feat(#194): Fix workspace ID transmission mismatch between API and client

- Update WorkspaceGuard to support query string as fallback (backward compatibility) - Priority order: Header > Param > Body > Query - Update web client to send workspace ID via X-Workspace-Id header (recommended) - Extend apiRequest helpers to accept workspace ID option - Update fetchTasks to use header instead of query parameter - Add comprehensive tests for all workspace ID transmission methods - Tests passing: API 11 tests, Web 6 new tests (total 494) This ensures consistent workspace ID handling with proper multi-tenant isolation while maintaining backward compatibility with existing query string approaches. Fixes #194 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 22:38:13 -06:00
parent ae4221968e
commit 88be403c86
27 changed files with 706 additions and 33 deletions
--- a/apps/api/src/common/guards/workspace.guard.spec.ts
+++ b/apps/api/src/common/guards/workspace.guard.spec.ts
@@ -37,13 +37,15 @@ describe("WorkspaceGuard", () => {
    user: any,
    headers: Record<string, string> = {},
    params: Record<string, string> = {},
-    body: Record<string, any> = {}
+    body: Record<string, any> = {},
+    query: Record<string, string> = {}
  ): ExecutionContext => {
    const mockRequest = {
      user,
      headers,
      params,
      body,
+      query,
    };

    return {
@@ -111,16 +113,40 @@ describe("WorkspaceGuard", () => {
      expect(result).toBe(true);
    });

-    it("should prioritize header over param and body", async () => {
+    it("should allow access when user is a workspace member (via query string)", async () => {
+      const context = createMockExecutionContext({ id: userId }, {}, {}, {}, { workspaceId });
+
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
+        workspaceId,
+        userId,
+        role: "MEMBER",
+      });
+
+      const result = await guard.canActivate(context);
+
+      expect(result).toBe(true);
+      expect(mockPrismaService.workspaceMember.findUnique).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId,
+          },
+        },
+      });
+    });
+
+    it("should prioritize header over param, body, and query", async () => {
      const headerWorkspaceId = "workspace-header";
      const paramWorkspaceId = "workspace-param";
      const bodyWorkspaceId = "workspace-body";
+      const queryWorkspaceId = "workspace-query";

      const context = createMockExecutionContext(
        { id: userId },
        { "x-workspace-id": headerWorkspaceId },
        { workspaceId: paramWorkspaceId },
-        { workspaceId: bodyWorkspaceId }
+        { workspaceId: bodyWorkspaceId },
+        { workspaceId: queryWorkspaceId }
      );

      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
@@ -141,6 +167,67 @@ describe("WorkspaceGuard", () => {
      });
    });

+    it("should prioritize param over body and query when header missing", async () => {
+      const paramWorkspaceId = "workspace-param";
+      const bodyWorkspaceId = "workspace-body";
+      const queryWorkspaceId = "workspace-query";
+
+      const context = createMockExecutionContext(
+        { id: userId },
+        {},
+        { workspaceId: paramWorkspaceId },
+        { workspaceId: bodyWorkspaceId },
+        { workspaceId: queryWorkspaceId }
+      );
+
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
+        workspaceId: paramWorkspaceId,
+        userId,
+        role: "MEMBER",
+      });
+
+      await guard.canActivate(context);
+
+      expect(mockPrismaService.workspaceMember.findUnique).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId: paramWorkspaceId,
+            userId,
+          },
+        },
+      });
+    });
+
+    it("should prioritize body over query when header and param missing", async () => {
+      const bodyWorkspaceId = "workspace-body";
+      const queryWorkspaceId = "workspace-query";
+
+      const context = createMockExecutionContext(
+        { id: userId },
+        {},
+        {},
+        { workspaceId: bodyWorkspaceId },
+        { workspaceId: queryWorkspaceId }
+      );
+
+      mockPrismaService.workspaceMember.findUnique.mockResolvedValue({
+        workspaceId: bodyWorkspaceId,
+        userId,
+        role: "MEMBER",
+      });
+
+      await guard.canActivate(context);
+
+      expect(mockPrismaService.workspaceMember.findUnique).toHaveBeenCalledWith({
+        where: {
+          workspaceId_userId: {
+            workspaceId: bodyWorkspaceId,
+            userId,
+          },
+        },
+      });
+    });
+
    it("should throw ForbiddenException when user is not authenticated", async () => {
      const context = createMockExecutionContext(null, { "x-workspace-id": workspaceId });

--- a/apps/api/src/common/guards/workspace.guard.ts
+++ b/apps/api/src/common/guards/workspace.guard.ts
@@ -30,11 +30,12 @@ import type { AuthenticatedRequest } from "../types/user.types";
 * ```
 *
 * The workspace ID can be provided via:
- * - Header: `X-Workspace-Id`
+ * - Header: `X-Workspace-Id` (recommended)
 * - URL parameter: `:workspaceId`
 * - Request body: `workspaceId` field
+ * - Query parameter: `?workspaceId=xxx` (backward compatibility)
 *
- * Priority: Header > Param > Body
+ * Priority: Header > Param > Body > Query
 *
 * Note: RLS context must be set at the service layer using withUserContext()
 * or withUserTransaction() to ensure proper transaction scoping with connection pooling.
@@ -58,7 +59,7 @@ export class WorkspaceGuard implements CanActivate {

    if (!workspaceId) {
      throw new BadRequestException(
-        "Workspace ID is required (via header X-Workspace-Id, URL parameter, or request body)"
+        "Workspace ID is required (via header X-Workspace-Id, URL parameter, request body, or query string)"
      );
    }

@@ -89,18 +90,19 @@ export class WorkspaceGuard implements CanActivate {

  /**
   * Extracts workspace ID from request in order of priority:
-   * 1. X-Workspace-Id header
+   * 1. X-Workspace-Id header (recommended)
   * 2. :workspaceId URL parameter
   * 3. workspaceId in request body
+   * 4. workspaceId query parameter (for backward compatibility)
   */
  private extractWorkspaceId(request: AuthenticatedRequest): string | undefined {
-    // 1. Check header
+    // 1. Check header (recommended approach)
    const headerWorkspaceId = request.headers["x-workspace-id"];
    if (typeof headerWorkspaceId === "string") {
      return headerWorkspaceId;
    }

-    // 2. Check URL params
+    // 2. Check URL params (:workspaceId in route)
    const paramWorkspaceId = request.params.workspaceId;
    if (paramWorkspaceId) {
      return paramWorkspaceId;
@@ -112,6 +114,14 @@ export class WorkspaceGuard implements CanActivate {
      return bodyWorkspaceId;
    }

+    // 4. Check query string (backward compatibility for existing clients)
+    // Access query property if it exists (may not be in all request types)
+    const requestWithQuery = request as typeof request & { query?: Record<string, unknown> };
+    const queryWorkspaceId = requestWithQuery.query?.workspaceId;
+    if (typeof queryWorkspaceId === "string") {
+      return queryWorkspaceId;
+    }
+
    return undefined;
  }