npm - @lenne.tech/nest-server - Versions diffs - 11.20.1 → 11.21.1 - Mend

@lenne.tech/nest-server 11.20.1 → 11.21.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/src/core/modules/tenant/core-tenant.guard.ts ADDED Viewed

@@ -0,0 +1,441 @@
+import { CanActivate, ExecutionContext, ForbiddenException, Injectable, Logger, OnModuleDestroy } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { GqlContextType, GqlExecutionContext } from '@nestjs/graphql';
+import { InjectModel } from '@nestjs/mongoose';
+import { Model } from 'mongoose';
+import { RoleEnum } from '../../common/enums/role.enum';
+import { ConfigService } from '../../common/services/config.service';
+import { CoreTenantMemberModel } from './core-tenant-member.model';
+import { SKIP_TENANT_CHECK_KEY } from './core-tenant.decorators';
+import { TENANT_MEMBER_MODEL_TOKEN, TenantMemberStatus } from './core-tenant.enums';
+import {
+  checkRoleAccess,
+  getMinRequiredLevel,
+  getRoleHierarchy,
+  isSystemRole,
+  mergeRolesMetadata,
+} from './core-tenant.helpers';
+/**
+ * Cached membership entry with TTL
+ */
+interface CachedMembership {
+  expiresAt: number;
+  result: CoreTenantMemberModel | null;
+}
+/**
+ * Cached tenant IDs entry with TTL
+ */
+interface CachedTenantIds {
+  expiresAt: number;
+  ids: string[];
+}
+/**
+ * Global guard for multi-tenancy with defense-in-depth security.
+ *
+ * Only registered as APP_GUARD when multiTenancy is active.
+ * Runs after auth guards to validate tenant membership and role access.
+ *
+ * This guard is responsible for ALL non-system role checks when multiTenancy is active.
+ * RolesGuard passes through non-system roles to this guard.
+ *
+ * Security model:
+ * - Guard level: Membership validation, admin bypass, role checks (hierarchy + normal)
+ * - Plugin level: Safety net — ForbiddenException when tenantId-schema accessed without context
+ *
+ * Role check semantics:
+ * - Hierarchy roles (in roleHierarchy config): level comparison — higher includes lower
+ * - Normal roles (not in roleHierarchy): exact match — no compensation by higher role
+ * - Tenant context (header present): checks against membership.role only (user.roles ignored)
+ * - No tenant context: checks against user.roles
+ *
+ * Flow:
+ * 1. Config check: multiTenancy enabled?
+ * 2. Parse header (X-Tenant-Id, max 128 chars, trimmed)
+ * 3. @SkipTenantCheck → role check against user.roles, no tenant context
+ * 4. Read @Roles() metadata, filter out system roles
+ *
+ * HEADER PRESENT:
+ *   - System ADMIN (adminBypass: true) → set req.tenantId + isAdminBypass
+ *   - No user → 403 "Authentication required for tenant access"
+ *   - Authenticated non-admin user:
+ *     - Active member → checkRoleAccess against membership.role → set req.tenantId + tenantRole
+ *     - Not active member → ALWAYS 403
+ *
+ * NO HEADER:
+ *   - System ADMIN → set isAdminBypass (sees all data)
+ *   - Authenticated + checkable roles → checkRoleAccess against user.roles
+ *     → resolveUserTenantIds with minLevel filter
+ *   - Authenticated + no checkable roles → resolveUserTenantIds (all memberships)
+ *   - No user + no checkable roles → pass (plugin safety net catches tenantId-schema access)
+ *   - No user + checkable roles → 403 "Authentication required"
+ */
+@Injectable()
+export class CoreTenantGuard implements CanActivate, OnModuleDestroy {
+  private readonly logger = new Logger(CoreTenantGuard.name);
+  /**
+   * In-memory TTL cache for membership lookups.
+   * Key: `${userId}:${tenantId}`, Value: cached membership result with expiry.
+   * Eliminates repeated DB queries for the same user+tenant combination.
+   */
+  private readonly membershipCache = new Map<string, CachedMembership>();
+  /**
+   * In-memory TTL cache for tenant ID resolution (no-header path).
+   * Key: `${userId}` or `${userId}:${minLevel}`, Value: cached tenant IDs with expiry.
