I’ve been wrestling with multi-tenancy challenges for years. Why? Because every SaaS product I’ve built eventually faces the same critical question: How do we securely isolate customer data while maintaining performance? Today I’ll share a battle-tested approach using NestJS, Prisma, and PostgreSQL’s Row-Level Security. Stick with me - this could save you months of trial and error.
Let’s start with the foundation. Multi-tenancy means serving multiple customers from a single application instance. We’re using a shared database with PostgreSQL’s RLS for isolation. How does this compare to other approaches? Separate databases become costly at scale, while schema-based tenancy complicates migrations. Our method balances security with efficiency.
// Core domain models
class Tenant {
id: string;
slug: string;
}
class User {
id: string;
tenantId: string;
email: string;
}Setting up our project requires thoughtful structure. After initializing NestJS and Prisma, we organize code around domain features rather than technical layers. Notice how we separate tenant management from business modules. This pays dividends when adding new features later.
npm install @prisma/client prisma
npx prisma initOur schema design centers on tenant isolation. Each tenant-owned table includes a tenantId column. We enforce uniqueness within tenants using compound indexes. Why is this crucial? It prevents data leaks while allowing natural data relationships.
model Project {
id String @id @default(cuid())
tenantId String
name String
@@unique([tenantId, name])
}PostgreSQL’s RLS becomes our security backbone. We create policies that restrict access based on the current tenant context. Notice how we avoid direct table access - all operations go through a dedicated database role.
CREATE POLICY tenant_isolation ON projects
FOR ALL
USING (tenant_id = current_setting('app.tenant_id')::text);Integrating RLS with Prisma requires careful connection handling. We extend PrismaClient to manage tenant contexts. Each request sets the tenant ID before executing queries. What happens if we forget this step? The RLS policies block all data access - a safe failure mode.
// Prisma service extension
async setTenantContext(tenantId: string) {
await this.$executeRaw`SET app.tenant_id = ${tenantId}`;
}For service layers, we implement tenant-aware repositories. Each method automatically applies the tenant context. This pattern ensures we never accidentally query across tenant boundaries.
// Tenant-scoped service
async getUserProjects(tenantId: string, userId: string) {
await this.prisma.setTenantContext(tenantId);
return this.prisma.project.findMany({
where: { ownerId: userId }
});
}Authentication ties everything together. We use JWT tokens containing the tenant ID. A NestJS middleware extracts this and sets the tenant context globally for the request. How do we prevent token tampering? Cryptographic signatures and strict validation.
// Authentication middleware
@Injectable()
export class TenantMiddleware implements NestMiddleware {
use(req: Request, res: Response, next: NextFunction) {
const tenantId = extractTenantFromToken(req);
req.tenantId = tenantId;
next();
}
}For API endpoints, we inject the tenant context using custom decorators. This keeps controllers clean while maintaining security. Notice how we never trust client-provided tenant IDs - they come exclusively from verified tokens.
// Tenant-aware controller
@Get('projects')
async getProjects(@TenantId() tenantId: string) {
return this.projectService.findAll(tenantId);
}Migrations require special attention. We handle tenant-specific data seeding through programmatic scripts. Bulk operations use transaction blocks with tenant contexts. Why not use Prisma Migrate directly? It doesn’t support dynamic RLS contexts during execution.
// Tenant data seeding
async seedTenantData(tenantId: string) {
await this.prisma.withTenant(tenantId, async (tx) => {
await tx.project.create({ data: { name: 'Default' } });
});
}Performance optimization is critical at scale. We index tenantId on all tenant-owned tables and use partial indexes for tenant-specific queries. Connection pooling settings require tuning - we maintain separate pools for management vs tenant operations.
CREATE INDEX concurrently projects_tenant_idx
ON projects (tenant_id);Testing validates our isolation. We implement e2e tests that simulate multi-tenant scenarios. A common pitfall? Forgetting to reset tenant contexts between tests, causing cross-tenant data leaks.
// Isolation test case
it('prevents cross-tenant access', async () => {
const tenantAProjects = await getProjects(tenantA);
const tenantBProjects = await getProjects(tenantB);
expect(tenantAProjects).not.toContain(tenantBProjects[0]);
});Troubleshooting often centers on RLS policy issues. We log all database operations during development and verify SET statements execute before queries. Missing tenant contexts manifest as empty results rather than errors - a tricky debugging scenario.
This architecture has served me well across multiple production systems. The initial investment pays off when onboarding new tenants becomes a single API call rather than a deployment event. What limitations might you encounter? Extremely large tenants may eventually require dedicated infrastructure, but that’s a high-class problem.
If this resonates with your experiences, I’d love to hear your thoughts. Share your own multi-tenancy war stories in the comments - let’s learn from each other’s journeys.
