WEB-579: make API gateway tenant header name configurable

[deepaksoni47]

Description

Make the API Gateway (Mifos Endpoint) tenant header name configurable so different deployments (or API gateways) can use a custom header name without code changes.

• Add apiGatewayHeaderName to runtime environment defaults (default: Fineract-Platform-TenantId).
• Update TokenInterceptor to read environment.apiGatewayHeaderName and use it when setting the tenant header on outgoing requests.
• Preserve existing behavior by default to remain backward compatible with tests and deployments.

Related issues and discussion

WEB-579

Deployment / Ops notes

• To override the header name at runtime set apiGatewayHeaderName in your window.env or deployment environment (same mechanism used for other loadedEnv values).
• No DB or backend migration required.

Screenshots, if any

N/A

Checklist

• If you have multiple commits please combine them into one commit by squashing them.

• Read and understood the contribution guidelines at web-app/.github/CONTRIBUTING.md.

Summary by CodeRabbit

• Chores
  • Made the API gateway tenant header name configurable via environment with validation and a safe default, and ensured the app consistently uses this configured header.
  • Explicitly typed the environment configuration to include the new setting.
  • Minor cleanup: tenant selector trimming/filtering improved for more reliable display.

[coderabbitai]

Warning

Rate limit exceeded

@deepaksoni47 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 25 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6e6261ca-3957-4c6c-88e7-958b59d22427

📥 Commits

Reviewing files that changed from the base of the PR and between cdc932e and d951450.

📒 Files selected for processing (4)

• src/app/login/login.component.ts
• src/app/zitadel/token.interceptor.ts
• src/environments/environment.prod.ts
• src/environments/environment.ts

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key(s) in object: 'pre_merge_checks'

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Walkthrough

The PR exposes the API gateway tenant header name as a validated apiGatewayHeaderName environment property (with fallback), types the environment exports, and updates TokenInterceptor to use this dynamic header key in normal and 401-retry request flows; a minor tenant normalization typing change in the login component is included.

Changes

API Gateway Header Configuration

Layer / File(s)	Summary
Environment (dev) configuration src/environments/environment.ts	Normalize/validate window.env.apiGatewayHeaderName, add IEnvironment, and add typed apiGatewayHeaderName to the exported environment.
Environment (prod) configuration src/environments/environment.prod.ts	Same normalization/validation and apiGatewayHeaderName addition for production environment export, typed via IEnvironment.
Token interceptor header usage src/app/zitadel/token.interceptor.ts	Add FINERACT_TENANT_HEADER_NAME derived from environment.apiGatewayHeaderName and use it when building request headers and when retrying after 401 responses.
Login tenant normalization src/app/login/login.component.ts	Explicitly type tenant ID parameter in map/filter calls during tenant selector visibility calculation.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers:

• IOhacker

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'WEB-579: make API gateway tenant header name configurable' accurately summarizes the main change: making the API gateway tenant header name configurable rather than hardcoded.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/environments/environment.ts`:
- Line 157: Validate and normalize loadedEnv.apiGatewayHeaderName before
assigning to apiGatewayHeaderName: trim whitespace, ensure it is non-empty and
matches a safe HTTP header token pattern (e.g., allowed token characters), and
if validation fails fall back to the default 'Fineract-Platform-TenantId'.
Update the code that sets apiGatewayHeaderName (referencing
loadedEnv.apiGatewayHeaderName and the apiGatewayHeaderName export) to perform
this sanitize/validate step and use the default when the runtime value is
invalid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1bd7c68c-5884-40d8-bbb8-e2daad564cbc

📥 Commits

Reviewing files that changed from the base of the PR and between ffde440 and 93d08a8.

📒 Files selected for processing (2)

• src/app/zitadel/token.interceptor.ts
• src/environments/environment.ts

[IOhacker]

Could you please elaborate a use case? The API Gateways can do any header change. In fact the sanbox is using an API Gateway.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/environments/environment.prod.ts`:
- Around line 27-32: The IEnvironment declaration currently uses a permissive
index signature ([key: string]: any) which disables type checking; remove that
index signature and either (a) explicitly declare all expected environment
properties with proper types in the IEnvironment interface (e.g.,
apiGatewayHeaderName: string, other keys present on environment) or (b) replace
the any index with a safer type (e.g., Record<string, unknown> or unknown) so
consumers keep type safety; update the IEnvironment interface and ensure the
exported environment object matches those explicit fields (or use object-literal
inference without the index signature).