+   */
+  private readonly tenantIdsCache = new Map<string, CachedTenantIds>();
+  /** Cache TTL in milliseconds. Configurable via multiTenancy.cacheTtlMs (default: 30s, 0 = disabled) */
+  private cacheTtlMs: number = 30_000;
+  /** Maximum cache entries before eviction */
+  private static readonly MAX_CACHE_SIZE = 500;
+  /** Cleanup interval handle */
+  private cleanupInterval: NodeJS.Timeout | null = null;
+  /** Tracks the last seen config reference to detect config changes (e.g., roleHierarchy) */
+  private lastSeenConfig: object | null = null;
+  constructor(
+    private readonly reflector: Reflector,
+    @InjectModel(TENANT_MEMBER_MODEL_TOKEN) private readonly memberModel: Model<CoreTenantMemberModel>,
+  ) {
+    // Clean up expired cache entries every 60 seconds
+    this.cleanupInterval = setInterval(() => this.evictExpired(), 60_000);
+    if (this.cleanupInterval.unref) {
+      this.cleanupInterval.unref();
+    }
+  }
+  onModuleDestroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+    this.membershipCache.clear();
+    this.tenantIdsCache.clear();
+  }
+  /**
+   * Invalidate all cache entries for a specific user.
+   * Call this when memberships change (add/remove/update).
+   *
+   * Note: userId must not contain ':' characters (used as cache key delimiter).
+   * MongoDB ObjectIds and standard UUID formats are safe.
+   *
+   * @param userId - The user ID whose cache entries should be invalidated
+   */
+  invalidateUser(userId: string): void {
+    for (const key of this.membershipCache.keys()) {
+      if (key.startsWith(`${userId}:`)) {
+        this.membershipCache.delete(key);
+      }
+    }
+    for (const key of this.tenantIdsCache.keys()) {
+      if (key === userId || key.startsWith(`${userId}:`)) {
+        this.tenantIdsCache.delete(key);
+      }
+    }
+  }
+  /**
+   * Clear all cache entries.
+   * Useful when configuration changes (e.g., roleHierarchy) or for testing.
+   */
+  invalidateAll(): void {
+    this.membershipCache.clear();
+    this.tenantIdsCache.clear();
+  }
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const config = ConfigService.configFastButReadOnly?.multiTenancy;
+    if (!config || config.enabled === false) {
+      return true;
+    }
+    // Detect config changes (e.g., roleHierarchy modified in tests) and flush caches
+    if (this.lastSeenConfig !== config) {
+      this.lastSeenConfig = config;
+      // Default 30s in production, 0 (disabled) in test environments to avoid stale data between test cases
+      const isTestEnv =
+        process.env.VITEST === 'true' || process.env.NODE_ENV === 'test' || process.env.NODE_ENV === 'e2e';
+      this.cacheTtlMs = config.cacheTtlMs ?? (isTestEnv ? 0 : 30_000);
+      this.invalidateAll();
+    }
+    const request = this.getRequest(context);
+    if (!request) {
+      return true;
+    }
+    // Parse tenant header
+    const headerName = (config.headerName ?? 'x-tenant-id').toLowerCase();
+    const rawHeader = request.headers?.[headerName] as string | undefined;
+    const headerTenantId =
+      rawHeader && typeof rawHeader === 'string' && rawHeader.length <= 128 ? rawHeader.trim() : undefined;
+    // Read @Roles() metadata and filter to non-system roles
+    const rolesMetadata = this.reflector.getAll<string[][]>('roles', [context.getHandler(), context.getClass()]);
+    const roles = mergeRolesMetadata(rolesMetadata);
+    const user = request.user;
+    const adminBypass = config.adminBypass !== false;
+    const isAdmin = adminBypass && user?.roles?.includes(RoleEnum.ADMIN);
+    // Filter to checkable (non-system) roles only when needed (avoids array allocation on fast paths)
+    const hasNonSystemRoles = roles.some((r) => !isSystemRole(r));
