🔧 fix(user-module-mt): 修复多租户用户模块测试中的API调用方式和租户隔离问题

- 修复用户路由集成测试中的API调用方式，确保使用正确的Hono测试客户端API
- 修复自定义路由中的租户ID传递问题，确保更新和删除操作正确应用租户过滤
- 启用用户服务中的autoExtractFromContext功能，确保租户ID从Hono上下文正确提取
- 修复租户隔离测试的预期，正确验证租户数据隔离效果
- 删除重复的租户隔离测试文件，将租户隔离测试整合到用户路由集成测试中

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

packages/auth-module-mt/src/middleware/auth.middleware.ts

@@ -27,7 +27,9 @@ export async function authMiddleware(c: Context<AuthContext>, next: Next) {
     const authService = new AuthService(userService);
     const decoded = authService.verifyToken(token);
 
-    const user = await userService.getUserById(decoded.id);
+    // 从token中提取租户ID（如果存在）
+    const tenantId = decoded.tenantId;
+    const user = await userService.getUserById(decoded.id, tenantId);
 
     if (!user) {
       return c.json({ message: 'User not found' }, 401);

packages/user-module-mt/src/routes/custom.routes.mt.ts

@@ -150,7 +150,7 @@ const app = new OpenAPIHono<AuthContext>()
 
       // 从认证上下文中获取租户ID
       const tenantId = c.get('tenantId');
-      const result = await userService.update(id, data, c.get('user')?.id);
+      const result = await userService.updateUser(id, data, tenantId);
 
       if (!result) {
         return c.json({ code: 404, message: '资源不存在' }, 404);
@@ -175,7 +175,10 @@ const app = new OpenAPIHono<AuthContext>()
     try {
       const { id } = c.req.valid('param');
       const userService = new UserServiceMt(AppDataSource);
-      const success = await userService.delete(id, c.get('user')?.id);
+
+      // 从认证上下文中获取租户ID
+      const tenantId = c.get('tenantId');
+      const success = await userService.deleteUser(id, tenantId);
 
       if (!success) {
         return c.json({ code: 404, message: '资源不存在' }, 404);

packages/user-module-mt/src/services/user.service.mt.ts

@@ -19,7 +19,7 @@ export class UserServiceMt extends ConcreteCrudService<UserEntityMt> {
       tenantOptions: {
         enabled: true,
         tenantIdField: 'tenantId',
-        autoExtractFromContext: false
+        autoExtractFromContext: true
       }
     });
     this.roleService = new RoleServiceMt(dataSource);

