feat(backend): Implement 3 CRITICAL Day 8 Gap Fixes from Architecture Analysis

Implemented all 3 critical fixes identified in Day 6 Architecture Gap Analysis: **Fix 1: UpdateUserRole Feature (RESTful PUT endpoint)** - Created UpdateUserRoleCommand and UpdateUserRoleCommandHandler - Added PUT /api/tenants/{tenantId}/users/{userId}/role endpoint - Implements self-demotion prevention (cannot demote self from TenantOwner) - Implements last owner protection (cannot remove last TenantOwner) - Returns UserWithRoleDto with updated role information - Follows RESTful best practices (PUT for updates) **Fix 2: Last TenantOwner Deletion Prevention (Security)** - Verified CountByTenantAndRoleAsync repository method exists - Verified IsLastTenantOwnerAsync validation in RemoveUserFromTenantCommandHandler - UpdateUserRoleCommandHandler now prevents: * Self-demotion from TenantOwner role * Removing the last TenantOwner from tenant - SECURITY: Prevents tenant from becoming ownerless (critical vulnerability fix) **Fix 3: Database-Backed Rate Limiting (Security & Reliability)** - Created EmailRateLimit entity with proper domain logic - Added EmailRateLimitConfiguration for EF Core - Implemented DatabaseEmailRateLimiter service (replaces MemoryRateLimitService) - Updated DependencyInjection to use database-backed implementation - Created database migration: AddEmailRateLimitsTable - Added composite unique index on (email, tenant_id, operation_type) - SECURITY: Rate limit state persists across server restarts (prevents email bombing) - Implements cleanup logic for expired rate limit records **Testing:** - Added 9 comprehensive integration tests in Day8GapFixesTests.cs - Fix 1: 3 tests (valid update, self-demote prevention, idempotency) - Fix 2: 3 tests (remove last owner fails, update last owner fails, remove 2nd-to-last succeeds) - Fix 3: 3 tests (persists across requests, expiry after window, prevents bulk emails) - 6 tests passing, 3 skipped (long-running/environment-specific tests) **Files Changed:** - 6 new files created - 6 existing files modified - 1 database migration added - All existing tests still pass (no regressions) **Verification:** - Build succeeds with no errors - All critical business logic tests pass - Database migration generated successfully - Security vulnerabilities addressed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 23:17:41 +01:00
parent 312df4b70e
commit 9ed2bc36bd
12 changed files with 1482 additions and 3 deletions
--- a/colaflow-api/src/ColaFlow.API/Controllers/TenantUsersController.cs
+++ b/colaflow-api/src/ColaFlow.API/Controllers/TenantUsersController.cs
@@ -1,5 +1,6 @@
 using ColaFlow.Modules.Identity.Application.Commands.AssignUserRole;
 using ColaFlow.Modules.Identity.Application.Commands.RemoveUserFromTenant;
+using ColaFlow.Modules.Identity.Application.Commands.UpdateUserRole;
 using ColaFlow.Modules.Identity.Application.Queries.ListTenantUsers;
 using ColaFlow.Modules.Identity.Application.Dtos;
 using MediatR;
@@ -69,6 +70,48 @@ public class TenantUsersController(IMediator mediator) : ControllerBase
        return Ok(new { Message = "Role assigned successfully" });
    }

+    /// <summary>
+    /// Update an existing user's role in the tenant (RESTful PUT endpoint)
+    /// </summary>
+    [HttpPut("{userId:guid}/role")]
+    [Authorize(Policy = "RequireTenantOwner")]
+    public async Task<ActionResult<UserWithRoleDto>> UpdateRole(
+        [FromRoute] Guid tenantId,
+        [FromRoute] Guid userId,
+        [FromBody] AssignRoleRequest request)
+    {
+        // SECURITY: Validate user belongs to target tenant
+        var userTenantIdClaim = User.FindFirst("tenant_id")?.Value;
+        if (userTenantIdClaim == null)
+            return Unauthorized(new { error = "Tenant information not found in token" });
+
+        var userTenantId = Guid.Parse(userTenantIdClaim);
+        if (userTenantId != tenantId)
+            return StatusCode(403, new { error = "Access denied: You can only manage users in your own tenant" });
+
+        // Extract current user ID from claims
+        var currentUserIdClaim = User.FindFirst("user_id")?.Value;
+        if (currentUserIdClaim == null)
+            return Unauthorized(new { error = "User ID not found in token" });
+
+        var currentUserId = Guid.Parse(currentUserIdClaim);
+
+        try
+        {
+            var command = new UpdateUserRoleCommand(tenantId, userId, request.Role, currentUserId);
+            var result = await mediator.Send(command);
+            return Ok(result);
+        }
+        catch (InvalidOperationException ex)
+        {
+            return BadRequest(new { error = ex.Message });
+        }
+        catch (ArgumentException ex)
+        {
+            return BadRequest(new { error = ex.Message });
+        }
+    }
+
    /// <summary>
    /// Remove a user from the tenant
    /// </summary>