open-resource-discovery · pavelkornev · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/api/crm/v1/resources/openApi.ts b/src/api/crm/v1/resources/openApi.ts
@@ -1,8 +1,9 @@
-import { FastifyInstance, FastifyRequest } from 'fastify'
+import { FastifyInstance } from 'fastify'
 import { OpenAPIV3 } from 'openapi-types'
 import { globalTenantIdToLocalTenantIdMapping } from '../../../../data/user/tenantMapping.js'
 import { getTenantIdsFromHeader } from '../../../shared/validateUserAuthorization.js'
 import { getCrmV1ApiDefinition } from '../config.js'
+import { CustomRequest } from '../../../../types/types.js'
 
 export const openApiResourceName = 'openapi'
 
@@ -12,11 +13,11 @@
 *
 * This will later be referenced through ORD.
 */
 export async function openApiResource(fastify: FastifyInstance): Promise<void> {
   fastify.get('/oas3.json', {}, getOpenApiDefinitionHandler)
 }
 
-async function getOpenApiDefinitionHandler(req: FastifyRequest): Promise<OpenAPIV3.Document> {
+async function getOpenApiDefinitionHandler(req: CustomRequest): Promise<OpenAPIV3.Document> {
   const tenantIds = getTenantIdsFromHeader(req)
   if (tenantIds.localTenantId) {
     // This is the `sap.foo.bar:open-local-tenant-id:v1` access strategy

diff --git a/src/api/open-resource-discovery/v1/index.ts b/src/api/open-resource-discovery/v1/index.ts
@@ -1,10 +1,11 @@
-import { FastifyInstance, FastifyRequest } from 'fastify'
+import { FastifyInstance } from 'fastify'
 import fastifyETag from '@fastify/etag'
 import { globalTenantIdToLocalTenantIdMapping } from '../../../data/user/tenantMapping.js'
 import { getTenantIdsFromHeader } from '../../shared/validateUserAuthorization.js'
 import { ordDocumentApiV1Config } from './config.js'
 import { ordConfiguration } from './data/configuration.js'
 import { getOrdDocumentForTenant, ordDocument } from './data/document.js'
+import { CustomRequest } from '../../../types/types.js'
 
 export async function ordDocumentV1Api(fastify: FastifyInstance): Promise<void> {
   fastify.log.info(`Registering ${ordDocumentApiV1Config.apiName}...`)
@@ -31,7 +32,7 @@ export async function ordDocumentV1Api(fastify: FastifyInstance): Promise<void>
   // The result of this request will differ, depending on the tenant chosen
   // We'll implement this as an ORD access strategy, where the tenant ID is passed via Header
   // To show multiple options, we can offer both local tenant ID and global tenant ID for correlations
-  fastify.get(`/${ordDocumentApiV1Config.apiEntryPoint}/documents/system-instance`, (req: FastifyRequest) => {
+  fastify.get(`/${ordDocumentApiV1Config.apiEntryPoint}/documents/system-instance`, (req: CustomRequest) => {
     const tenantIds = getTenantIdsFromHeader(req)
 
     if (tenantIds.localTenantId) {

diff --git a/src/api/shared/validateUserAuthorization.ts b/src/api/shared/validateUserAuthorization.ts
@@ -3,6 +3,8 @@ import _ from 'lodash'
 import { TenantConfiguration, tenants } from '../../data/user/tenants.js'
 import { apiUsersAndPasswords } from '../../data/user/users.js'
 import { UnauthorizedError } from '../../error/UnauthorizedError.js'
+import { globalTenantIdToLocalTenantIdMapping } from '../../data/user/tenantMapping.js'
+import { CustomRequest } from '../../types/types.js'
 
 export interface UserInfo {
   userName: string
@@ -12,6 +14,8 @@ export interface UserInfo {
 
 export const basicAuthConfig = { validate: validateUserAuthorization, authenticate: true }
 
