jezzsantos / saastack

A comprehensive codebase template for starting your real-world, fully featured SaaS web products. On the .NET platform
The Unlicense

Detecting multi-tenancy #25

Closed jezzsantos closed 4 months ago

jezzsantos commented 4 months ago

We can only access the instance of the current request DTO from an IEndpointFilter (like the MultiTenancyFilter). These endpoint filters execute after all the middleware has been executed (including any custom middleware).

Trying to access the instance of the request DTO outside the IEndpointFilter is ideal, but presently not feasible. Need more research.

We need the tenantId at the time that we verify Authorization roles and features for specific organizations. This occurs during the Authentication/Authorization middleware, which occurs way up the request pipeline. At that time, we simply don't have access to the TenantId from the request DTO, since it is set way further down the pipeline.

In order to perform Authorization fully (with these constraints in place), we either:

  1. Find a way to access the request DTO outside the IEndpointFilter. Then, we can set the TenantId in a middleware before the Authentication/Authorization middleware runs, and we move from IEndpointFilter to Middleware.
  2. Do not verify that the user has a specific organization in the Authorization middleware; just match the role part, not the tenant part, as the tenantId will be matched later in the pipeline (by the MultiTenancyFilter).
  3. Other options?

jezzsantos commented 4 months ago
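An added illustration of option 2 (not SaaStack's own code): the authorization policy checks only the role, and an `IEndpointFilter`, which runs after authentication/authorization and so can see the bound request DTO, matches the tenant part. The `ITenantRequest` interface, `GetCarRequest` DTO, `ITenantMembership` service and the `"sub"` claim name are assumptions for the example.

```csharp
// Added example, not SaaStack's code. Hypothetical DTO, membership service and claim name.
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication().AddJwtBearer(); // scheme configured elsewhere (assumed)
// Option 2: the policy verifies only the role; the tenant is checked later by the filter.
builder.Services.AddAuthorization(o => o.AddPolicy("OrgMember", p => p.RequireRole("member")));
builder.Services.AddSingleton<ITenantMembership, InMemoryTenantMembership>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization(); // middleware: request DTO is not bound yet at this point

app.MapGet("/organizations/{organizationId}/cars/{carId}",
        ([AsParameters] GetCarRequest request) => Results.Ok(new { request.OrganizationId, request.CarId }))
    .RequireAuthorization("OrgMember")
    .AddEndpointFilter<MultiTenancyFilter>(); // endpoint filter: DTO is available here
app.Run();

public interface ITenantRequest { string? OrganizationId { get; } }
public record GetCarRequest(string? OrganizationId, string CarId) : ITenantRequest;

public interface ITenantMembership { bool IsMember(string userId, string organizationId); }

// Constructed sample data standing in for a real membership store.
public sealed class InMemoryTenantMembership : ITenantMembership
{
    private static readonly HashSet<(string, string)> Members = new() { ("user-1", "org-A") };
    public bool IsMember(string userId, string organizationId) => Members.Contains((userId, organizationId));
}

public sealed class MultiTenancyFilter : IEndpointFilter
{
    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
        var request = context.Arguments.OfType<ITenantRequest>().FirstOrDefault();
        if (request?.OrganizationId is null)
            return Results.BadRequest("OrganizationId is required");

        var userId = context.HttpContext.User.FindFirst("sub")?.Value;
        var membership = context.HttpContext.RequestServices.GetRequiredService<ITenantMembership>();
        // The role part already passed in the authorization middleware; deny the tenant part here.
        if (userId is null || !membership.IsMember(userId, request.OrganizationId))
            return Results.Forbid();

        context.HttpContext.Items["TenantId"] = request.OrganizationId;
        return await next(context);
    }
}
```

Because the tenant check lives in the filter, any middleware that runs before it (including custom middleware) still sees no TenantId, which is exactly the gap the issue describes.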

Have asked for help from: https://github.com/dotnet/aspnetcore/issues/54237