Files
multica/server/internal/middleware/workspace.go
Naiyuan Qing f0f3cb5c3a fix(server): resolve X-Workspace-Slug in middleware-less handlers (#1165)
Problem
-------
The v2 workspace URL refactor (#1141) switched the frontend from sending
X-Workspace-ID (UUID) to X-Workspace-Slug. The workspace middleware was
updated to accept the slug and translate it via GetWorkspaceBySlug.

But the handler package maintained a PARALLEL resolver
(`resolveWorkspaceID` in handler.go) used by endpoints that sit outside
the workspace middleware — and that resolver was never updated. It only
checked context / ?workspace_id / X-Workspace-ID, never the slug.

/api/upload-file is the one production route that hit the broken path:
it's user-scoped (not behind workspace middleware) because it also
serves avatar uploads (no workspace). Post-refactor requests from the
frontend arrived with only X-Workspace-Slug; the handler resolver
returned "", the code fell into the "no workspace context" branch, and
every file upload since v2 landed in S3 with no corresponding DB
attachment row — files orphaned, invisible to the UI.

Root cause is structural: two resolvers doing the same job, written
independently, diverged silently when one was updated.

Fix
---
Collapse to a single shared helper. middleware.ResolveWorkspaceIDFromRequest
is the new canonical resolver; both the middleware's internal
`resolveWorkspaceUUID` (for middleware gating) and the handler-side
`(h *Handler).resolveWorkspaceID` (promoted from a package function)
now delegate to it. Priority order matches what the middleware has had
since v2: context > X-Workspace-Slug header > ?workspace_slug query >
X-Workspace-ID header > ?workspace_id query.

Impact analysis
---------------
47 call sites of the old `resolveWorkspaceID(r)` are renamed to
`h.resolveWorkspaceID(r)`. 46 of them sit behind workspace middleware,
so they hit the context fast path and see zero behavior change. The
one caller that actually gains capability is UploadFile — which now
correctly recognizes slug requests and creates DB attachment rows.

Tests
-----
- New table-driven unit test for ResolveWorkspaceIDFromRequest covers
  all priority levels and the unknown-slug fallback.
- Regression tests for UploadFile: once with X-Workspace-Slug only
  (the broken path), once with X-Workspace-ID only (legacy CLI/daemon
  compat path). Both assert that a DB attachment row is created.
- Full Go test suite passes; typecheck + pnpm test unaffected.

Plan
----
See docs/plans/2026-04-16-unify-workspace-identity-resolver.md for the
full first-principles writeup.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:01:56 +08:00

