stack/docs/scratchpads/194-workspace-id-transmission.md
Jason Woltje 88be403c86
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
feat(#194): Fix workspace ID transmission mismatch between API and client
- Update WorkspaceGuard to support query string as fallback (backward compatibility)
- Priority order: Header > Param > Body > Query
- Update web client to send workspace ID via X-Workspace-Id header (recommended)
- Extend apiRequest helpers to accept workspace ID option
- Update fetchTasks to use header instead of query parameter
- Add comprehensive tests for all workspace ID transmission methods
- Tests passing: API 11 tests, Web 6 new tests (total 494)

This ensures consistent workspace ID handling with proper multi-tenant isolation
while maintaining backward compatibility with existing query string approaches.

Fixes #194

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 22:38:13 -06:00

Issue #194: Fix workspace ID transmission mismatch between API and client

Objective

Fix the mismatch between how the API expects workspace IDs (header/param/body) and how the web client sends them (query string).

Current State Analysis

Need to examine:

  1. WorkspaceGuard implementation
  2. Web client API calls
  3. Consistent transmission strategy

Approach

Recommended: Use X-Workspace-Id header

  • Most consistent across all HTTP methods (GET/POST/PATCH/DELETE)
  • Doesn't clutter URLs
  • Standard practice for context/scope headers
  • Easy to validate and extract

Implementation Plan

  • Analyze current WorkspaceGuard implementation
  • Examine web client API calls
  • Write tests for workspace ID extraction (header, query, param, body)
  • Update WorkspaceGuard to check query string as fallback (priority 4)
  • Update web client to send X-Workspace-Id header (recommended)
  • Add validation tests for workspace isolation (11 tests passing)
  • Test cross-workspace access prevention (covered in existing tests)
  • Update web client tests (6 new tests for workspace ID handling)

Changes Made

API (WorkspaceGuard)

  • Added query string support as fallback (priority 4 after header/param/body)
  • Updated documentation to reflect all extraction methods
  • Priority: Header > Param > Body > Query
  • All tests passing (11 tests)

Web Client

  • Extended apiRequest to accept workspaceId option
  • workspaceId is sent via X-Workspace-Id header (not query string)
  • Updated all helper functions (apiGet, apiPost, apiPatch, apiDelete)
  • Updated fetchTasks to use header instead of query parameter
  • Added tests for workspace ID header transmission (6 new tests)
  • All tests passing (494 tests)

Testing Strategy

Unit Tests

  • WorkspaceGuard extracts workspace ID from all sources
  • Workspace ID validation (UUID format)
  • Missing workspace ID rejection
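
The extraction order from Changes Made (Header > Param > Body > Query) and the unit-test cases above, as an added TypeScript example that is not the project's WorkspaceGuard. The request shape, the workspaceId key for param/body/query, the UUID pattern and the conflict check are assumptions; refusing conflicting sources goes beyond plain priority.

```typescript
// Added illustration, not the project's WorkspaceGuard.
// Assumed: request shape, "workspaceId" key names, UUID pattern, conflict rule.
type Source = "header" | "param" | "body" | "query";

interface RequestLike {
  headers?: Record<string, unknown>;
  params?: Record<string, unknown>;
  body?: Record<string, unknown>;
  query?: Record<string, unknown>;
}

type Result =
  | { ok: true; workspaceId: string; source: Source }
  | { ok: false; reason: "missing" | "invalid" | "conflict" };

const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function resolveWorkspaceId(req: RequestLike): Result {
  // Priority from the page: Header > Param > Body > Query.
  const candidates: Array<[Source, unknown]> = [
    ["header", req.headers?.["x-workspace-id"]], // Node lowercases header names
    ["param", req.params?.["workspaceId"]],
    ["body", req.body?.["workspaceId"]],
    ["query", req.query?.["workspaceId"]],
  ];
  let winner: { workspaceId: string; source: Source } | undefined;
  for (const [source, value] of candidates) {
    if (value === undefined || value === null || value === "") continue;
    // Repeated headers or ?workspaceId=a&workspaceId=b arrive as arrays: reject.
    if (typeof value !== "string" || !UUID_RE.test(value)) {
      return { ok: false, reason: "invalid" };
    }
    const id = value.toLowerCase();
    if (winner === undefined) winner = { workspaceId: id, source };
    // Stricter than plain priority (assumption): two sources naming different
    // workspaces are refused instead of silently resolving to the winner.
    else if (winner.workspaceId !== id) return { ok: false, reason: "conflict" };
  }
  return winner ? { ok: true, ...winner } : { ok: false, reason: "missing" };
}
```

A valid ID from this step only names the requested workspace; the guard still has to confirm that the authenticated user is a member of it before the request proceeds.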

Integration Tests

  • Workspace isolation enforcement
  • Cross-workspace access blocked
  • All API routes respect workspace context

Notes

  • Need to maintain backward compatibility during transition
  • Should support both header and query string initially
  • Document preferred method (header)