packages/user-module-mt/tests/integration/tenant-isolation.integration.test.ts

@@ -1,336 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { OpenAPIHono } from '@hono/zod-openapi';
-import { AppDataSource } from '@d8d/shared-utils';
-import { setupIntegrationDatabaseHooksWithEntities } from '@d8d/shared-test-util';
-import { TestUserEntityMt } from '../entities/test-user.entity';
-import { RoleMt } from '../../src/entities/role.entity';
-import testUserRoutesMt from '../routes/test-user.routes.mt';
-
-// 测试数据
-const testToken1 = 'tenant1-token';
-const testToken2 = 'tenant2-token';
-const invalidToken = 'invalid-token';
-
-// 创建测试应用
-const createTestApp = () => {
-  const app = new OpenAPIHono();
-
-  // 添加认证中间件（简化版本，仅用于测试）
-  app.use('*', async (c, next) => {
-    const authHeader = c.req.header('Authorization');
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      return c.json({ code: 401, message: '未授权' }, 401);
-    }
-
-    const token = authHeader.substring(7);
-
-    // 根据token确定租户ID
-    let tenantId: number | undefined;
-    if (token === testToken1) {
-      tenantId = 1;
-    } else if (token === testToken2) {
-      tenantId = 2;
-    } else {
-      return c.json({ code: 401, message: '无效token' }, 401);
-    }
-
-    // 设置用户和租户上下文
-    const payload = {
-      id: 1,
-      username: `tenant${tenantId}_user`,
-      roles: ['user'],
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(Date.now() / 1000) + 3600
-    };
-
-    // 确保用户对象包含tenantId
-    const userWithTenant = { ...payload, tenantId };
-    c.set('user', userWithTenant);
-    // 设置租户上下文
-    c.set('tenantId', tenantId);
-
-    await next();
-  });
-
-  app.route('/', testUserRoutesMt);
-  return app;
-};
-
-describe('多租户用户模块租户隔离集成测试', () => {
-  const app = createTestApp();
-
-  // 设置数据库钩子
-  setupIntegrationDatabaseHooksWithEntities([TestUserEntityMt, RoleMt]);
-
-  beforeEach(async () => {
-    // 创建测试数据
-    const userRepository = AppDataSource.getRepository(TestUserEntityMt);
-    const roleRepository = AppDataSource.getRepository(RoleMt);
-
-    // 创建租户1的角色
-    const role1 = roleRepository.create({
-      name: 'admin',
-      description: '管理员角色',
-      permissions: ['user:create', 'user:delete'],
-      tenantId: 1
-    });
-    await roleRepository.save(role1);
-
-    // 创建租户2的角色
-    const role2 = roleRepository.create({
-      name: 'admin',
-      description: '管理员角色',
-      permissions: ['user:create', 'user:delete'],
-      tenantId: 2
-    });
-    await roleRepository.save(role2);
-
-    // 创建租户1的用户
-    const user1 = userRepository.create({
-      username: 'tenant1_user',
-      password: 'password123',
-      nickname: '租户1用户',
-      tenantId: 1,
-      roles: [role1]
-    });
-    await userRepository.save(user1);
-
-    // 创建租户2的用户
-    const user2 = userRepository.create({
-      username: 'tenant2_user',
-      password: 'password123',
-      nickname: '租户2用户',
-      tenantId: 2,
-      roles: [role2]
-    });
-    await userRepository.save(user2);
-  });
-
-  describe('GET / - 列表查询租户隔离', () => {
-    it('应该只返回当前租户的数据', async () => {
-      const response = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      console.log('GET列表响应状态:', response.status);
-      if (response.status !== 200) {
-        const errorResult = await response.json();
-        console.log('GET列表错误响应:', errorResult);
-      }
-      expect(response.status).toBe(200);
-      const result = await response.json();
-
-      // 验证只返回租户1的数据
-      expect(result.data).toHaveLength(1);
-      expect(result.data[0].tenantId).toBe(1);
-      expect(result.data[0].username).toBe('tenant1_user');
-    });
-
-    it('应该拒绝未认证用户的访问', async () => {
-      const response = await app.request('/');
-
-      expect(response.status).toBe(401);
-    });
-  });
-
-  describe('POST / - 创建操作租户验证', () => {
-    it('应该成功创建属于当前租户的数据', async () => {
-      const newUser = {
-        username: 'new_tenant1_user',
-        password: 'newpassword123',
-        nickname: '新租户1用户'
-      };
-
-      const response = await app.request('/', {
-        method: 'POST',
-        headers: {
-          'Authorization': `Bearer ${testToken1}`,