+    const checkableRoles = hasNonSystemRoles ? roles.filter((r) => !isSystemRole(r)) : [];
+    const minRequiredLevel = checkableRoles.length > 0 ? getMinRequiredLevel(checkableRoles) : undefined;
+    // @SkipTenantCheck → no tenant context, but role check against user.roles
+    const skipTenantCheck = this.reflector.getAllAndOverride<boolean>(SKIP_TENANT_CHECK_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (skipTenantCheck) {
+      if (checkableRoles.length > 0 && user) {
+        if (!isAdmin && !checkRoleAccess(checkableRoles, user.roles, undefined)) {
+          throw new ForbiddenException('Insufficient role');
+        }
+      }
+      return true;
+    }
+    // === HEADER PRESENT ===
+    if (headerTenantId) {
+      // Admin bypass: set req.tenantId so plugin filters (read by RequestContextMiddleware
+      // lazy getter → context.tenantId, also consumed by @CurrentTenant() via RequestContext)
+      if (isAdmin) {
+        request.tenantId = headerTenantId;
+        request.isAdminBypass = true;
+        const requiredRole = checkableRoles.length > 0 ? checkableRoles.join(',') : 'none';
+        this.logger.log(`Admin bypass: user ${user.id} accessing tenant ${headerTenantId} (required: ${requiredRole})`);
+        return true;
+      }
+      // No user + header → 403 (tenant access requires authentication)
+      if (!user) {
+        throw new ForbiddenException('Authentication required for tenant access');
+      }
+      // Authenticated non-admin user: MUST be active member
+      const membership = await this.findMembershipCached(user.id, headerTenantId);
+      if (!membership) {
+        throw new ForbiddenException('Not a member of this tenant');
+      }
+      const memberRole = membership.role as string;
+      // Check role access if roles are required (hierarchy + normal, against membership.role)
+      if (checkableRoles.length > 0) {
+        if (!checkRoleAccess(checkableRoles, undefined, memberRole)) {
+          throw new ForbiddenException('Insufficient tenant role');
+        }
+      }
+      // Set validated tenant context on request (consumed by RequestContextMiddleware
+      // lazy getter → context.tenantId / context.tenantRole, and by @CurrentTenant() via RequestContext)
+      request.tenantId = headerTenantId;
+      request.tenantRole = memberRole;
+      return true;
+    }
+    // === NO HEADER ===
+    // Admin without header → sees all data
+    if (isAdmin) {
+      request.isAdminBypass = true;
+      return true;
+    }
+    // Checkable roles present
+    if (checkableRoles.length > 0) {
+      // No user + roles required → 403
+      if (!user) {
+        throw new ForbiddenException('Authentication required');
+      }
+      // Check role access against user.roles (hierarchy: level comparison, normal: exact match)
+      if (!checkRoleAccess(checkableRoles, user.roles, undefined)) {
+        throw new ForbiddenException('Insufficient role');
+      }
+      // Resolve tenant IDs filtered by minimum required hierarchy level
+      await this.resolveUserTenantIds(request, minRequiredLevel);
+      return true;
+    }
+    // Authenticated user without header and no checkable roles: resolve their tenant memberships
+    // so the plugin can filter by { tenantId: { $in: tenantIds } }
+    if (user) {
+      await this.resolveUserTenantIds(request);
+    }
+    return true;
+  }
+  /**
+   * Look up all active tenant memberships for the user and store them on the request.
+   * This allows the tenant plugin to filter by { tenantId: { $in: tenantIds } }
+   * when no specific tenant header is set.
+   *
+   * Uses a process-level TTL cache to avoid repeated DB queries for the same user.
