Session scoping & tenant() cleanup

src/Bootstrappers/QueueTenancyBootstrapper.php

@@ -46,7 +46,7 @@ class QueueTenancyBootstrapper implements TenancyBootstrapper
             }
 
             // Tenancy is already initialized for the tenant (e.g. dispatchNow was used)
-            if (tenancy()->initialized && tenant('id') === $tenantId) {
+            if (tenancy()->initialized && tenant()->getTenantKey() === $tenantId) {
                 return;
             }
 
@@ -87,7 +87,7 @@ class QueueTenancyBootstrapper implements TenancyBootstrapper
             return [];
         }
 
-        $id = tenant('id');
+        $id = tenant()->getTenantKey();
 
         return [
             'tenant_id' => $id,

src/CacheManager.php

@@ -17,7 +17,7 @@ class CacheManager extends BaseCacheManager
      */
     public function __call($method, $parameters)
     {
-        $tags = [config('tenancy.cache.tag_base') . tenant('id')];
+        $tags = [config('tenancy.cache.tag_base') . tenant()->getTenantKey()];
 
         if ($method === 'tags') {
             if (count($parameters) !== 1) {

src/Exceptions/TenancyNotInitializedException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Stancl\Tenancy\Exceptions;
+
+use Exception;
+
+class TenancyNotInitializedException extends Exception
+{
+    public function __construct($message = "")
+    {
+        parent::__construct($message ?: 'Tenancy is not initialized.');
+    }
+}

src/Features/UserImpersonation.php

@@ -37,7 +37,7 @@ class UserImpersonation implements Feature
     {
         $token = $token instanceof ImpersonationToken ? $token : ImpersonationToken::findOrFail($token);
 
-        if (((string) $token->tenant_id) !== ((string) tenant('id'))) {
+        if (((string) $token->tenant_id) !== ((string) tenant()->getTenantKey())) {
             abort(403);
         }
 

src/Middleware/ScopeSessions.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Stancl\Tenancy\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Stancl\Tenancy\Exceptions\TenancyNotInitializedException;
+
+class ScopeSessions
+{
+    public static $tenantIdKey = '_tenant_id';
+
+    public function handle(Request $request, Closure $next)
+    {
+        if (! tenancy()->initialized) {
+            throw new TenancyNotInitializedException('Tenancy needs to be initialized before the session scoping middleware is executed');
+        }
+
+        if (! $request->session()->has(static::$tenantIdKey)) {
+            $request->session()->put(static::$tenantIdKey, tenant()->getTenantKey());
+        } else {
+            if ($request->session()->get(static::$tenantIdKey) !== tenant()->getTenantKey()) {
+                abort(403);
+            }
+        }
+
+        return $next($request);
+    }
+}

tests/ScopeSessionsTest.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Stancl\Tenancy\Tests;
+
+use Illuminate\Session\Middleware\StartSession;
+use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Route;
+use Stancl\Tenancy\Events\TenantCreated;
+use Stancl\Tenancy\Exceptions\TenancyNotInitializedException;
+use Stancl\Tenancy\Middleware\InitializeTenancyBySubdomain;
+use Stancl\Tenancy\Middleware\ScopeSessions;
+use Stancl\Tenancy\Tests\Etc\Tenant;
+
+class ScopeSessionsTest extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        Route::group([
+            'middleware' => [StartSession::class, InitializeTenancyBySubdomain::class, ScopeSessions::class],
+        ], function () {
+            Route::get('/foo', function () {
+                return true;
+            });
+        });
+
+        Event::listen(TenantCreated::class, function (TenantCreated $event) {
+            $tenant = $event->tenant;
+
+            /** @var Tenant $tenant */
+            $tenant->domains()->create([
+                'domain' => $tenant->id,
+            ]);
+        });
+    }
+
+    /** @test */
+    public function tenant_id_is_auto_added_to_session_if_its_missing()
+    {
+        $tenant = Tenant::create([
+            'id' => 'acme',
+        ]);
+
+        $this->get('http://acme.localhost/foo')
+            ->assertSessionHas(ScopeSessions::$tenantIdKey, 'acme');
+    }
+
+    /** @test */
+    public function changing_tenant_id_in_session_will_abort_the_request()
+    {
+        $tenant = Tenant::create([
+            'id' => 'acme',
+        ]);
+
+        $this->get('http://acme.localhost/foo')
+            ->assertSuccessful();
+
+        session()->put(ScopeSessions::$tenantIdKey, 'foobar');
+
+        $this->get('http://acme.localhost/foo')
+            ->assertStatus(403);
+    }
+
+    /** @test */
+    public function an_exception_is_thrown_when_the_middleware_is_executed_before_tenancy_is_initialized()
+    {
+        Route::get('/bar', function () {
+            return true;
+        })->middleware([StartSession::class, ScopeSessions::class]);
+
+        $tenant = Tenant::create([
+            'id' => 'acme',
+        ]);
+
+        $this->expectException(TenancyNotInitializedException::class);
+        $this->withoutExceptionHandling()->get('http://acme.localhost/bar');
+    }
+}