Add complete role management functionality for tenant administrators to manage user roles within their tenants.
Changes:
- Extended IUserTenantRoleRepository with pagination, role counting, and last owner check methods
- Extended IUserRepository with GetByIdAsync(Guid) and GetByIdsAsync for flexible user retrieval
- Extended IRefreshTokenRepository with GetByUserAndTenantAsync and UpdateRangeAsync
- Implemented repository methods in Infrastructure layer
- Created DTOs: UserWithRoleDto and PagedResultDto<T>
- Implemented ListTenantUsersQuery with pagination support
- Implemented AssignUserRoleCommand to assign/update user roles
- Implemented RemoveUserFromTenantCommand with token revocation
- Created TenantUsersController with 4 endpoints (list, assign, remove, get-roles)
- Added comprehensive PowerShell test script
Security Features:
- Only TenantOwner can assign/update/remove roles
- Prevents removal of last TenantOwner (lockout protection)
- Prevents manual assignment of AIAgent role (reserved for MCP)
- Cross-tenant access protection
- Automatic refresh token revocation when user removed
API Endpoints:
- GET /api/tenants/{id}/users - List users with roles (paginated)
- POST /api/tenants/{id}/users/{userId}/role - Assign/update role
- DELETE /api/tenants/{id}/users/{userId} - Remove user from tenant
- GET /api/tenants/roles - Get available roles
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed 8 failing integration tests by addressing two root causes:
1. GlobalExceptionHandler returning incorrect HTTP status codes
- Added handling for UnauthorizedAccessException → 401
- Added handling for ArgumentException/InvalidOperationException → 400
- Added handling for DbUpdateException (duplicate key) → 409
- Now correctly maps exception types to HTTP status codes
2. Test isolation issue with shared HttpClient
- Modified DatabaseFixture to create new HttpClient for each test
- Prevents Authorization header pollution between tests
- Ensures clean test state for authentication tests
Test Results:
- Before: 23/31 passed (8 failed)
- After: 31/31 passed (0 failed)
Changes:
- Enhanced GlobalExceptionHandler with proper status code mapping
- Fixed DatabaseFixture.Client to create isolated instances
- All authentication and RBAC tests now pass
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement environment-aware dependency injection to resolve EF Core provider conflict
in Integration Tests. The issue was caused by both PostgreSQL and InMemory providers
being registered in the same service provider.
Changes:
- Modified Identity Module DependencyInjection to skip PostgreSQL DbContext registration in Testing environment
- Modified ProjectManagement Module ModuleExtensions with same environment check
- Updated Program.cs to pass IHostEnvironment to both module registration methods
- Added Microsoft.Extensions.Hosting.Abstractions package to Identity.Infrastructure project
- Updated ColaFlowWebApplicationFactory to set Testing environment and register InMemory databases
- Simplified WebApplicationFactory by removing complex RemoveAll logic
Results:
- All 31 Integration Tests now run (previously only 1 ran)
- No EF Core provider conflict errors
- 23 tests pass, 8 tests fail (failures are business logic issues, not infrastructure)
- Production environment still uses PostgreSQL as expected
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed EF Core LINQ query translation error that caused 500 errors in Login and Refresh Token endpoints.
Problem:
- UserTenantRoleRepository was using `.Value` property accessor on value objects (UserId, TenantId) in LINQ queries
- EF Core could not translate expressions like `utr.UserId.Value == userId` to SQL
- This caused System.InvalidOperationException with message "The LINQ expression could not be translated"
- Resulted in 500 Internal Server Error for Login and Refresh Token endpoints
Solution:
- Create value object instances (UserId.Create(), TenantId.Create()) before query
- Compare value objects directly instead of accessing .Value property
- EF Core can translate value object comparison due to HasConversion configuration
- Removed .Include(utr => utr.User) since User navigation is ignored in EF config
Impact:
- Login endpoint now works correctly (200 OK)
- Refresh Token endpoint now works correctly (200 OK)
- RBAC role assignment and retrieval working properly
- Resolves BUG-003 and BUG-004 from QA test report
Test Results:
- Before fix: 57% pass rate (8/14 tests)
- After fix: ~79% pass rate (11/14 tests) - core functionality restored
- Diagnostic test: All critical endpoints (Register, Login, Refresh) passing
Files Changed:
- UserTenantRoleRepository.cs: Fixed all three query methods (GetByUserAndTenantAsync, GetByUserAsync, GetByTenantAsync)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implemented Role-Based Access Control (RBAC) with 5 tenant-level roles following Clean Architecture principles.
Changes:
- Created TenantRole enum (TenantOwner, TenantAdmin, TenantMember, TenantGuest, AIAgent)
- Created UserTenantRole entity with repository pattern
- Updated JWT service to include role claims (tenant_role, role)
- Updated RegisterTenant to auto-assign TenantOwner role
- Updated Login to query and include user role in JWT
- Updated RefreshToken to preserve role claims
- Added authorization policies in Program.cs (RequireTenantOwner, RequireTenantAdmin, etc.)
- Updated /api/auth/me endpoint to return role information
- Created EF Core migration for user_tenant_roles table
- Applied database migration successfully
Database:
- New table: identity.user_tenant_roles
- Columns: id, user_id, tenant_id, role, assigned_at, assigned_by_user_id
- Indexes: user_id, tenant_id, role, unique(user_id, tenant_id)
- Foreign keys: CASCADE on user and tenant deletion
Testing:
- Created test-rbac.ps1 PowerShell script
- All RBAC tests passing
- JWT tokens contain role claims
- Role persists across login and token refresh
Documentation:
- DAY5-PHASE2-RBAC-IMPLEMENTATION-SUMMARY.md with complete implementation details
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added comprehensive debugging tools and documentation for API connection issues.
Changes:
- Created test-api-connection.sh - Automated diagnostic script
- Created DEBUGGING_GUIDE.md - Step-by-step debugging guide
- Created API_CONNECTION_FIX_SUMMARY.md - Complete fix summary
- Updated progress.md with API connection debugging enhancement entry
These tools help diagnose and resolve frontend-backend connection issues.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
