From 52b85f085e472d166817ec6a12610f9789d4ff0c Mon Sep 17 00:00:00 2001
From: hailin
Date: Sun, 22 Feb 2026 00:25:32 -0800
Subject: [PATCH] fix: decode JWT in middleware to populate req.user for RolesGuard

Kong validates the JWT but doesn't populate req.user on the backend. The middleware now decodes the JWT payload to extract user info (id, email, tenantId, roles) so RolesGuard can check role-based access.

Co-Authored-By: Claude Opus 4.6
---
 .../database/src/tenant-context.middleware.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/packages/shared/database/src/tenant-context.middleware.ts b/packages/shared/database/src/tenant-context.middleware.ts
index a52847b..4aa0a4e 100644
--- a/packages/shared/database/src/tenant-context.middleware.ts
+++ b/packages/shared/database/src/tenant-context.middleware.ts
@@ -6,6 +6,25 @@ export class TenantContextMiddleware implements NestMiddleware {
 use(req: any, res: any, next: () => void) {
 const tenantId = req.headers?.['x-tenant-id'] as string;
 
+ // Decode JWT to populate req.user for RolesGuard
+ const authHeader = req.headers?.['authorization'] as string;
+ if (authHeader?.startsWith('Bearer ')) {
+ try {
+ const token = authHeader.slice(7);
+ const payload = JSON.parse(
+ Buffer.from(token.split('.')[1], 'base64').toString(),
+ );
+ req.user = {
+ id: payload.sub,
+ email: payload.email,
+ tenantId: payload.tenantId,
+ roles: payload.roles || [],
+ };
+ } catch {
+ // Ignore decode errors - JWT validation is handled by Kong
+ }
+ }
+
 if (!tenantId) {
 return next();
 }
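Review bot: The decode at `Buffer.from(token.split('.')[1], 'base64')` reads the claims without checking the signature, so `req.user.roles` is only as trustworthy as the guarantee that every request to this service has already passed Kong's JWT plugin; that assumption is stated only in the catch comment and should be recorded where the value is consumed, e.g. `// Signature is NOT verified here: req.user is trusted only because Kong rejects unsigned/invalid tokens before they reach this service. Do not expose this service without the gateway in front of it.` placed above `const authHeader`. Because the payload is never validated, `roles` may also be a string or object rather than an array, which RolesGuard would then compare against; `roles: Array.isArray(payload.roles) ? payload.roles : [],` keeps the guard from receiving a malformed value. JWT segments are base64url, and while Node's `'base64'` decoder tolerates the URL-safe alphabet, `'base64url'` states the intent and fails loudly on unexpected input. The `use` method continues past the end of the hunk.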