refactor: remove deprecated tenant scoped methods (#34)

Author: smncd

internal/api/handlers.go

@@ -205,102 +205,6 @@ func (h *Handlers) FinishWebAuthnLogin(c *gin.Context) {
 	c.JSON(200, resp)
 }
 
-// Tenant-scoped WebAuthn handlers
-// Deprecated: These handlers were used for path-based tenant routing (/t/{tenantID}/...).
-// Use the global handlers with X-Tenant-ID header instead.
-// See docs/adr/011-multi-tenancy.md for the new design.
-
-// StartTenantWebAuthnLogin begins WebAuthn login for a specific tenant
-// Deprecated: Use StartWebAuthnLogin with X-Tenant-ID header instead.
-func (h *Handlers) StartTenantWebAuthnLogin(c *gin.Context) {
-	if h.services.WebAuthn == nil {
-		c.JSON(503, gin.H{"error": "WebAuthn not available"})
-		return
-	}
-
-	tenantID, ok := h.getTenantID(c)
-	if !ok {
-		c.JSON(500, gin.H{"error": "Tenant context not available"})
-		return
-	}
-
-	resp, err := h.services.WebAuthn.BeginTenantLogin(c.Request.Context(), tenantID)
-	if err != nil {
-		h.logger.Error("Failed to start tenant WebAuthn login",
-			zap.Error(err),
-			zap.String("tenant_id", string(tenantID)))
-		c.JSON(500, gin.H{"error": "Failed to start login"})
-		return
-	}
-
-	c.JSON(200, resp)
-}
-
-// FinishTenantWebAuthnLogin completes WebAuthn login for a specific tenant
-// Deprecated: Use FinishWebAuthnLogin with X-Tenant-ID header instead.
-func (h *Handlers) FinishTenantWebAuthnLogin(c *gin.Context) {
-	if h.services.WebAuthn == nil {
-		c.JSON(503, gin.H{"error": "WebAuthn not available"})
-		return
-	}
-
-	tenantID, ok := h.getTenantID(c)
-	if !ok {
-		c.JSON(500, gin.H{"error": "Tenant context not available"})
-		return
-	}
-
-	var req service.FinishLoginRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(400, gin.H{"error": err.Error()})
-		return
-	}
-
-	resp, err := h.services.WebAuthn.FinishTenantLogin(c.Request.Context(), tenantID, &req)
-	if err != nil {
-		h.logger.Error("Failed to finish tenant WebAuthn login",
-			zap.Error(err),
-			zap.String("tenant_id", string(tenantID)))
-
-		// Check for redirect error - user belongs to a different tenant
-		if redirectErr, ok := service.IsTenantRedirectError(err); ok {
-			h.logger.Info("Tenant redirect required",
-				zap.String("correct_tenant", string(redirectErr.CorrectTenantID)),
-				zap.String("requested_tenant", string(tenantID)))
-			c.JSON(409, gin.H{
-				"error":           "Tenant mismatch - redirect required",
-				"redirect_tenant": string(redirectErr.CorrectTenantID),
-				"user_id":         redirectErr.UserID.String(),
-			})
-			return
-		}
-
-		switch {
-		case errors.Is(err, service.ErrChallengeNotFound):
-			c.JSON(404, gin.H{"error": "Challenge not found"})
-		case errors.Is(err, service.ErrChallengeExpired):
-			c.JSON(410, gin.H{"error": "Challenge expired"})
-		case errors.Is(err, service.ErrUserNotFound):
-			c.JSON(404, gin.H{"error": "User not found"})
-		case errors.Is(err, service.ErrCredentialNotFound):
-			c.JSON(404, gin.H{"error": "Credential not found"})
-		case errors.Is(err, service.ErrVerificationFailed):
-			c.JSON(401, gin.H{"error": "Authentication failed"})
-		case errors.Is(err, service.ErrTenantMismatch):
-			c.JSON(403, gin.H{"error": "Credential belongs to a different tenant"})
-		default:
-			c.JSON(500, gin.H{"error": "Failed to complete login"})
-		}
-		return
-	}
-
-	if len(resp.PrivateData) > 0 {
-		c.Header("X-Private-Data-ETag", domain.ComputePrivateDataETag(resp.PrivateData))
-	}
-
-	c.JSON(200, resp)
-}
-
 // Storage handlers - Credentials
 
 // getHolderDID retrieves the holder DID from context

internal/api/handlers_test.go

@@ -458,36 +458,6 @@ func TestHandlers_FinishWebAuthnRegistration_NotAvailable(t *testing.T) {
 	}
 }
 
