feat: enforce tenant route isolation

2026-01-13 15:41:32 +08:00
parent 95c14fdd86
commit bd8dab5764
3 changed files with 10 additions and 4 deletions
--- a/backend/app/http/v1/auth/routes.manual.go
+++ b/backend/app/http/v1/auth/routes.manual.go
@@ -1,9 +1,11 @@
 package auth
 func (r *Routes) Path() string {
-	return "/v1/auth"
+	return "/t/:tenantCode/v1/auth"
 }
 func (r *Routes) Middlewares() []any {
-	return []any{}
+	return []any{
 		r.middlewares.TenantResolver,
 	}
 }
--- a/docs/todo_list.md
+++ b/docs/todo_list.md
@@ -199,6 +199,7 @@
 - 运营统计报表（overview + CSV 导出基础版）。
 - 超管后台治理能力（健康度/异常监控/内容审核）。
 - 性能优化（避免 N+1：topics 聚合批量查询）。
 - 多租户强隔离（/t/:tenantCode/v1 + TenantResolver）。
 ## 里程碑建议
 - M1：完成 P0
--- a/frontend/portal/src/utils/request.js
+++ b/frontend/portal/src/utils/request.js
@@ -3,7 +3,10 @@ import { getTenantCode } from './tenant';
 export async function request(endpoint, options = {}) {
    const tenantCode = getTenantCode();
-    const baseUrl = tenantCode ? `/t/${tenantCode}/v1` : '/v1';
+    if (!tenantCode) {
        throw new Error('Tenant code missing in URL');
    }
    const baseUrl = `/t/${tenantCode}/v1`;
    const token = localStorage.getItem('token');
    const headers = {
@@ -42,7 +45,7 @@ export async function request(endpoint, options = {}) {
            if (res.status === 401) {
                localStorage.removeItem('token');
                localStorage.removeItem('user');
-                const loginPath = tenantCode ? `/t/${tenantCode}/auth/login` : '/auth/login';
+                const loginPath = `/t/${tenantCode}/auth/login`;
                // Redirect to login if not already there
                if (!window.location.pathname.includes('/auth/login')) {
                    window.location.href = loginPath;