From 100ca43460c22940d9fbd5e9fbdfca96c3ee926b Mon Sep 17 00:00:00 2001
From: hailin
Date: Sat, 7 Mar 2026 04:17:14 -0800
Subject: [PATCH] fix(auth): use slug for tenant lookup in createInvite; fix getMemberCount search_path
- createInvite: findOneBy({ slug }) instead of { id } since JWT tenantId is slug
- getMemberCount: use SET LOCAL + transaction to prevent pool search_path leak
Co-Authored-By: Claude Sonnet 4.6
---
 .../auth-service/src/application/services/auth.service.ts | 4 ++--
 .../src/interfaces/rest/controllers/tenant.controller.ts | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/services/auth-service/src/application/services/auth.service.ts b/packages/services/auth-service/src/application/services/auth.service.ts
index e5944a1..3759340 100644
--- a/packages/services/auth-service/src/application/services/auth.service.ts
+++ b/packages/services/auth-service/src/application/services/auth.service.ts
@@ -288,8 +288,8 @@ export class AuthService {
 role: string,
 invitedBy: string,
 ): Promise {
- // Check tenant exists
- const tenant = await this.tenantRepository.findOneBy({ id: tenantId });
+ // Check tenant exists — tenantId here is the slug (matches user.tenantId in JWT)
+ const tenant = await this.tenantRepository.findOneBy({ slug: tenantId });
 if (!tenant) {
 throw new NotFoundException('Tenant not found');
 }
diff --git a/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts b/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
index a4e87dc..5e71f82 100644
--- a/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
+++ b/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
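Review bot: The parameter is still named `tenantId` although `findOneBy({ slug: tenantId })` now treats it as a slug, so any later statement in createInvite that uses `tenantId` as the primary key (for example when persisting the invite) would silently store the slug instead. After the lookup, prefer `tenant.id` wherever the key is needed, and document the contract on the method with something like `@param tenantId tenant slug as carried in the JWT, not the tenant primary key`. Because this lookup is what binds the invite to a tenant, it is also worth confirming that the caller takes the value from the verified token rather than from the request body, and that `slug` has a unique constraint so `findOneBy` cannot match a different tenant. The method's signature and the rest of its body are outside this hunk.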
@@ -51,10 +51,13 @@ export class TenantController {
 const qr = this.dataSource.createQueryRunner();
 await qr.connect();
 try {
- await qr.query(`SET search_path TO "${schemaName}", public`);
+ await qr.startTransaction();
+ await qr.query(`SET LOCAL search_path TO "${schemaName}", public`);
 const result = await qr.query(`SELECT COUNT(*)::int AS count FROM users`);
+ await qr.commitTransaction();
 return result[0]?.count ?? 0;
 } catch {
+ await qr.rollbackTransaction().catch(() => {});
 return 0;
 } finally {
 await qr.release();
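Review bot: `schemaName` is still interpolated directly into the `SET LOCAL search_path TO "${schemaName}", public` statement, and nothing in this hunk shows it being validated. Its derivation is outside the hunk, but if it comes from a tenant slug or any request-controlled value, a double quote in it would end the quoted identifier and change which schemas the following `SELECT` reads from. Since `SET` cannot take bind parameters, check the name against a strict pattern before the query runner is created, e.g. `if (!/^[A-Za-z0-9_]+$/.test(schemaName)) throw new Error('invalid schema name');`. Separately, the bare `catch` turns every database error into a member count of 0 with no log entry, so a failed or tampered lookup is indistinguishable from an empty tenant; logging the error before `return 0;` would make that visible. The enclosing method starts and ends outside this hunk.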