-func TestHandlers_StartTenantWebAuthnLogin_NotAvailable(t *testing.T) {
-	handlers, router := setupTestHandlers(t)
-	handlers.services.WebAuthn = nil
-	router.POST("/tenant/webauthn/login/start", handlers.StartTenantWebAuthnLogin)
-
-	w := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodPost, "/tenant/webauthn/login/start", strings.NewReader(`{}`))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	if w.Code != http.StatusServiceUnavailable {
-		t.Errorf("Expected status %d, got %d", http.StatusServiceUnavailable, w.Code)
-	}
-}
-
-func TestHandlers_FinishTenantWebAuthnLogin_NotAvailable(t *testing.T) {
-	handlers, router := setupTestHandlers(t)
-	handlers.services.WebAuthn = nil
-	router.POST("/tenant/webauthn/login/finish", handlers.FinishTenantWebAuthnLogin)
-
-	w := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodPost, "/tenant/webauthn/login/finish", strings.NewReader(`{}`))
-	req.Header.Set("Content-Type", "application/json")
-	router.ServeHTTP(w, req)
-
-	if w.Code != http.StatusServiceUnavailable {
-		t.Errorf("Expected status %d, got %d", http.StatusServiceUnavailable, w.Code)
-	}
-}
-
 // Test credential storage handlers with authentication context
 func TestHandlers_StoreCredential_Unauthorized(t *testing.T) {
 	handlers, router := setupTestHandlers(t)

internal/service/webauthn.go

@@ -1178,216 +1178,6 @@ func (r *credentialReader) Read(p []byte) (n int, err error) {
 	return n, nil
 }
 
