From e9a7f16288d9c9a8253a7d62a97f30040160fdb4 Mon Sep 17 00:00:00 2001 From: Nikhil Sinha Date: Wed, 1 Jul 2026 09:15:33 +0700 Subject: [PATCH] fix: api key security risk add tenant id to the header when sent in the request otherwise server treats this as default tenant --- src/handlers/http/middleware.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/handlers/http/middleware.rs b/src/handlers/http/middleware.rs index 73ad3fca4..6dbb93f25 100644 --- a/src/handlers/http/middleware.rs +++ b/src/handlers/http/middleware.rs @@ -186,6 +186,10 @@ where permissions, &user.tenant, ); + req.headers_mut().insert( + HeaderName::from_static(TENANT_ID), + HeaderValue::from_str(tenant).unwrap(), + ); req.extensions_mut().insert(session_key); Some(session_id) }