feat: HL tenant + email domain auto-assignment

2026-03-30 11:29:53 +02:00
parent 93a25e3d72 118bae1ae3
commit 6b8c6f761d
11 changed files with 224 additions and 40 deletions
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -43,7 +43,7 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		}
 		ctx = ContextWithRequestInfo(ctx, ip, r.UserAgent())

-		// Tenant resolution is handled by TenantResolver middleware for scoped routes.
+		// Tenant/role resolution is handled by TenantResolver middleware for scoped routes.
 		// Tenant management routes handle their own access control.
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
--- a/backend/internal/auth/tenant_resolver.go
+++ b/backend/internal/auth/tenant_resolver.go
@@ -12,7 +12,6 @@ import (
 // Defined as an interface to avoid circular dependency with services.
 type TenantLookup interface {
 	FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
-	VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
 	GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error)
 }

@@ -42,7 +41,6 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
 				return
 			}
-
 			// Verify user has access and get their role
 			role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
 			if err != nil {
@@ -58,7 +56,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 			tenantID = parsed
 			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		} else {
-			// Default to user's first tenant (role already set by middleware)
+			// Default to user's first tenant
 			first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
 			if err != nil {
 				slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
@@ -70,6 +68,15 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
 				return
 			}
 			tenantID = *first
+
+			// Resolve role for default tenant
+			role, err := tr.lookup.GetUserRole(r.Context(), userID, tenantID)
+			if err != nil {
+				slog.Error("failed to resolve role for default tenant", "error", err)
+				http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
+				return
+			}
+			r = r.WithContext(ContextWithUserRole(r.Context(), role))
 		}

 		ctx := ContextWithTenantID(r.Context(), tenantID)
--- a/backend/internal/auth/tenant_resolver_test.go
+++ b/backend/internal/auth/tenant_resolver_test.go
@@ -10,27 +10,18 @@ import (
 )

 type mockTenantLookup struct {
-	tenantID  *uuid.UUID
-	err       error
-	hasAccess bool
-	accessErr error
-	role      string
-	noAccess  bool // when true, GetUserRole returns ""
+	tenantID *uuid.UUID
+	role     string
+	roleSet  bool // true means role was explicitly set (even if empty)
+	err      error
 }

 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }

-func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
-	return m.hasAccess, m.accessErr
-}
-
 func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
-	if m.noAccess {
-		return "", m.err
-	}
-	if m.role != "" {
+	if m.roleSet {
 		return m.role, m.err
 	}
 	return "associate", m.err
@@ -38,7 +29,7 @@ func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uui

 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{role: "partner", hasAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{role: "partner"})

 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -67,7 +58,7 @@ func TestTenantResolver_FromHeader(t *testing.T) {

 func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{noAccess: true})
+	tr := NewTenantResolver(&mockTenantLookup{role: "", roleSet: true})

 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Fatal("next should not be called")
@@ -87,7 +78,7 @@ func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {

 func TestTenantResolver_DefaultsToFirst(t *testing.T) {
 	tenantID := uuid.New()
-	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
+	tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID, role: "owner"})

 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/backend/internal/handlers/tenant_handler.go
+++ b/backend/internal/handlers/tenant_handler.go
@@ -356,6 +356,71 @@ func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request)
 	jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
 }

+// AutoAssign handles POST /api/tenants/auto-assign — checks if the user's email domain
+// matches any tenant's auto_assign_domains and assigns them if so.
+func (h *TenantHandler) AutoAssign(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req struct {
+		Email string `json:"email"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if req.Email == "" {
+		jsonError(w, "email is required", http.StatusBadRequest)
+		return
+	}
+
+	// Extract domain from email
+	parts := splitEmail(req.Email)
+	if parts == "" {
+		jsonError(w, "invalid email format", http.StatusBadRequest)
+		return
+	}
+
+	result, err := h.svc.AutoAssignByDomain(r.Context(), userID, parts)
+	if err != nil {
+		slog.Error("auto-assign failed", "error", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if result == nil {
+		jsonResponse(w, map[string]any{"assigned": false}, http.StatusOK)
+		return
+	}
+
+	jsonResponse(w, map[string]any{
+		"assigned":  true,
+		"tenant_id": result.ID,
+		"name":      result.Name,
+		"slug":      result.Slug,
+		"role":      result.Role,
+		"settings":  result.Settings,
+	}, http.StatusOK)
+}
+
+// splitEmail extracts the domain part from an email address.
+func splitEmail(email string) string {
+	at := -1
+	for i, c := range email {
+		if c == '@' {
+			at = i
+			break
+		}
+	}
+	if at < 0 || at >= len(email)-1 {
+		return ""
+	}
+	return email[at+1:]
+}
+
 // GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
 func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	userID, ok := auth.UserFromContext(r.Context())
@@ -370,11 +435,26 @@ func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	// Get user's permissions for frontend UI
 	perms := auth.GetRolePermissions(role)