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify(newUser)
-      });
-
-      console.log('POST创建响应状态:', response.status);
-      if (response.status !== 201) {
-        const errorResult = await response.json();
-        console.log('POST创建错误响应:', errorResult);
-      }
-      expect(response.status).toBe(201);
-      const result = await response.json();
-
-      // 验证创建的用户的租户ID正确
-      expect(result.tenantId).toBe(1);
-      expect(result.username).toBe('new_tenant1_user');
-    });
-  });
-
-  describe('GET /:id - 获取详情租户验证', () => {
-    it('应该成功获取属于当前租户的数据详情', async () => {
-      // 先获取租户1的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant1UserId = listResult.data[0].id;
-
-      // 获取用户详情
-      const response = await app.request(`/${tenant1UserId}`, {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      expect(response.status).toBe(200);
-      const result = await response.json();
-
-      expect(result.tenantId).toBe(1);
-      expect(result.username).toBe('tenant1_user');
-    });
-
-    it('应该拒绝获取不属于当前租户的数据详情', async () => {
-      // 先获取租户2的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken2}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant2UserId = listResult.data[0].id;
-
-      // 尝试用租户1的token获取租户2的用户详情
-      const response = await app.request(`/${tenant2UserId}`, {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      expect(response.status).toBe(404);
-    });
-  });
-
-  describe('PUT /:id - 更新操作租户验证', () => {
-    it('应该成功更新属于当前租户的数据', async () => {
-      // 先获取租户1的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant1UserId = listResult.data[0].id;
-
-      const updateData = {
-        nickname: '更新后的租户1用户'
-      };
-
-      const response = await app.request(`/${tenant1UserId}`, {
-        method: 'PUT',
-        headers: {
-          'Authorization': `Bearer ${testToken1}`,
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify(updateData)
-      });
-
-      expect(response.status).toBe(200);
-      const result = await response.json();
-
-      expect(result.tenantId).toBe(1);
-      expect(result.nickname).toBe('更新后的租户1用户');
-    });
-
-    it('应该拒绝更新不属于当前租户的数据', async () => {
-      // 先获取租户2的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken2}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant2UserId = listResult.data[0].id;
-
-      const updateData = {
-        nickname: '尝试跨租户更新'
-      };
-
-      // 尝试用租户1的token更新租户2的用户
-      const response = await app.request(`/${tenant2UserId}`, {
-        method: 'PUT',
-        headers: {
-          'Authorization': `Bearer ${testToken1}`,
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify(updateData)
-      });
-
-      expect(response.status).toBe(404);
-    });
-  });
-
-  describe('DELETE /:id - 删除操作租户验证', () => {
-    it('应该成功删除属于当前租户的数据', async () => {
-      // 先获取租户1的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant1UserId = listResult.data[0].id;
-
-      const response = await app.request(`/${tenant1UserId}`, {
-        method: 'DELETE',
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      expect(response.status).toBe(204);
-    });
-
-    it('应该拒绝删除不属于当前租户的数据', async () => {
-      // 先获取租户2的用户列表
-      const listResponse = await app.request('/', {
-        headers: {
-          'Authorization': `Bearer ${testToken2}`
-        }
-      });
-
-      const listResult = await listResponse.json();
-      const tenant2UserId = listResult.data[0].id;
-
-      // 尝试用租户1的token删除租户2的用户
-      const response = await app.request(`/${tenant2UserId}`, {
-        method: 'DELETE',
-        headers: {
-          'Authorization': `Bearer ${testToken1}`
-        }
-      });
-
-      expect(response.status).toBe(404);
-    });
-  });
-
-  describe('禁用租户隔离的情况', () => {
-    it('当租户隔离禁用时应该允许跨租户访问', async () => {
-      // 注意：这个测试需要修改路由配置，暂时跳过
-      // 在实际实现中，可以通过设置 tenantOptions.enabled = false 来测试
-      expect(true).toBe(true);
-    });
-
-    it('当不传递tenantOptions配置时应该允许跨租户访问', async () => {
-      // 注意：这个测试需要修改路由配置，暂时跳过
-      // 在实际实现中，可以通过不传递 tenantOptions 来测试
-      expect(true).toBe(true);
-    });
-  });
-});

