Add record access strategy

backend/src/tenant/tenant-database.service.ts

@@ -8,32 +8,116 @@ export class TenantDatabaseService {
   private readonly logger = new Logger(TenantDatabaseService.name);
   private tenantConnections: Map<string, Knex> = new Map();
 
-  async getTenantKnex(tenantIdOrSlug: string): Promise<Knex> {
-    if (this.tenantConnections.has(tenantIdOrSlug)) {
-      return this.tenantConnections.get(tenantIdOrSlug);
+  /**
+   * Get tenant database connection by domain (for subdomain-based authentication)
+   * This is used when users log in via tenant subdomains
+   */
+  async getTenantKnexByDomain(domain: string): Promise<Knex> {
+    const cacheKey = `domain:${domain}`;
+    
+    // Check if we have a cached connection
+    if (this.tenantConnections.has(cacheKey)) {
+      // Validate the domain still exists before returning cached connection
+      const centralPrisma = getCentralPrisma();
+      
+      try {
+        const domainRecord = await centralPrisma.domain.findUnique({
+          where: { domain },
+        });
+        
+        // If domain no longer exists, remove cached connection
+        if (!domainRecord) {
+          this.logger.warn(`Domain ${domain} no longer exists, removing cached connection`);
+          await this.disconnectTenant(cacheKey);
+          throw new Error(`Domain ${domain} not found`);
+        }
+      } catch (error) {
+        // If domain doesn't exist, remove from cache and re-throw
+        if (error.message.includes('not found')) {
+          throw error;
+        }
+        // For other errors, log but continue with cached connection
+        this.logger.warn(`Error validating domain ${domain}:`, error.message);
+      }
+      
+      return this.tenantConnections.get(cacheKey);
     }
 
     const centralPrisma = getCentralPrisma();
     
-    // Try to find tenant by ID first, then by slug
-    let tenant = await centralPrisma.tenant.findUnique({
-      where: { id: tenantIdOrSlug },
+    // Find tenant by domain
+    const domainRecord = await centralPrisma.domain.findUnique({
+      where: { domain },
+      include: { tenant: true },
     });
-    
-    if (!tenant) {
-      tenant = await centralPrisma.tenant.findUnique({
-        where: { slug: tenantIdOrSlug },
-      });
+
+    if (!domainRecord) {
+      throw new Error(`Domain ${domain} not found`);
     }
 
+    const tenant = domainRecord.tenant;
+    this.logger.log(`Found tenant by domain: ${domain} -> ${tenant.name}`);
+
+    if (tenant.status !== 'active') {
+      throw new Error(`Tenant ${tenant.name} is not active`);
+    }
+
+    // Create connection and cache it
+    const tenantKnex = await this.createTenantConnection(tenant);
+    this.tenantConnections.set(cacheKey, tenantKnex);
+    
+    return tenantKnex;
+  }
+
+  /**
+   * Get tenant database connection by tenant ID (for central admin operations)
+   * This is used when central admin needs to access tenant databases
+   */
+  async getTenantKnexById(tenantId: string): Promise<Knex> {
+    const cacheKey = `id:${tenantId}`;
+    
+    // Check if we have a cached connection (no validation needed for ID-based lookups)
+    if (this.tenantConnections.has(cacheKey)) {
+      return this.tenantConnections.get(cacheKey);
+    }
+
+    const centralPrisma = getCentralPrisma();
+    
+    // Find tenant by ID
+    const tenant = await centralPrisma.tenant.findUnique({
+      where: { id: tenantId },
+    });
+
     if (!tenant) {
-      throw new Error(`Tenant ${tenantIdOrSlug} not found`);
+      throw new Error(`Tenant ${tenantId} not found`);
     }
 
     if (tenant.status !== 'active') {
-      throw new Error(`Tenant ${tenantIdOrSlug} is not active`);
+      throw new Error(`Tenant ${tenant.name} is not active`);
     }
 
+    this.logger.log(`Connecting to tenant database by ID: ${tenant.name}`);
+
+    // Create connection and cache it
+    const tenantKnex = await this.createTenantConnection(tenant);
+    this.tenantConnections.set(cacheKey, tenantKnex);
+    
+    return tenantKnex;
+  }
+
+  /**
+   * Legacy method - delegates to domain-based lookup
+   * @deprecated Use getTenantKnexByDomain or getTenantKnexById instead
+   */
+  async getTenantKnex(tenantIdOrSlug: string): Promise<Knex> {
+    // Assume it's a domain if it contains a dot
+    return this.getTenantKnexByDomain(tenantIdOrSlug);
+  }
+
+  /**
+   * Create a new Knex connection to a tenant database
+   */
+  private async createTenantConnection(tenant: any): Promise<Knex> {
     // Decrypt password
     const decryptedPassword = this.decryptPassword(tenant.dbPassword);
 
@@ -64,7 +148,6 @@ export class TenantDatabaseService {
       throw error;
     }
 
-    this.tenantConnections.set(tenantIdOrSlug, tenantKnex);
     return tenantKnex;
   }
 
@@ -86,6 +169,36 @@ export class TenantDatabaseService {
     return domainRecord.tenant;
   }
 
+  /**
+   * Resolve tenant by ID or slug
+   * Tries ID first, then falls back to slug
+   */
+  async resolveTenantId(idOrSlug: string): Promise<string> {
+    const centralPrisma = getCentralPrisma();
+    
+    // Try by ID first
+    let tenant = await centralPrisma.tenant.findUnique({
+      where: { id: idOrSlug },
+    });
+
+    // If not found, try by slug
+    if (!tenant) {
+      tenant = await centralPrisma.tenant.findUnique({
+        where: { slug: idOrSlug },
+      });
+    }
+
+    if (!tenant) {
+      throw new Error(`Tenant ${idOrSlug} not found`);
+    }
+
+    if (tenant.status !== 'active') {
+      throw new Error(`Tenant ${tenant.name} is not active`);
+    }
+
+    return tenant.id;
+  }
+
   async disconnectTenant(tenantId: string) {
     const connection = this.tenantConnections.get(tenantId);
     if (connection) {