Key changes Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there). Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens. Blocks disabled / soft-deleted users with a generic error and safe logging. Membership-based post-login routing: 0 memberships → /admin/no-access 1 membership → tenant dashboard (via Filament URL helpers) >1 memberships → /admin/choose-tenant Adds Filament pages: /admin/choose-tenant (tenant selection + redirect) /admin/no-access (tenantless-safe) Both use simple layout to avoid tenant-required UI. Guards / tests Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for: /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests() Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa. Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #76
<?php
declare(strict_types=1);
namespace App\Filament\Pages;
use App\Models\Tenant;
use App\Models\User;
use App\Models\UserTenantPreference;
use Filament\Facades\Filament;
use Filament\Pages\Page;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Support\Facades\Schema;
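class ChooseTenant extends Page
{
    protected static string $layout = 'filament-panels::components.layout.simple';

    protected static bool $shouldRegisterNavigation = false;

    protected static bool $isDiscovered = false;

    protected static ?string $slug = 'choose-tenant';

    protected static ?string $title = 'Choose tenant';

    protected string $view = 'filament.pages.choose-tenant';

    /**
     * Tenants the authenticated user may pick from on this page.
     *
     * Yields an empty collection, without issuing a query, when no application
     * user is authenticated, so the view can always iterate the result.
     *
     * @return Collection<int, Tenant>
     */
    public function getTenants(): Collection
    {
        $user = auth()->user();

        if (! $user instanceof User) {
            return new Collection();
        }

        $tenants = $user->getTenants(Filament::getCurrentOrDefaultPanel());

        if ($tenants instanceof Collection) {
            return $tenants;
        }

        // The declared return type is the Eloquent collection. collect() builds
        // the base Support collection, which is NOT an instance of it, so under
        // strict_types that path would raise a TypeError; build the Eloquent
        // collection explicitly instead.
        return Collection::make($tenants);
    }

    /**
     * Livewire action: switch the session to the chosen tenant.
     *
     * The id is supplied by the browser and is therefore re-validated rather
     * than trusted: the tenant must exist, be active and be one the current
     * user may access. A missing tenant and a forbidden tenant both answer
     * 404 so the response does not reveal which tenant ids exist.
     *
     * @param int $tenantId Primary key of the tenant to switch to (client-supplied).
     */
    public function selectTenant(int $tenantId): void
    {
        $user = auth()->user();

        if (! $user instanceof User) {
            abort(403);
        }

        $tenant = Tenant::query()
            ->where('status', 'active')
            ->whereKey($tenantId)
            ->first();

        // canAccessTenant() is only evaluated once the tenant is known to exist.
        if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
            abort(404);
        }

        $this->persistLastTenant($user, $tenant);

        $this->redirect(TenantDashboard::getUrl(tenant: $tenant));
    }

    /**
     * Remember the tenant the user selected.
     *
     * Storage depends on what the schema provides: a `users.last_tenant_id`
     * column is preferred; otherwise the `user_tenant_preferences` table is
     * used when present; otherwise nothing is persisted. The schema checks are
     * performed at runtime — presumably so the page works before the related
     * migrations are applied (confirm against the migration set).
     */
    private function persistLastTenant(User $user, Tenant $tenant): void
    {
        if (Schema::hasColumn('users', 'last_tenant_id')) {
            // forceFill() bypasses the mass-assignment guard on purpose: the
            // value is the key of a tenant the caller has already authorised.
            $user->forceFill(['last_tenant_id' => $tenant->getKey()])->save();

            return;
        }

        if (! Schema::hasTable('user_tenant_preferences')) {
            return;
        }

        UserTenantPreference::query()->updateOrCreate(
            ['user_id' => $user->getKey(), 'tenant_id' => $tenant->getKey()],
            ['last_used_at' => now()],
        );
    }
}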