+   *
+   * @param minLevel - When set, only include memberships where role level >= minLevel
+   */
+  private async resolveUserTenantIds(request: any, minLevel?: number): Promise<void> {
+    // Skip if already resolved on this request
+    if (request.tenantIds) {
+      return;
+    }
+    const userId = request.user.id;
+    const ttl = this.cacheTtlMs;
+    // When cache is enabled, check process-level cache
+    if (ttl > 0) {
+      const cacheKey = minLevel !== undefined ? `${userId}:${minLevel}` : userId;
+      const now = Date.now();
+      const cached = this.tenantIdsCache.get(cacheKey);
+      if (cached && now < cached.expiresAt) {
+        request.tenantIds = cached.ids;
+        return;
+      }
+    }
+    const memberships = await this.memberModel
+      .find({
+        status: TenantMemberStatus.ACTIVE,
+        user: userId,
+      })
+      .select('tenant role')
+      .lean()
+      .exec();
+    let ids: string[];
+    if (minLevel !== undefined) {
+      const hierarchy = getRoleHierarchy();
+      ids = memberships
+        .filter((m) => {
+          const level = hierarchy[m.role as string] ?? 0;
+          return level >= minLevel;
+        })
+        .map((m) => m.tenant as string);
+    } else {
+      ids = memberships.map((m) => m.tenant as string);
+    }
+    request.tenantIds = ids;
+    // Store in process-level cache when enabled
+    if (ttl > 0) {
+      const cacheKey = minLevel !== undefined ? `${userId}:${minLevel}` : userId;
+      this.evictIfOverCapacity(this.tenantIdsCache);
+      this.tenantIdsCache.set(cacheKey, { expiresAt: Date.now() + ttl, ids });
+    }
+  }
+  /**
+   * Extract request from GraphQL or HTTP context
+   */
+  private getRequest(context: ExecutionContext): any {
+    if (context.getType<GqlContextType>() === 'graphql') {
+      const ctx = GqlExecutionContext.create(context);
+      return ctx.getContext()?.req;
+    }
+    try {
+      return context.switchToHttp().getRequest();
+    } catch {
+      return null;
+    }
+  }
+  // ===================================================================================================================
+  // Cache helpers
+  // ===================================================================================================================
+  /**
+   * Look up a membership with process-level TTL cache.
+   * Avoids repeated DB queries when the same user accesses the same tenant repeatedly.
+   */
+  private async findMembershipCached(userId: string, tenantId: string): Promise<CoreTenantMemberModel | null> {
+    const ttl = this.cacheTtlMs;
+    // Cache disabled (ttl = 0): always query DB
+    if (ttl <= 0) {
+      return this.memberModel
+        .findOne({ status: TenantMemberStatus.ACTIVE, tenant: tenantId, user: userId })
+        .lean()
+        .exec() as Promise<CoreTenantMemberModel | null>;
+    }
+    const key = `${userId}:${tenantId}`;
+    const now = Date.now();
+    const cached = this.membershipCache.get(key);
+    if (cached && now < cached.expiresAt) {
+      return cached.result;
+    }
+    const result = (await this.memberModel
+      .findOne({
+        status: TenantMemberStatus.ACTIVE,
+        tenant: tenantId,
+        user: userId,
+      })
+      .lean()
+      .exec()) as CoreTenantMemberModel | null;
+    // Only cache positive results (active membership found).
+    // Negative results (null) are NOT cached to ensure that:
+    // - Newly added members are recognized immediately
+    // - Removed memberships lead to immediate denial
+    if (result) {
+      this.evictIfOverCapacity(this.membershipCache);
+      this.membershipCache.set(key, { expiresAt: now + ttl, result });
+    } else {
+      // Ensure stale positive cache entries are removed
+      this.membershipCache.delete(key);
+    }
+    return result;
+  }
+  /**
+   * Evict the oldest entry if the cache exceeds MAX_CACHE_SIZE.
+   * Uses a simple FIFO strategy (Map insertion order).
+   */
+  private evictIfOverCapacity<T>(cache: Map<string, T>): void {
+    if (cache.size >= CoreTenantGuard.MAX_CACHE_SIZE) {
+      // Delete first 10% to avoid evicting on every insert
+      const deleteCount = Math.max(1, Math.floor(CoreTenantGuard.MAX_CACHE_SIZE * 0.1));
+      let deleted = 0;
+      for (const key of cache.keys()) {
+        if (deleted >= deleteCount) break;
+        cache.delete(key);
+        deleted++;
+      }
+    }
+  }
+  /**
+   * Remove all expired entries from both caches.
+   * Called periodically by the cleanup interval.
+   */
+  private evictExpired(): void {
+    const now = Date.now();
+    for (const [key, entry] of this.membershipCache.entries()) {
+      if (now >= entry.expiresAt) {
+        this.membershipCache.delete(key);
+      }
+    }
+    for (const [key, entry] of this.tenantIdsCache.entries()) {
+      if (now >= entry.expiresAt) {
+        this.tenantIdsCache.delete(key);
+      }
+    }
+  }
+}

package/src/core/modules/tenant/core-tenant.helpers.ts ADDED Viewed

@@ -0,0 +1,103 @@
+import { ConfigService } from '../../common/services/config.service';
+import { DEFAULT_ROLE_HIERARCHY } from './core-tenant.enums';
+const SYSTEM_ROLE_PREFIX = 's_';
+/**
+ * Merge handler-level and class-level @Roles() metadata arrays into a single flat array.
