Middleware that resolves the authenticated user's workspace
and role, injecting req.workspaceId and req.userRole on every request.
Must run AFTER requireAuth (which sets req.authUser).
Resolution strategy
The JWT contains workspaceId as a hint for which workspace the user last
used. The role is always resolved from the database so that permission
changes (promote / demote / remove) take effect immediately — not after the
JWT expires. This follows the Slack / GitHub model: identity in the token,
authorization from the DB.
If the user has no workspace membership at all, the middleware responds with 403 and does not call next().
Example
import { workspaceScope } from "../middleware/workspaceScope.js";
app.use("/api/projects", requireAuth, workspaceScope, projectsRouter);
Methods
(static) workspaceScope()
Express middleware that injects workspace context onto the request.
Sets:
req.workspaceId - The active workspace ID.
req.userRole - The user's role in that workspace ('admin' | 'qa_lead' | 'viewer').
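The following is an added example, not the project's own workspaceScope, showing one way to implement the resolution strategy described above: the JWT's workspaceId is treated only as a hint, the role is always read from a membership lookup, and a user with no membership gets 403. The membership rows, the findMembership lookup, the lookup parameter on the factory and the runScope harness are constructed for this example and are assumptions about the project's data model, not its API.

```javascript
// Added example (not the project's own workspaceScope): a minimal
// implementation of the strategy described above. The membership rows,
// the findMembership lookup and the runScope harness are constructed
// for this example and are assumptions, not the project's API.

const ROLES = new Set(["admin", "qa_lead", "viewer"]);

// Constructed sample rows standing in for the memberships table.
const MEMBERSHIPS = [
  { userId: "u1", workspaceId: "ws-a", role: "admin" },
  { userId: "u1", workspaceId: "ws-b", role: "viewer" },
  { userId: "u2", workspaceId: "ws-b", role: "qa_lead" },
];

// Stand-in for the database query. The JWT's workspaceId is only a hint:
// if the hint is missing, or the user has since been removed from that
// workspace, fall back to any workspace the user still belongs to.
async function findMembership(userId, hintedWorkspaceId) {
  if (hintedWorkspaceId) {
    const hit = MEMBERSHIPS.find(
      (m) => m.userId === userId && m.workspaceId === hintedWorkspaceId
    );
    if (hit) return hit;
  }
  return MEMBERSHIPS.find((m) => m.userId === userId) || null;
}

// Factory so the lookup can be swapped (real DB client vs. the stand-in above).
function workspaceScope(lookup = findMembership) {
  return async function scope(req, res, next) {
    // Mounted before requireAuth: refuse rather than proceed unscoped.
    if (!req.authUser) {
      return res.status(500).json({ error: "workspaceScope must run after requireAuth" });
    }
    const { id: userId, workspaceId: hint } = req.authUser;
    let membership;
    try {
      membership = await lookup(userId, hint);
    } catch (err) {
      return next(err);
    }
    // No membership anywhere (or an unknown role value): 403, never a default role.
    if (!membership || !ROLES.has(membership.role)) {
      return res.status(403).json({ error: "no workspace membership" });
    }
    // Role comes from the DB row, never from a claim in the token.
    req.workspaceId = membership.workspaceId;
    req.userRole = membership.role;
    return next();
  };
}

// Tiny harness: drives the middleware with a constructed req/res without Express.
async function runScope(authUser, lookup) {
  const req = authUser ? { authUser } : {};
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let nextCalled = false;
  let nextError;
  await workspaceScope(lookup)(req, res, (err) => { nextCalled = true; nextError = err; });
  return { req, res, nextCalled, nextError };
}
```

Driving runScope with an authUser whose token claims role 'admin' for ws-b still yields req.userRole 'viewer', because the role is taken from the membership row; a stale hint falls back to another membership, and a user with none is refused with 403 before next() runs.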