In `@src/environments/environment.ts`:
- Around line 30-35: The IEnvironment interface currently includes a wide index
signature ([key: string]: any) which disables type checking for environment
properties; remove that index signature from IEnvironment and either (a) declare
explicit, typed properties you expect (e.g., apiGatewayHeaderName: string and
any other known keys) or (b) drop the explicit IEnvironment annotation and let
the exported environment constant infer its shape from the object literal,
ensuring apiGatewayHeaderName and other fields have concrete types instead of
any.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c3c2f7a6-34e1-4e2c-9ee6-e95c18a59329

📥 Commits

Reviewing files that changed from the base of the PR and between 93d08a8 and cdc932e.

📒 Files selected for processing (4)

• src/app/login/login.component.ts
• src/app/zitadel/token.interceptor.ts
• src/environments/environment.prod.ts
• src/environments/environment.ts

✅ Files skipped from review due to trivial changes (1)

• src/app/login/login.component.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/app/zitadel/token.interceptor.ts

[deepaksoni47]

Could you please elaborate a use case? The API Gateways can do any header change. In fact the sanbox is using an API Gateway.

Thanks — good point.

The header we send is still the Fineract tenant header (Fineract-Platform-TenantId by default). We made its name configurable at runtime so deployments behind gateways/reverse proxies can use different tenant headers (X-Tenant-Id, X-Client-Tenant, etc.) without rebuilding the frontend or adding extra gateway translation rules.

This helps with multi-tenant routing, legacy gateway requirements, and QA/staging environments that already expect different header names.

I also renamed the in-code constant to FINERACT_TENANT_HEADER_NAME to make the intent clearer while keeping the runtime env key for backward compatibility.

[IOhacker]

Those actions are done by a API Gateway. I think this ticket should be closed. I will open a new one, because it is missing in Mifos WebApp the header for the API Key or Subscription Key. El mar, 12 may 2026 a las 14:42, Deepak soni ***@***.***>) escribió:

…

*deepaksoni47* left a comment (openMF/web-app#3573) <#3573 (comment)> Could you please elaborate a use case? The API Gateways can do any header change. In fact the sanbox is using an API Gateway. Thanks — good point. The header we send is still the Fineract tenant header ( Fineract-Platform-TenantId by default). We made its *name* configurable at runtime so deployments behind gateways/reverse proxies can use different tenant headers (X-Tenant-Id, X-Client-Tenant, etc.) without rebuilding the frontend or adding extra gateway translation rules. This helps with multi-tenant routing, legacy gateway requirements, and QA/staging environments that already expect different header names. I also renamed the in-code constant to FINERACT_TENANT_HEADER_NAME to make the intent clearer while keeping the runtime env key for backward compatibility. — Reply to this email directly, view it on GitHub <#3573 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALD2ZAVO2PXVJWGZ4ESSY3L42OEC3AVCNFSM6AAAAACY2ILTACVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DIMZUGYYTINBYGU> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.***>

[deepaksoni47]

Understood, thanks for the clarification. The intention was mainly to reduce deployment-specific gateway translation rules while keeping the default behavior unchanged.

Thanks also for pointing out the API Key / Subscription Key header support gap.

[IOhacker]

As I have mentioned before, it is already done. And it is a header required by Apache Fineract, check the sandbox.mifos.community deployment. ;) El mar, 12 may 2026 a las 14:50, Deepak soni ***@***.***>) escribió:

…

*deepaksoni47* left a comment (openMF/web-app#3573) <#3573 (comment)> Understood, thanks for the clarification. The intention was mainly to reduce deployment-specific gateway translation rules while keeping the default behavior unchanged. Thanks also for pointing out the API Key / Subscription Key header support gap. — Reply to this email directly, view it on GitHub <#3573 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALD2ZATGE4GUR5FQ6JBXLLT42OE7RAVCNFSM6AAAAACY2ILTACVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DIMZUGY4DCNZTGY> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.***>