217 lines
7.5 KiB
Go

package middleware
import (
"context"
"errors"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/multica-ai/multica/server/internal/util"
db "github.com/multica-ai/multica/server/pkg/db/generated"
)
// Context keys for workspace-scoped request data.
type contextKey int
const (
ctxKeyWorkspaceID contextKey = iota
ctxKeyMember
)
// MemberFromContext returns the workspace member injected by the workspace middleware.
func MemberFromContext(ctx context.Context) (db.Member, bool) {
m, ok := ctx.Value(ctxKeyMember).(db.Member)
return m, ok
}
// WorkspaceIDFromContext returns the workspace ID injected by the workspace middleware.
func WorkspaceIDFromContext(ctx context.Context) string {
id, _ := ctx.Value(ctxKeyWorkspaceID).(string)
return id
}
// SetMemberContext injects workspace ID and member into the context.
// This is useful for handlers that resolve the workspace from an entity lookup
// and want to share the member with downstream code.
func SetMemberContext(ctx context.Context, workspaceID string, member db.Member) context.Context {
ctx = context.WithValue(ctx, ctxKeyWorkspaceID, workspaceID)
ctx = context.WithValue(ctx, ctxKeyMember, member)
return ctx
}
// errWorkspaceNotFound is returned when a slug was provided but doesn't match
// any workspace. This lets the middleware distinguish "no identifier provided"
// (400) from "identifier provided but invalid" (404).
var errWorkspaceNotFound = errors.New("workspace not found")
// ResolveWorkspaceIDFromRequest returns the workspace UUID for an HTTP
// request using the same priority order as the workspace middleware. This is
// the single source of truth for "which workspace is this request targeting?",
// shared by middleware-protected routes (via context fast path) and
// middleware-less routes (e.g. /api/upload-file) that must resolve the slug
// themselves.
//
// Priority:
// 1. middleware-injected context (fast path for middleware-protected routes)
// 2. X-Workspace-Slug header → GetWorkspaceBySlug → UUID (post-refactor frontend)
// 3. ?workspace_slug query → GetWorkspaceBySlug → UUID
// 4. X-Workspace-ID header (CLI/daemon compat)
// 5. ?workspace_id query (CLI/daemon compat)
//
// Returns "" when no identifier was provided OR a slug was provided but
// doesn't resolve to any workspace. Callers that need to distinguish "no
// identifier" (400) from "invalid slug" (404) should use the middleware's
// internal resolver instead — this helper collapses both cases to "" for
// simpler handler-level checks.
func ResolveWorkspaceIDFromRequest(r *http.Request, queries *db.Queries) string {
if id := WorkspaceIDFromContext(r.Context()); id != "" {
return id
}
if slug := r.Header.Get("X-Workspace-Slug"); slug != "" {
if ws, err := queries.GetWorkspaceBySlug(r.Context(), slug); err == nil {
return util.UUIDToString(ws.ID)
}
}
if slug := r.URL.Query().Get("workspace_slug"); slug != "" {
if ws, err := queries.GetWorkspaceBySlug(r.Context(), slug); err == nil {
return util.UUIDToString(ws.ID)
}
}
if id := r.Header.Get("X-Workspace-ID"); id != "" {
return id
}
return r.URL.Query().Get("workspace_id")
}
// workspaceResolver extracts a workspace UUID from the request.
// Returns ("", nil) if no workspace identifier was provided at all.
// Returns ("", errWorkspaceNotFound) if a slug was provided but doesn't exist.
// Returns (uuid, nil) on success.
type workspaceResolver func(r *http.Request) (string, error)
// resolveWorkspaceUUID builds a resolver that accepts slug-first identification.
//
// Priority:
// 1. X-Workspace-Slug header / ?workspace_slug query → GetWorkspaceBySlug → UUID
// 2. X-Workspace-ID header / ?workspace_id query → UUID directly (CLI/daemon compat)
//
// TODO: cache slug→UUID lookup (slug is immutable, safe to cache with short TTL)
func resolveWorkspaceUUID(queries *db.Queries) workspaceResolver {
return func(r *http.Request) (string, error) {
// Slug path (preferred — frontend sends this after the URL refactor)
if slug := r.URL.Query().Get("workspace_slug"); slug != "" {
ws, err := queries.GetWorkspaceBySlug(r.Context(), slug)
if err != nil {
return "", errWorkspaceNotFound
}
return util.UUIDToString(ws.ID), nil
}
if slug := r.Header.Get("X-Workspace-Slug"); slug != "" {
ws, err := queries.GetWorkspaceBySlug(r.Context(), slug)
if err != nil {
return "", errWorkspaceNotFound
}
return util.UUIDToString(ws.ID), nil
}
// UUID fallback (CLI, daemon, legacy clients)
if id := r.URL.Query().Get("workspace_id"); id != "" {
return id, nil
}
if id := r.Header.Get("X-Workspace-ID"); id != "" {
return id, nil
}
return "", nil
}
}
func writeError(w http.ResponseWriter, status int, msg string) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
w.Write([]byte(`{"error":"` + msg + `"}`))
}
// RequireWorkspaceMember resolves the workspace from slug (preferred) or UUID
// (fallback), validates membership, and injects the member and workspace ID
// into the request context.
func RequireWorkspaceMember(queries *db.Queries) func(http.Handler) http.Handler {
return buildMiddleware(queries, resolveWorkspaceUUID(queries), nil)
}
// RequireWorkspaceRole is like RequireWorkspaceMember but additionally checks
// that the member has one of the specified roles.
func RequireWorkspaceRole(queries *db.Queries, roles ...string) func(http.Handler) http.Handler {
return buildMiddleware(queries, resolveWorkspaceUUID(queries), roles)
}
// RequireWorkspaceMemberFromURL resolves the workspace ID from a chi URL
// parameter, validates membership, and injects into context.
func RequireWorkspaceMemberFromURL(queries *db.Queries, param string) func(http.Handler) http.Handler {
return buildMiddleware(queries, func(r *http.Request) (string, error) {
id := chi.URLParam(r, param)
if id == "" {
return "", nil
}
return id, nil
}, nil)
}
// RequireWorkspaceRoleFromURL is like RequireWorkspaceMemberFromURL but
// additionally checks that the member has one of the specified roles.
func RequireWorkspaceRoleFromURL(queries *db.Queries, param string, roles ...string) func(http.Handler) http.Handler {
return buildMiddleware(queries, func(r *http.Request) (string, error) {
id := chi.URLParam(r, param)
if id == "" {
return "", nil
}
return id, nil
}, roles)
}
func buildMiddleware(queries *db.Queries, resolve workspaceResolver, roles []string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
workspaceID, resolveErr := resolve(r)
if resolveErr != nil {
writeError(w, http.StatusNotFound, "workspace not found")
return
}
if workspaceID == "" {
writeError(w, http.StatusBadRequest, "workspace_id or workspace_slug is required")
return
}
userID := r.Header.Get("X-User-ID")
if userID == "" {
writeError(w, http.StatusUnauthorized, "user not authenticated")
return
}
member, err := queries.GetMemberByUserAndWorkspace(r.Context(), db.GetMemberByUserAndWorkspaceParams{
UserID: util.ParseUUID(userID),
WorkspaceID: util.ParseUUID(workspaceID),
})
if err != nil {
writeError(w, http.StatusNotFound, "workspace not found")
return
}
if len(roles) > 0 {
allowed := false
for _, role := range roles {
if member.Role == role {
allowed = true
break
}
}
if !allowed {
writeError(w, http.StatusForbidden, "insufficient permissions")
return
}
}
ctx := SetMemberContext(r.Context(), workspaceID, member)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}