refactor: 移除租户头校验并后置租户解析

src/Api/TakeoutSaaS.AdminApi/Program.cs

@@ -164,10 +164,12 @@ builder.Services.AddCors(options =>
 // 8. 构建应用并配置中间件管道
 var app = builder.Build();
 app.UseCors("AdminApiCors");
-app.UseTenantResolution();
 app.UseRateLimiter();
 app.UseSharedWebCore();
 app.UseAuthentication();
+
+// 8.1 (空行后) 解析租户：在认证后才能读取 Token Claim（tenant_id）
+app.UseTenantResolution();
 app.UseAuthorization();
 if (app.Environment.IsDevelopment())
 {

src/Application/TakeoutSaaS.Application/App/Tenants/Handlers/BindInitialTenantSubscriptionCommandHandler.cs

@@ -9,7 +9,6 @@ using TakeoutSaaS.Domain.Tenants.Repositories;
 using TakeoutSaaS.Shared.Abstractions.Constants;
 using TakeoutSaaS.Shared.Abstractions.Exceptions;
 using TakeoutSaaS.Shared.Abstractions.Ids;
-using TakeoutSaaS.Shared.Abstractions.Tenancy;
 
 namespace TakeoutSaaS.Application.App.Tenants.Handlers;
 
@@ -18,8 +17,7 @@ namespace TakeoutSaaS.Application.App.Tenants.Handlers;
 /// </summary>
 public sealed class BindInitialTenantSubscriptionCommandHandler(
     ITenantRepository tenantRepository,
-    IIdGenerator idGenerator,
-    ITenantProvider tenantProvider)
+    IIdGenerator idGenerator)
     : IRequestHandler<BindInitialTenantSubscriptionCommand, TenantSubscriptionDto>
 {
     private static readonly ConcurrentDictionary<long, SemaphoreSlim> TenantLocks = new();
@@ -27,23 +25,28 @@ public sealed class BindInitialTenantSubscriptionCommandHandler(
     /// <inheritdoc />
     public async Task<TenantSubscriptionDto> Handle(BindInitialTenantSubscriptionCommand request, CancellationToken cancellationToken)
     {
-        // 1. 校验租户上下文
-        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (currentTenantId == 0 || currentTenantId != request.TenantId)
+        // 1. 校验请求参数
+        if (request.TenantId <= 0)
         {
-            throw new BusinessException(ErrorCodes.Forbidden, "租户上下文不匹配，请在请求头 X-Tenant-Id 指定目标租户");
+            throw new BusinessException(ErrorCodes.BadRequest, "租户 ID 无效");
         }
 
-        // 1.2 获取租户级幂等锁，避免并发重复创建
+        // 1.2 (空行后) 校验套餐 ID
+        if (request.TenantPackageId <= 0)
+        {
+            throw new BusinessException(ErrorCodes.BadRequest, "套餐 ID 无效");
+        }
+
+        // 2. 获取租户级幂等锁，避免并发重复创建
         var tenantLock = GetTenantLock(request.TenantId);
         await tenantLock.WaitAsync(cancellationToken);
         try
         {
-            // 2. 获取租户
+            // 3. 获取租户
             var tenant = await tenantRepository.FindByIdAsync(request.TenantId, cancellationToken)
                 ?? throw new BusinessException(ErrorCodes.NotFound, "租户不存在");
 
-            // 3. 幂等校验：若已存在订阅则直接返回
+            // 4. 幂等校验：若已存在订阅则直接返回
             var existing = await tenantRepository.GetActiveSubscriptionAsync(request.TenantId, cancellationToken);
             if (existing is not null)
             {
@@ -51,7 +54,7 @@ public sealed class BindInitialTenantSubscriptionCommandHandler(
                     ?? throw new BusinessException(ErrorCodes.InternalServerError, "订阅读取失败");
             }
 
-            // 4. 创建 0 个月订阅（待支付/待生效）
+            // 5. 创建 0 个月订阅（待支付/待生效）
             var now = DateTime.UtcNow;
             var subscription = new TenantSubscription
             {
@@ -66,7 +69,7 @@ public sealed class BindInitialTenantSubscriptionCommandHandler(
                 Notes = "初次绑定订阅"
             };
 
-            // 5. 记录订阅与历史
+            // 6. 记录订阅与历史
             await tenantRepository.AddSubscriptionAsync(subscription, cancellationToken);
             await tenantRepository.AddSubscriptionHistoryAsync(new TenantSubscriptionHistory
             {
@@ -83,7 +86,7 @@ public sealed class BindInitialTenantSubscriptionCommandHandler(
                 Notes = "初次绑定订阅（0 个月）"
             }, cancellationToken);
 
