Currently the TenantMiddleware only blocks when the x-dv-baseuri or x-dv-tenant-id headers are set:
```csharp
if (systemBaseUriFromHeader != null || tenantIdFromHeader != null)
```
(dvelop-sdk-cs/dvelop-sdk-tenant/TenantMiddleware/TenantMiddleware.cs, line 58 in e7325a9)
But following https://git.d-velop.de/dvelop/architecture/well-architected-app-review/-/blob/main/docs/SECURITY.md#si07---signatur-der-mandanten-header it should block more restrictively.
Idea for solution:
If SignatureSecretKey is set, then block if not all tenant headers are set.
If SignatureSecretKey is not set, then the default tenant is always 0, regardless of tenant headers.
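The decision proposed above, sketched as an added example that is not code from dvelop-sdk-cs. The helper name `TryResolve`, the signature header name `x-dv-sig-1` and the scheme Base64(HMAC-SHA256(key, baseUri + tenantId)) are assumptions; the key and header values in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class TenantDecision
{
    // Hypothetical helper: false means "block the request", true yields the tenant to use.
    public static bool TryResolve(byte[] signatureSecretKey, IDictionary<string, string> headers, out string tenantId)
    {
        headers.TryGetValue("x-dv-tenant-id", out var tenant);
        headers.TryGetValue("x-dv-baseuri", out var baseUri);
        headers.TryGetValue("x-dv-sig-1", out var sig); // header name is an assumption
        tenantId = "0";
        // No key configured: tenant headers cannot be verified, so they are ignored.
        if (signatureSecretKey == null) return true;
        // Key configured: block unless every tenant header is present.
        if (string.IsNullOrEmpty(tenant) || string.IsNullOrEmpty(baseUri) || string.IsNullOrEmpty(sig))
            return false;
        // Assumed scheme: Base64(HMAC-SHA256(key, baseUri + tenantId)).
        byte[] given;
        try { given = Convert.FromBase64String(sig); }
        catch (FormatException) { return false; }
        using var hmac = new HMACSHA256(signatureSecretKey);
        var expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(baseUri + tenant));
        // Constant-time comparison; arrays of different length compare as unequal.
        if (!CryptographicOperations.FixedTimeEquals(expected, given)) return false;
        tenantId = tenant;
        return true;
    }

    public static void Main()
    {
        var key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed sample key
        var none = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var unsigned = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { ["x-dv-tenant-id"] = "a12", ["x-dv-baseuri"] = "https://tenant.example" };
        var signed = new Dictionary<string, string>(unsigned, StringComparer.OrdinalIgnoreCase);
        using var hmac = new HMACSHA256(key);
        signed["x-dv-sig-1"] = Convert.ToBase64String(
            hmac.ComputeHash(Encoding.UTF8.GetBytes("https://tenant.example" + "a12")));
        foreach (var (name, k, h) in new[] {
            ("no key, unsigned headers", (byte[])null, unsigned), ("key, no headers", key, none),
            ("key, signature missing", key, unsigned), ("key, valid signature", key, signed) })
        {
            var ok = TryResolve(k, h, out var t);
            Console.WriteLine($"{name}: {(ok ? "tenant " + t : "blocked")}");
        }
    }
}
```

The "key, no headers" case is the one the quoted condition lets through today, because neither header is present to trigger the check.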