+const localTenants = Object.values(globalTenantIdToLocalTenantIdMapping)
+
 /**
  * Validates a request for a valid BasicAuth login
  *
@@ -20,11 +24,7 @@ export const basicAuthConfig = { validate: validateUserAuthorization, authentica
  *
  * @throws UnauthorizedError
  */
-export async function validateUserAuthorization(
-  username: string,
-  password: string,
-  req: FastifyRequest,
-): Promise<void> {
+export function validateUserAuthorization(username: string, password: string, req: FastifyRequest): void {
   if (apiUsersAndPasswords[username] && apiUsersAndPasswords[username].password === password) {
     const tenantId = apiUsersAndPasswords[username].tenantId
     // Add user info to the request that we've validated
@@ -34,23 +34,31 @@ export async function validateUserAuthorization(
       tenantConfiguration: tenants[tenantId],
     }
     req.log.info(`User "${username}" of tenant "${tenantId}" authenticated successfully.`)
-    return
   } else {
     throw new UnauthorizedError(`Unknown username "${username}" and password combination`)
   }
 }
 
-export function getTenantIdsFromHeader(req: FastifyRequest): {
+export function getTenantIdsFromHeader(req: CustomRequest): {
   localTenantId: string | undefined
   sapGlobalTenantId: string | undefined
 } {
-  const localTenantId = _.isArray(req.headers['sap-local-tenant-id'])
+  let localTenantId = _.isArray(req.headers['sap-local-tenant-id'])
     ? req.headers['sap-local-tenant-id'].join()
     : req.headers['sap-local-tenant-id']
+
+  if (req.query['local-tenant-id'] && localTenants.includes(req.query['local-tenant-id'])) {
+    localTenantId = req.query['local-tenant-id']
+  }
+
   const sapGlobalTenantId = _.isArray(req.headers['sap-global-tenant-id'])
     ? req.headers['sap-global-tenant-id'].join()
     : req.headers['sap-global-tenant-id']
 
+  if (req.query['global-tenant-id'] && req.query['global-tenant-id'] in globalTenantIdToLocalTenantIdMapping) {
+    localTenantId = req.query['global-tenant-id']
+  }
+
   return {
     localTenantId,
     sapGlobalTenantId,

diff --git a/src/event/odm-finance-costobject/v1/eventCatalogDefinition.ts b/src/event/odm-finance-costobject/v1/eventCatalogDefinition.ts
@@ -1,8 +1,9 @@
-import { FastifyInstance, FastifyRequest } from 'fastify'
+import { FastifyInstance } from 'fastify'
 import { getTenantIdsFromHeader } from '../../../api/shared/validateUserAuthorization.js'
 import { globalTenantIdToLocalTenantIdMapping } from '../../../data/user/tenantMapping.js'
 import { SapEventCatalog } from '../../shared/SapEventCatalog.js'
 import { getOdmCostObjectSapEventCatalogDefinition } from './config.js'
+import { CustomRequest } from '../../../types/types.js'
 
 export const openApiResourceName = 'openapi'
 
@@ -16,7 +17,7 @@ export async function sapEventCatalogDefinition(fastify: FastifyInstance): Promi
   fastify.get('/odm-finance-costobject.asyncapi2.json', {}, getSapEventCatalogDefinitionHandler)
 }
 
-async function getSapEventCatalogDefinitionHandler(req: FastifyRequest): Promise<SapEventCatalog> {
+async function getSapEventCatalogDefinitionHandler(req: CustomRequest): Promise<SapEventCatalog> {
   const tenantIds = getTenantIdsFromHeader(req)
   if (tenantIds.localTenantId) {
     // This is the `sap.foo.bar:open-local-tenant-id:v1` access strategy

diff --git a/src/types/fastify.d.ts b/src/types/fastify.d.ts
@@ -9,4 +9,7 @@ declare module 'fastify' {
       tenantConfiguration: TenantConfiguration
     }
   }
+  export interface FastifyQueryParameters {
+    [key: string]: string
+  }
 }
diff --git a/src/types/types.ts b/src/types/types.ts
@@ -0,0 +1,8 @@
+import { FastifyRequest } from 'fastify'
+
+export type CustomRequest = FastifyRequest<{
+  Querystring: {
+    'local-tenant-id': string
+    'global-tenant-id': string
+  }
+}>