cameleer/cameleer-saas
2
0
Fork 0
Code Issues 23 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: replace manual Logto role check with @PreAuthorize in TenantController

Browse Source 
Remove LogtoManagementClient dependency from TenantController; gate
listAll and create with @PreAuthorize("hasRole('platform-admin')"),
relying on the JWT roles claim already mapped by JwtAuthenticationConverter.
Update TenantControllerTest to supply the platform-admin role via jwt()
on all POST requests that expect 201/409.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-05 12:39:40 +02:00
parent d4408634a6
commit b8b0c686e8
2 changed files with 16 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/main/java/net/siegeln/cameleer/saas/tenant/TenantController.java
View File

@@ -1,11 +1,11 @@
package net.siegeln.cameleer.saas.tenant;
import jakarta.validation.Valid;
import net.siegeln.cameleer.saas.identity.LogtoManagementClient;
import net.siegeln.cameleer.saas.tenant.dto.CreateTenantRequest;
import net.siegeln.cameleer.saas.tenant.dto.TenantResponse;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
@@ -22,30 +22,24 @@ import java.util.UUID;
public class TenantController {
private final TenantService tenantService;
private final LogtoManagementClient logtoClient;
public TenantController(TenantService tenantService, LogtoManagementClient logtoClient) {
public TenantController(TenantService tenantService) {
this.tenantService = tenantService;
this.logtoClient = logtoClient;
}
@GetMapping
public ResponseEntity<List<TenantResponse>> listAll(Authentication authentication) {
String userId = authentication.getName();
List<String> roles = logtoClient.getUserRoles(userId);
if (!roles.contains("platform-admin")) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
}
@PreAuthorize("hasRole('platform-admin')")
public ResponseEntity<List<TenantResponse>> listAll() {
List<TenantResponse> tenants = tenantService.findAll().stream()
.map(this::toResponse).toList();
return ResponseEntity.ok(tenants);
}
@PostMapping
@PreAuthorize("hasRole('platform-admin')")
public ResponseEntity<TenantResponse> create(@Valid @RequestBody CreateTenantRequest request,
Authentication authentication) {
try {
// Extract actor ID from JWT subject (Logto OIDC: sub may be a non-UUID string)
String sub = authentication.getName();
UUID actorId;
try {