feat(#194): Fix workspace ID transmission mismatch between API and client
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
- Update WorkspaceGuard to support query string as fallback (backward compatibility) - Priority order: Header > Param > Body > Query - Update web client to send workspace ID via X-Workspace-Id header (recommended) - Extend apiRequest helpers to accept workspace ID option - Update fetchTasks to use header instead of query parameter - Add comprehensive tests for all workspace ID transmission methods - Tests passing: API 11 tests, Web 6 new tests (total 494) This ensures consistent workspace ID handling with proper multi-tenant isolation while maintaining backward compatibility with existing query string approaches. Fixes #194 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
71
docs/scratchpads/194-workspace-id-transmission.md
Normal file
71
docs/scratchpads/194-workspace-id-transmission.md
Normal file
@@ -0,0 +1,71 @@
|
||||
# Issue #194: Fix workspace ID transmission mismatch between API and client
|
||||
|
||||
## Objective
|
||||
|
||||
Fix the mismatch between how the API expects workspace IDs (header/param/body) and how the web client sends them (query string).
|
||||
|
||||
## Current State Analysis
|
||||
|
||||
Need to examine:
|
||||
|
||||
1. WorkspaceGuard implementation
|
||||
2. Web client API calls
|
||||
3. Consistent transmission strategy
|
||||
|
||||
## Approach
|
||||
|
||||
**Recommended: Use X-Workspace-Id header**
|
||||
|
||||
- Most consistent across all HTTP methods (GET/POST/PATCH/DELETE)
|
||||
- Doesn't clutter URLs
|
||||
- Standard practice for context/scope headers
|
||||
- Easy to validate and extract
|
||||
|
||||
## Implementation Plan
|
||||
|
||||
- [x] Analyze current WorkspaceGuard implementation
|
||||
- [x] Examine web client API calls
|
||||
- [x] Write tests for workspace ID extraction (header, query, param, body)
|
||||
- [x] Update WorkspaceGuard to check query string as fallback (priority 4)
|
||||
- [x] Update web client to send X-Workspace-Id header (recommended)
|
||||
- [x] Add validation tests for workspace isolation (11 tests passing)
|
||||
- [x] Test cross-workspace access prevention (covered in existing tests)
|
||||
- [x] Update web client tests (6 new tests for workspace ID handling)
|
||||
|
||||
## Changes Made
|
||||
|
||||
### API (WorkspaceGuard)
|
||||
|
||||
- Added query string support as fallback (priority 4 after header/param/body)
|
||||
- Updated documentation to reflect all extraction methods
|
||||
- Priority: Header > Param > Body > Query
|
||||
- All tests passing (11 tests)
|
||||
|
||||
### Web Client
|
||||
|
||||
- Extended `apiRequest` to accept `workspaceId` option
|
||||
- `workspaceId` is sent via `X-Workspace-Id` header (not query string)
|
||||
- Updated all helper functions (apiGet, apiPost, apiPatch, apiDelete)
|
||||
- Updated `fetchTasks` to use header instead of query parameter
|
||||
- Added tests for workspace ID header transmission (6 new tests)
|
||||
- All tests passing (494 tests)
|
||||
|
||||
## Testing Strategy
|
||||
|
||||
### Unit Tests
|
||||
|
||||
- WorkspaceGuard extracts workspace ID from all sources
|
||||
- Workspace ID validation (UUID format)
|
||||
- Missing workspace ID rejection
|
||||
|
||||
### Integration Tests
|
||||
|
||||
- Workspace isolation enforcement
|
||||
- Cross-workspace access blocked
|
||||
- All API routes respect workspace context
|
||||
|
||||
## Notes
|
||||
|
||||
- Need to maintain backward compatibility during transition
|
||||
- Should support both header and query string initially
|
||||
- Document preferred method (header)
|
||||
Reference in New Issue
Block a user