feat(security): 修复多租户环境下用户切换问题

- 在 TokenAuthenticationFilter 中添加逻辑，为没有 tenantId 的用户动态设置 tenantId
- 通过 AdminUserApi 获取用户信息，确保跨租户切换时能够正确获取目标租户信息

yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java

@@ -13,12 +13,16 @@ import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
 import cn.iocoder.yudao.framework.web.core.util.WebFrameworkUtils;
 import cn.iocoder.yudao.module.system.api.oauth2.OAuth2TokenApi;
 import cn.iocoder.yudao.module.system.api.oauth2.dto.OAuth2AccessTokenCheckRespDTO;
+import cn.iocoder.yudao.module.system.api.tenant.TenantApi;
+import cn.iocoder.yudao.module.system.api.user.AdminUserApi;
+import cn.iocoder.yudao.module.system.api.user.dto.AdminUserRespDTO;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.web.filter.OncePerRequestFilter;
 
+import javax.annotation.Resource;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -43,6 +47,9 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
 
     private final OAuth2TokenApi oauth2TokenApi;
 
+    @Resource
+    private AdminUserApi adminUserApi;
+
     @Override
     @SuppressWarnings("NullableProblems")
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
@@ -74,6 +81,11 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
 
         // 设置当前用户
         if (loginUser != null) {
+            if(null == loginUser.getTenantId()){
+                CommonResult<AdminUserRespDTO> user = adminUserApi.getUser(loginUser.getId());
+                loginUser.setTenantId(user.getData().getTenantId());
+            }
+
             SecurityFrameworkUtils.setLoginUser(loginUser, request);
         }
         // 继续过滤链