+ * Used by RolesGuard, BetterAuthRolesGuard, and CoreTenantGuard to avoid code duplication.
+ *
+ * @param meta - Two-element tuple [handlerRoles, classRoles] from Reflector.getAll or Reflect.getMetadata
+ */
+export function mergeRolesMetadata(meta: (string[] | undefined)[]): string[] {
+  return meta[0] ? (meta[1] ? [...meta[0], ...meta[1]] : meta[0]) : meta[1] || [];
+}
+/**
+ * Get the configured role hierarchy or the default.
+ */
+export function getRoleHierarchy(): Record<string, number> {
+  return ConfigService.configFastButReadOnly?.multiTenancy?.roleHierarchy ?? DEFAULT_ROLE_HIERARCHY;
+}
+/**
+ * Check if a role is a system role (S_USER, S_EVERYONE, etc.).
+ * System roles are handled by RolesGuard, not CoreTenantGuard.
+ */
+export function isSystemRole(role: string): boolean {
+  return role.startsWith(SYSTEM_ROLE_PREFIX);
+}
+/**
+ * Check if multiTenancy is configured and enabled.
+ */
+export function isMultiTenancyActive(): boolean {
+  const config = ConfigService.configFastButReadOnly?.multiTenancy;
+  return !!config && config.enabled !== false;
+}
+/**
+ * Check if a role is a hierarchy role (present in the configured role hierarchy).
+ * Returns false when multiTenancy is disabled to avoid false positives.
+ */
+export function isHierarchyRole(role: string): boolean {
+  if (!isMultiTenancyActive()) return false;
+  const hierarchy = getRoleHierarchy();
+  return role in hierarchy;
+}
+/**
+ * Get the minimum required level from a set of roles.
+ * Only considers roles that exist in the hierarchy.
+ * Returns undefined if no hierarchy roles found.
+ */
+export function getMinRequiredLevel(roles: string[]): number | undefined {
+  const hierarchy = getRoleHierarchy();
+  const levels = roles.filter((r) => r in hierarchy).map((r) => hierarchy[r]);
+  if (levels.length === 0) return undefined;
+  return Math.min(...levels);
+}
+/**
+ * Unified role access check for both tenant and non-tenant context.
+ * Handles hierarchy roles (level comparison) AND normal roles (exact match).
+ *
+ * @param requiredRoles - roles from @Roles/@Restricted (system roles should be filtered out by caller)
+ * @param userRoles - user.roles array (used when no tenantRole)
+ * @param tenantRole - membership.role (used when tenant context active)
+ *
+ * When tenantRole is set: checks against [tenantRole] (tenant overrides user.roles)
+ * When no tenantRole: checks against userRoles
+ *
+ * Hierarchy roles → level comparison (higher includes lower)
+ * Normal roles → exact match (no compensation by higher role)
+ *
+ * OR semantics: any match (hierarchy OR normal) is sufficient.
+ */
+export function checkRoleAccess(requiredRoles: string[], userRoles?: string[], tenantRole?: string): boolean {
+  const availableRoles = tenantRole ? [tenantRole] : (userRoles ?? []);
+  if (availableRoles.length === 0) return false;
+  // When multiTenancy is disabled, treat all roles as normal (exact match only)
+  const multiTenancyActive = isMultiTenancyActive();
+  const hierarchy = multiTenancyActive ? getRoleHierarchy() : {};
+  const hierarchyRequired = requiredRoles.filter((r) => r in hierarchy);
+  const nonHierarchyRequired = requiredRoles.filter((r) => !(r in hierarchy));
+  if (hierarchyRequired.length === 0 && nonHierarchyRequired.length === 0) return true;
+  // OR semantics: any category match is sufficient
+  // Hierarchy roles: level comparison (higher includes lower)
+  if (hierarchyRequired.length > 0) {
+    const minRequired = Math.min(...hierarchyRequired.map((r) => hierarchy[r]));
+    if (availableRoles.some((r) => r in hierarchy && hierarchy[r] >= minRequired)) return true;
+  }
+  // Non-hierarchy roles: exact match
+  if (nonHierarchyRequired.length > 0) {
+    if (nonHierarchyRequired.some((r) => availableRoles.includes(r))) return true;
+  }
+  return false;
+}

package/src/core/modules/tenant/core-tenant.module.ts ADDED Viewed

@@ -0,0 +1,102 @@
+import { CanActivate, DynamicModule, Global, Module, Type } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { MongooseModule, SchemaFactory, getModelToken } from '@nestjs/mongoose';
+import { Model } from 'mongoose';
+import { CoreTenantMemberModel } from './core-tenant-member.model';
+import { TENANT_MEMBER_MODEL_TOKEN } from './core-tenant.enums';
+import { CoreTenantGuard } from './core-tenant.guard';
+import { CoreTenantService } from './core-tenant.service';
+/**
+ * Options for CoreTenantModule.forRoot().