-// =============================================================================
-// Tenant-scoped WebAuthn methods
-// =============================================================================
-
-// BeginTenantLogin starts WebAuthn login for a specific tenant
-func (s *WebAuthnService) BeginTenantLogin(ctx context.Context, tenantID domain.TenantID) (*BeginLoginResponse, error) {
-	// Generate login options without credentials (discoverable credentials mode)
-	_, session, err := s.webauthn.BeginDiscoverableLogin()
-	if err != nil {
-		s.logger.Error("Failed to begin tenant login", zap.Error(err))
-		return nil, fmt.Errorf("failed to begin login: %w", err)
-	}
-
-	// Store challenge with tenant ID
-	challengeID := generateChallengeID()
-	challenge := &domain.WebauthnChallenge{
-		ID:        challengeID,
-		TenantID:  string(tenantID),
-		Challenge: session.Challenge,
-		Action:    "login",
-		ExpiresAt: time.Now().Add(5 * time.Minute),
-	}
-
-	if err := s.store.Challenges().Create(ctx, challenge); err != nil {
-		s.logger.Error("Failed to store challenge", zap.Error(err))
-		return nil, fmt.Errorf("failed to store challenge: %w", err)
-	}
-
-	// Build response
-	challengeBytes, err := base64.RawURLEncoding.DecodeString(session.Challenge)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode challenge: %w", err)
-	}
-
-	getOptions := GetOptionsResponse{
-		PublicKey: PublicKeyCredentialRequestOptions{
-			Challenge:        challengeBytes,
-			RPId:             s.cfg.Server.RPID,
-			UserVerification: protocol.VerificationRequired,
-			AllowCredentials: []PublicKeyCredentialDescriptor{},
-		},
-	}
-
-	return &BeginLoginResponse{
-		ChallengeID: challengeID,
-		GetOptions:  getOptions,
-	}, nil
-}
-
-// FinishTenantLogin completes WebAuthn login for a specific tenant
-// It validates that the user handle contains the expected tenant ID prefix
-func (s *WebAuthnService) FinishTenantLogin(ctx context.Context, tenantID domain.TenantID, req *FinishLoginRequest) (*FinishLoginResponse, error) {
-	// Retrieve challenge
-	challenge, err := s.store.Challenges().GetByID(ctx, req.ChallengeID)
-	if err != nil {
-		if errors.Is(err, storage.ErrNotFound) {
-			return nil, ErrChallengeNotFound
-		}
-		return nil, fmt.Errorf("failed to retrieve challenge: %w", err)
-	}
-
-	// Check expiration
-	if time.Now().After(challenge.ExpiresAt) {
-		return nil, ErrChallengeExpired
-	}
-
-	// Verify tenant matches
-	if challenge.TenantID != string(tenantID) {
-		s.logger.Warn("Tenant mismatch in login challenge",
-			zap.String("expected", string(tenantID)),
-			zap.String("actual", challenge.TenantID))
-		return nil, ErrTenantMismatch
-	}
-
-	// Parse credential response
-	reader := newCredentialReader(req.Credential)
-	parsedResponse, err := protocol.ParseCredentialRequestResponseBody(reader)
-	if err != nil {
-		s.logger.Error("Failed to parse credential", zap.Error(err))
-		return nil, fmt.Errorf("failed to parse credential: %w", err)
-	}
-
-	// Decode user ID from user handle
-	// The new binary format (v1) doesn't include recoverable tenant ID,
-	// so we validate tenant membership after looking up the user.
-	userHandle := parsedResponse.Response.UserHandle
-	userID, err := domain.UserIDFromHandle(userHandle)
-	if err != nil {
-		// For backward compatibility, try treating the user handle as just a user ID
-		s.logger.Debug("User handle decode failed, treating as legacy user",
-			zap.String("user_handle", string(userHandle)),
-			zap.Error(err))
-		userID = domain.UserIDFromUserHandle(userHandle)
-	}
-
-	// Look up user
-	user, err := s.store.Users().GetByID(ctx, userID)
-	if err != nil {
-		if errors.Is(err, storage.ErrNotFound) {
-			return nil, ErrUserNotFound
-		}
-		return nil, fmt.Errorf("failed to retrieve user: %w", err)
-	}
-
-	// Get the user's actual tenant memberships for redirect support
-	userTenants, err := s.store.UserTenants().GetUserTenants(ctx, userID)
-	if err != nil {
-		s.logger.Warn("Failed to get user tenant memberships", zap.Error(err))
-		userTenants = []domain.TenantID{}
-	}
-
-	// Verify the user is a member of the requested tenant
-	isMember := false
-	for _, tid := range userTenants {
-		if tid == tenantID {
-			isMember = true
-			break
-		}
-	}
-
-	if !isMember {
-		// User is not a member of the requested tenant.
-		// Return a redirect error with the correct tenant if available.
-		s.logger.Warn("User not a member of requested tenant",
-			zap.String("user_id", userID.String()),
-			zap.String("requested_tenant", string(tenantID)),
-			zap.Any("user_tenants", userTenants))
-
-		if len(userTenants) > 0 {
-			// Return redirect error with the user's actual tenant
-			return nil, &TenantRedirectError{
-				CorrectTenantID: userTenants[0],
-				UserID:          userID,
-			}
-		}
-		// User has no tenant memberships - this shouldn't happen normally
-		return nil, ErrTenantMismatch
-	}
-
-	// Find the credential
-	// Encode RawID to base64url to match the format used during credential storage
-	credentialID := base64.RawURLEncoding.EncodeToString(parsedResponse.RawID)
-	var foundCred *domain.WebauthnCredential
-	for i := range user.WebauthnCredentials {
-		if user.WebauthnCredentials[i].ID == credentialID {
-			foundCred = &user.WebauthnCredentials[i]
-			break
-		}
-	}
-
-	if foundCred == nil {
-		return nil, ErrCredentialNotFound
-	}
-
-	// Verify with the correct tenant-scoped user handle
-	waUser := &TenantWebAuthnUser{user: user, userHandle: domain.EncodeUserHandle(tenantID, userID)}
-	sessionData := webauthn.SessionData{
-		Challenge:            challenge.Challenge,
-		RelyingPartyID:       s.cfg.Server.RPID,
-		AllowedCredentialIDs: [][]byte{},
-		Expires:              challenge.ExpiresAt,
-		UserVerification:     protocol.VerificationRequired,
-		// UserID intentionally left empty for discoverable login
-	}
-
-	// Verify credential
-	_, err = s.webauthn.ValidateDiscoverableLogin(func(rawID, userHandle []byte) (webauthn.User, error) {
-		return waUser, nil
-	}, sessionData, parsedResponse)
-
-	if err != nil {
-		s.logger.Error("Failed to verify credential", zap.Error(err))
-		return nil, ErrVerificationFailed
-	}
-
-	// Generate token with tenant_id included for security boundary
-	token, err := s.generateToken(user, tenantID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate token: %w", err)
-	}
-
-	// Clean up challenge
-	_ = s.store.Challenges().Delete(ctx, req.ChallengeID)
-
-	// Get tenant display name for the response
-	var tenantDisplayName string
-	if tenant, err := s.store.Tenants().GetByID(ctx, tenantID); err == nil {
-		tenantDisplayName = tenant.DisplayName
-	}
-
-	s.logger.Info("Completed tenant login",
-		zap.String("user_id", userID.String()),
-		zap.String("tenant_id", string(tenantID)))
-
-	displayName := ""
-	if user.DisplayName != nil {
-		displayName = *user.DisplayName
-	}
-
-	return &FinishLoginResponse{
-		UUID:              userID.String(),
-		Token:             token,
-		DisplayName:       displayName,
-		PrivateData:       user.PrivateData,
-		WebauthnRpId:      s.cfg.Server.RPID,
-		TenantID:          string(tenantID),
-		TenantDisplayName: tenantDisplayName,
-	}, nil
-}
-
 // TenantWebAuthnUser wraps a user with a tenant-scoped user handle
 type TenantWebAuthnUser struct {
 	user       *domain.User