
`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, $3)`,
|
||||
userID, tenant.ID, role,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("auto-assign user: %w", err)
|
||||
}
|
||||
|
||||
s.audit.Log(ctx, "create", "auto_membership", &tenant.ID, map[string]any{"domain": emailDomain}, map[string]any{"user_id": userID, "role": role})
|
||||
return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
|
||||
}
|
||||
|
||||
// RemoveMember removes a user from a tenant. Cannot remove the last owner.
|
||||
func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
|
||||
// Check if the user being removed is an owner
|
||||
|
||||
Reference in New Issue
Block a user