+ *
+ * Projects using auto-registration via `multiTenancy: {}` get default implementations.
+ * For custom model/guard/service, use `CoreTenantModule.forRoot({ ... })` directly
+ * in your ServerModule instead of auto-registration.
+ */
+export interface CoreTenantModuleOptions {
+  /** Custom TenantMember model class (must extend CoreTenantMemberModel) */
+  memberModel?: Type<CoreTenantMemberModel>;
+  /** Custom guard class (must implement CanActivate) */
+  guard?: Type<CanActivate>;
+  /** Custom service class (must extend CoreTenantService) */
+  service?: Type<CoreTenantService>;
+  /**
+   * Mongoose model name for the membership collection.
+   * Defaults to 'TenantMember'. When changed, an alias is created so that
+   * @InjectModel('TenantMember') continues to work in guard and service.
+   * @default 'TenantMember'
+   */
+  modelName?: string;
+}
+/**
+ * Core tenant module for multi-tenancy support.
+ *
+ * Provides:
+ * - TenantMember model (user <-> tenant membership with roles)
+ * - CoreTenantGuard (APP_GUARD for X-Tenant-Id header validation)
+ * - CoreTenantService (membership CRUD operations)
+ *
+ * Projects can extend via the Module Inheritance Pattern by passing custom
+ * model, guard, or service classes to forRoot().
+ *
+ * @example
+ * ```typescript
+ * // Auto-registration via CoreModule config
+ * CoreModule.forRoot({ multiTenancy: {} })
+ *
+ * // Manual registration with custom service
+ * CoreTenantModule.forRoot({ service: CustomTenantService })
+ *
+ * // Custom model name (config.multiTenancy.membershipModel)
+ * CoreTenantModule.forRoot({ modelName: 'OrgMember' })
+ * ```
+ */
+@Global()
+@Module({})
+export class CoreTenantModule {
+  static forRoot(options: CoreTenantModuleOptions = {}): DynamicModule {
+    const MemberModel = options.memberModel || CoreTenantMemberModel;
+    const Guard = options.guard || CoreTenantGuard;
+    const Service = options.service || CoreTenantService;
+    const modelName = options.modelName || TENANT_MEMBER_MODEL_TOKEN;
+    const memberSchema = SchemaFactory.createForClass(MemberModel);
+    // Compound unique index: one membership per user per tenant
+    memberSchema.index({ user: 1, tenant: 1 }, { unique: true });
+    // Compound index for per-request membership lookups (index-covered query)
+    memberSchema.index({ user: 1, tenant: 1, status: 1 });
+    const providers: any[] = [
+      {
+        provide: CoreTenantService,
+        useClass: Service,
+      },
+      {
+        provide: APP_GUARD,
+        useClass: Guard,
+      },
+    ];
+    // When a custom model name is used, alias the default injection token to the custom model.
+    // This allows @InjectModel(TENANT_MEMBER_MODEL_TOKEN) in guard/service to continue working.
+    if (modelName !== TENANT_MEMBER_MODEL_TOKEN) {
+      providers.push({
+        provide: getModelToken(TENANT_MEMBER_MODEL_TOKEN),
+        useFactory: (model: Model<any>) => model,
+        inject: [getModelToken(modelName)],
+      });
+    }
+    return {
+      exports: [CoreTenantService],
+      global: true,
+      imports: [MongooseModule.forFeature([{ name: modelName, schema: memberSchema }])],
+      module: CoreTenantModule,
+      providers,
+    };
+  }
+}