-            // 6. 记录审计日志
+            // 7. 记录审计日志
             await tenantRepository.AddAuditLogAsync(new TenantAuditLog
             {
                 TenantId = tenant.Id,
@@ -92,16 +95,16 @@ public sealed class BindInitialTenantSubscriptionCommandHandler(
                 Description = $"套餐 {request.TenantPackageId}，时长 0 月"
             }, cancellationToken);
 
-            // 7. 保存变更
+            // 8. 保存变更
             await tenantRepository.SaveChangesAsync(cancellationToken);
 
-            // 8. 返回 DTO
+            // 9. 返回 DTO
             return subscription.ToSubscriptionDto()
                 ?? throw new BusinessException(ErrorCodes.InternalServerError, "订阅绑定失败");
         }
         finally
         {
-            // 9. 释放幂等锁
+            // 10. 释放幂等锁
             tenantLock.Release();
         }
     }

src/Application/TakeoutSaaS.Application/App/Tenants/Handlers/CheckTenantQuotaCommandHandler.cs

@@ -6,7 +6,6 @@ using TakeoutSaaS.Domain.Tenants.Enums;
 using TakeoutSaaS.Domain.Tenants.Repositories;
 using TakeoutSaaS.Shared.Abstractions.Constants;
 using TakeoutSaaS.Shared.Abstractions.Exceptions;
-using TakeoutSaaS.Shared.Abstractions.Tenancy;
 
 namespace TakeoutSaaS.Application.App.Tenants.Handlers;
 
@@ -17,27 +16,25 @@ public sealed class CheckTenantQuotaCommandHandler(
     ITenantRepository tenantRepository,
     ITenantPackageRepository packageRepository,
     ITenantQuotaUsageRepository quotaUsageRepository,
-    ITenantQuotaUsageHistoryRepository quotaUsageHistoryRepository,
-    ITenantProvider tenantProvider)
+    ITenantQuotaUsageHistoryRepository quotaUsageHistoryRepository)
     : IRequestHandler<CheckTenantQuotaCommand, QuotaCheckResultDto>
 {
     /// <inheritdoc />
     public async Task<QuotaCheckResultDto> Handle(CheckTenantQuotaCommand request, CancellationToken cancellationToken)
     {
         // 1. 校验请求参数
+        if (request.TenantId <= 0)
+        {
+            throw new BusinessException(ErrorCodes.BadRequest, "租户 ID 无效");
+        }
+
+        // 1.2 (空行后) 校验消耗量
         if (request.Delta <= 0)
         {
             throw new BusinessException(ErrorCodes.BadRequest, "配额消耗量必须大于 0");
         }
 
-        // 2. 校验租户上下文
-        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (currentTenantId == 0 || currentTenantId != request.TenantId)
-        {
-            throw new BusinessException(ErrorCodes.Forbidden, "租户上下文不匹配，请在请求头 X-Tenant-Id 指定目标租户");
-        }
-
-        // 3. 获取租户与当前订阅
+        // 2. 获取租户与当前订阅
         _ = await tenantRepository.FindByIdAsync(request.TenantId, cancellationToken)
             ?? throw new BusinessException(ErrorCodes.NotFound, "租户不存在");
 
@@ -52,7 +49,7 @@ public sealed class CheckTenantQuotaCommandHandler(
 
         var limit = ResolveLimit(package, request.QuotaType);
 
-        // 4. 加载配额使用记录并计算
+        // 3. 加载配额使用记录并计算
         var usage = await quotaUsageRepository.FindAsync(request.TenantId, request.QuotaType, cancellationToken)
                     ?? new TenantQuotaUsage
                     {
@@ -63,7 +60,7 @@ public sealed class CheckTenantQuotaCommandHandler(
                         ResetCycle = ResolveResetCycle(request.QuotaType)
                     };
 
-        // 4.1 记录是否为首次初始化（用于落库历史）
+        // 3.1 记录是否为首次初始化（用于落库历史）
         var isNewUsage = usage.Id == 0;
 
         var usedAfter = usage.UsedValue + request.Delta;
@@ -74,12 +71,12 @@ public sealed class CheckTenantQuotaCommandHandler(
             throw new BusinessException(ErrorCodes.Conflict, $"{request.QuotaType} 配额不足");
         }
 
-        // 5. 更新使用并保存
+        // 4. 更新使用并保存
         usage.LimitValue = limit ?? usage.LimitValue;
         usage.UsedValue = usedAfter;
         usage.ResetCycle ??= ResolveResetCycle(request.QuotaType);
 
-        // 5.1 落库历史（初始化 + 本次消耗）
+        // 4.1 落库历史（初始化 + 本次消耗）
         var now = DateTime.UtcNow;
         if (isNewUsage)
         {
@@ -109,7 +106,7 @@ public sealed class CheckTenantQuotaCommandHandler(
 
         await PersistUsageAsync(usage, quotaUsageRepository, cancellationToken);
 
-        // 6. 返回结果
+        // 5. 返回结果
         return new QuotaCheckResultDto
         {
             QuotaType = request.QuotaType,