fix: implement InjectTenantId middleware (#190) #200
…ID (#190)

Replaces TenantKey::first() workaround in SecretController with proper middleware-based tenant resolution.

**What Changed:**
- Added InjectTenantId middleware for automatic tenant_id injection
- Registered as 'tenant.inject' alias in bootstrap/app.php
- Applied to all /v1/secrets and /v1/attachments routes
- Removed TODO comment and hardcoded tenant logic from SecretController
- Middleware respects pre-existing tenant_id (SetTenant compatibility)

**Implementation:**
- Single-tenant development mode: Uses first available TenantKey
- Production-ready pattern: Can be extended for user-based resolution
- Returns 503 when no TenantKey exists
- 5 comprehensive middleware tests added

**Tests:**
- All 444 Secret-related tests pass
- PHPStan level max: ✓
- Laravel Pint: ✓
- REUSE 3.3 compliant: ✓

Fixes #190
Codecov Report: ❌ Patch coverage is
Pull Request Overview
This PR replaces the hardcoded TenantKey::first() workaround in SecretController::store() with a proper middleware-based tenant resolution system. The new InjectTenantId middleware automatically injects tenant_id into requests for Secret-related routes, enabling cleaner controller code while maintaining the single-tenant development workflow.
Key Changes
- Introduced `InjectTenantId` middleware for automatic tenant resolution in single-tenant mode
- Removed inline tenant resolution logic from `SecretController::store()`
- Applied middleware to all `/v1/secrets`, `/v1/attachments`, and `/v1/shares` routes for consistent tenant handling
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| app/Http/Middleware/InjectTenantId.php | New middleware that injects tenant_id from first available TenantKey; returns 503 when none exists |
| app/Http/Controllers/Api/V1/SecretController.php | Removed hardcoded tenant resolution and TODO; now reads tenant_id from request |
| bootstrap/app.php | Registered InjectTenantId middleware with 'tenant.inject' alias |
| routes/api.php | Applied tenant.inject middleware to Secret, SecretAttachment, and SecretShare route groups |
| tests/Feature/Middleware/InjectTenantIdMiddlewareTest.php | Comprehensive test suite with 5 tests covering injection, 503 response, non-overwrite, authentication, and multiple tenants |
| CHANGELOG.md | Documented the fix in Unreleased section with implementation details |
- Improved error message clarity in InjectTenantId middleware
- Added tenant_id validation in SecretController::store()
- Updated middleware test to match new error message

Changes based on Copilot PR review comments.
📌 Summary
Resolves #190 by replacing the hardcoded `TenantKey::first()` workaround in `SecretController::store()` with a proper middleware-based tenant resolution system.
🔧 What Changed
Added
`app/Http/Middleware/InjectTenantId.php`) `tenant_id` into request for Secret routes `tenant_id` (SetTenant compatibility)
Modified
`tenant.inject` alias `/v1/secrets` and `/v1/attachments` routes
Tests
✅ Quality Gates
🎯 Implementation Details
Current (Single-Tenant Mode):
Future (Multi-Tenant Production):
The middleware is structured to easily support:
`$user->tenant_id`)
🔗 Related
📝 Migration Notes
No migration required - This is a transparent refactor. All existing Secret routes continue to work as before, but now use proper middleware instead of inline workaround.
Breaking Changes: None
Type: Bug Fix (Technical Debt)
Priority: Medium
LOC: +208, -20
Estimated Review Time: 10-15 minutes
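
An added sketch of the resolution order this PR describes (keep a tenant_id set by earlier middleware, otherwise use the first TenantKey, otherwise answer 503), written in plain PHP so it runs without the framework; it is not the project's code. `SketchRequest`, `injectTenantId()`, the array standing in for the TenantKey table, and the choice to treat only server-set attributes (never the client payload) as a pre-existing tenant are assumptions, and the sample tenants are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the framework request: the client payload and the
// attributes set by server-side middleware are kept apart on purpose.
final class SketchRequest
{
    public function __construct(public array $input = [], public array $attributes = []) {}
}

/**
 * Resolution order described in the PR: keep a tenant_id already set
 * server-side, else use the first tenant key, else answer 503.
 *
 * @param list<array{tenant_id:string}> $tenantKeys constructed stand-in for the TenantKey table
 * @return array{status:int, tenant_id:?string}
 */
function injectTenantId(SketchRequest $request, array $tenantKeys): array
{
    // Assumption: a tenant_id field in the client payload is never the source of truth.
    unset($request->input['tenant_id']);

    // Already set by an earlier middleware (SetTenant in the PR): do not overwrite.
    if (isset($request->attributes['tenant_id'])) {
        return ['status' => 200, 'tenant_id' => (string) $request->attributes['tenant_id']];
    }

    // Single-tenant mode: first available key, or 503 when none exists.
    $first = $tenantKeys[0] ?? null;
    if ($first === null) {
        return ['status' => 503, 'tenant_id' => null];
    }

    $request->attributes['tenant_id'] = $first['tenant_id'];
    return ['status' => 200, 'tenant_id' => $first['tenant_id']];
}

// Constructed sample data: two tenant keys and four request shapes.
$keys = [['tenant_id' => 'tenant-a'], ['tenant_id' => 'tenant-b']];
$cases = [
    'no tenant set'        => [new SketchRequest(), $keys],
    'no TenantKey rows'    => [new SketchRequest(), []],
    'set by SetTenant'     => [new SketchRequest([], ['tenant_id' => 'tenant-b']), $keys],
    'client sends its own' => [new SketchRequest(['tenant_id' => 'tenant-b']), $keys],
];
foreach ($cases as $label => [$req, $rows]) {
    $r = injectTenantId($req, $rows);
    printf("%-22s status=%d tenant_id=%s\n", $label, $r['status'], $r['tenant_id'] ?? 'null');
}
```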