fix(auth): use slug for tenant lookup in createInvite; fix getMemberCount search_path

- createInvite: findOneBy({ slug }) instead of { id } since JWT tenantId is slug - getMemberCount: use SET LOCAL + transaction to prevent pool search_path leak Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 04:17:14 -08:00 · 2026-03-07 04:17:14 -08:00 · 100ca43460
parent 074e031685
commit 100ca43460
2 changed files with 6 additions and 3 deletions
--- a/packages/services/auth-service/src/application/services/auth.service.ts
+++ b/packages/services/auth-service/src/application/services/auth.service.ts
@ -288,8 +288,8 @@ export class AuthService {
    role: string,
    invitedBy: string,
  ): Promise<TenantInvite> {
-    // Check tenant exists
-    const tenant = await this.tenantRepository.findOneBy({ id: tenantId });
+    // Check tenant exists — tenantId here is the slug (matches user.tenantId in JWT)
+    const tenant = await this.tenantRepository.findOneBy({ slug: tenantId });
    if (!tenant) {
      throw new NotFoundException('Tenant not found');
    }
--- a/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
+++ b/packages/services/auth-service/src/interfaces/rest/controllers/tenant.controller.ts
@ -51,10 +51,13 @@ export class TenantController {
    const qr = this.dataSource.createQueryRunner();
    await qr.connect();
    try {
-      await qr.query(`SET search_path TO "${schemaName}", public`);
+      await qr.startTransaction();
+      await qr.query(`SET LOCAL search_path TO "${schemaName}", public`);
      const result = await qr.query(`SELECT COUNT(*)::int AS count FROM users`);
+      await qr.commitTransaction();
      return result[0]?.count ?? 0;
    } catch {
+      await qr.rollbackTransaction().catch(() => {});
      return 0;
    } finally {
      await qr.release();