+	// Check if tenant is in demo mode
+	isDemo := false
+	if tenant, err := h.svc.GetByID(r.Context(), tenantID); err == nil && tenant != nil {
+		var settings map[string]json.RawMessage
+		if json.Unmarshal(tenant.Settings, &settings) == nil {
+			if demoRaw, ok := settings["demo"]; ok {
+				var demo bool
+				if json.Unmarshal(demoRaw, &demo) == nil {
+					isDemo = demo
+				}
+			}
+		}
+	}
+
 	jsonResponse(w, map[string]any{
 		"user_id":     userID,
 		"tenant_id":   tenantID,
 		"role":        role,
 		"permissions": perms,
+		"is_demo":     isDemo,
 	}, http.StatusOK)
 }

--- a/backend/internal/router/router.go
+++ b/backend/internal/router/router.go
@@ -77,6 +77,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	api := http.NewServeMux()

 	// Tenant management (no tenant resolver — these operate across tenants)
+	api.HandleFunc("POST /api/tenants/auto-assign", tenantH.AutoAssign)
 	api.HandleFunc("POST /api/tenants", tenantH.CreateTenant)
 	api.HandleFunc("GET /api/tenants", tenantH.ListTenants)
 	api.HandleFunc("GET /api/tenants/{id}", tenantH.GetTenant)
@@ -161,7 +162,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
 	scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)

 	// Audit log
-	scoped.HandleFunc("GET /api/audit-log", auditH.List)
+	scoped.HandleFunc("GET /api/audit-log", perm(auth.PermViewAuditLog, auditH.List))

 	// Documents — all can upload, delete checked in handler (own vs all)
 	scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
--- a/backend/internal/services/tenant_service.go
+++ b/backend/internal/services/tenant_service.go
@@ -240,6 +240,54 @@ func (s *TenantService) UpdateMemberRole(ctx context.Context, tenantID, userID u
 	return nil
 }

+// AutoAssignByDomain finds a tenant with a matching auto_assign_domains setting
+// and adds the user as a member. Returns the tenant and role, or nil if no match.
+func (s *TenantService) AutoAssignByDomain(ctx context.Context, userID uuid.UUID, emailDomain string) (*models.TenantWithRole, error) {
+	// Find tenant where settings.auto_assign_domains contains this domain
+	var tenant models.Tenant
+	err := s.db.GetContext(ctx, &tenant,
+		`SELECT id, name, slug, settings, created_at, updated_at
+		 FROM tenants
+		 WHERE settings->'auto_assign_domains' ? $1
+		 LIMIT 1`,
+		emailDomain,
+	)
+	if err != nil {
+		return nil, nil // no match — not an error
+	}
+
+	// Check if already a member
+	var exists bool
+	err = s.db.GetContext(ctx, &exists,
+		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
+		userID, tenant.ID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("check membership: %w", err)
+	}
+	if exists {
+		// Already a member — return the existing membership
+		role, err := s.GetUserRole(ctx, userID, tenant.ID)
+		if err != nil {
+			return nil, fmt.Errorf("get existing role: %w", err)
+		}
+		return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+	}
+
+	// Add as member (associate by default for auto-assigned users)
+	role := "associate"
+	_, err = s.db.ExecContext(ctx,
+		`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, $3)`,
+		userID, tenant.ID, role,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("auto-assign user: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "auto_membership", &tenant.ID, map[string]any{"domain": emailDomain}, map[string]any{"user_id": userID, "role": role})
+	return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+}
+
 // RemoveMember removes a user from a tenant. Cannot remove the last owner.
 func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
 	// Check if the user being removed is an owner