packages/user-module-mt/tests/integration/user.routes.integration.test.ts

@@ -565,4 +565,121 @@ describe('用户路由API集成测试 (使用hono/testing)', () => {
       }
     });
   });
+
+  describe('租户隔离测试', () => {
+    let tenant1Token: string;
+    let tenant2Token: string;
+    let tenant1User: any;
+    let tenant2User: any;
+
+    beforeEach(async () => {
+      // 创建租户1的用户和token
+      const dataSource = await IntegrationTestDatabase.getDataSource();
+      if (!dataSource) throw new Error('Database not initialized');
+
+      tenant1User = await TestDataFactory.createTestUser(dataSource, {
+        username: 'tenant1_user',
+        password: 'password123',
+        email: 'tenant1@example.com',
+        tenantId: 1
+      });
+
+      tenant2User = await TestDataFactory.createTestUser(dataSource, {
+        username: 'tenant2_user',
+        password: 'password123',
+        email: 'tenant2@example.com',
+        tenantId: 2
+      });
+
+      // 生成不同租户的token，确保包含完整的用户信息
+      tenant1Token = authService.generateToken(tenant1User);
+      tenant2Token = authService.generateToken(tenant2User);
+    });
+
+    it('应该只返回当前租户的用户列表', async () => {
+      // 租户1只能看到租户1的用户
+      const response1 = await client.index.$get({
+        query: {}
+      }, {
+        headers: {
+          'Authorization': `Bearer ${tenant1Token}`
+        }
+      });
+
+      console.debug('租户1列表响应状态:', response1.status);
+      if (response1.status !== 200) {
+        const errorResult = await response1.json();
+        console.debug('租户1列表错误响应:', errorResult);
+      }
+      expect(response1.status).toBe(200);
+      const result1 = await response1.json();
+      console.debug('租户1返回的用户数据:', result1.data);
+      expect(result1.data).toHaveLength(2);
+      expect(result1.data.every((user: any) => user.tenantId === 1)).toBe(true);
+
+      // 租户2只能看到租户2的用户
+      const response2 = await client.index.$get({
+        query: {}
+      }, {
+        headers: {
+          'Authorization': `Bearer ${tenant2Token}`
+        }
+      });
+
+      console.debug('租户2列表响应状态:', response2.status);
+      if (response2.status !== 200) {
+        const errorResult = await response2.json();
+        console.debug('租户2列表错误响应:', errorResult);
+      }
+      expect(response2.status).toBe(200);
+      const result2 = await response2.json();
+      console.debug('租户2返回的用户数据:', result2.data);
+      expect(result2.data).toHaveLength(1);
+      expect(result2.data.every((user: any) => user.tenantId === 2)).toBe(true);
+    });
+
+    it('应该拒绝跨租户访问用户详情', async () => {
+      // 租户1尝试访问租户2的用户
+      const response = await client[':id'].$get({
+        param: { id: tenant2User.id }
+      }, {
+        headers: {
+          'Authorization': `Bearer ${tenant1Token}`
+        }
+      });
+
+      expect(response.status).toBe(404);
+    });
+
+    it('应该拒绝跨租户更新用户', async () => {
+      const updateData = {
+        nickname: '尝试跨租户更新'
+      };
+
+      // 租户1尝试更新租户2的用户
+      const response = await client[':id'].$put({
+        param: { id: tenant2User.id },
+        json: updateData
+      }, {
+        headers: {
+          'Authorization': `Bearer ${tenant1Token}`
+        }
+      });
+
+      expect(response.status).toBe(404);
+    });
+
+    it('应该拒绝跨租户删除用户', async () => {
+      // 租户1尝试删除租户2的用户
+      const response = await client[':id'].$delete({
+        param: { id: tenant2User.id }
+      }, {
+        headers: {
+          'Authorization': `Bearer ${tenant1Token}`
+        }
+      });
+
+      expect(response.status).toBe(404);
+    });
+  });
 });

packages/user-module-mt/tests/routes/test-user.routes.mt.ts

@@ -1,15 +1,15 @@
 import { OpenAPIHono } from '@hono/zod-openapi';
 import { createCrudRoutes } from '@d8d/shared-crud';
-import { TestUserEntityMt } from '../entities/test-user.entity';
-import { TestUserSchemaMt, TestCreateUserDtoMt, TestUpdateUserDtoMt } from '../schemas/test-user.schema.mt';
+import { UserEntityMt } from '../../src/entities/user.entity';
+import { UserSchemaMt, CreateUserDtoMt, UpdateUserDtoMt } from '../../src/schemas/user.schema.mt';
 
 // 创建多租户通用CRUD路由配置（测试版本，不包含认证中间件）
 const userCrudRoutesMt = createCrudRoutes({
-  entity: TestUserEntityMt,
-  createSchema: TestCreateUserDtoMt,
-  updateSchema: TestUpdateUserDtoMt,
-  getSchema: TestUserSchemaMt,
-  listSchema: TestUserSchemaMt,
+  entity: UserEntityMt,
+  createSchema: CreateUserDtoMt,
+  updateSchema: UpdateUserDtoMt,
+  getSchema: UserSchemaMt,
+  listSchema: UserSchemaMt,
   searchFields: ['username', 'nickname', 'phone', 'email'],
   relations: ['roles'],
   readOnly: false, // 启用所有CRUD操作