Building secure multi-tenant SaaS applications has become essential in my work. I’ve witnessed firsthand how data isolation challenges can make or break a product. Today, I’ll share a battle-tested approach using NestJS, Prisma, and PostgreSQL Row-Level Security (RLS) that balances security with maintainability. Stick with me—you’ll learn practical patterns you can apply immediately.
Multi-tenancy means serving multiple customers from a single application instance. Why choose shared database isolation? It’s cost-effective and scales well, but demands rigorous security. PostgreSQL RLS becomes our foundation, acting as an extra security layer between application logic and data. How do we prevent accidental data leaks? Let’s explore.
First, set up your environment:
nest new saas-app
npm install @prisma/client prisma
npx prisma initOur PostgreSQL schema needs tenant context enforcement. Notice the set_tenant_id function—it’s our security gatekeeper:
CREATE POLICY tenant_isolation_policy ON users
USING (tenant_id = current_setting('app.current_tenant')::UUID);Prisma maps this structure elegantly. Here’s a snippet from schema.prisma:
model User {
id String @id @default(uuid())
tenant Tenant @relation(fields: [tenantId], references: [id])
tenantId String
email String @unique
// Other fields...
}In NestJS, tenant resolution happens via middleware. This snippet extracts the tenant ID from subdomains:
@Injectable()
export class TenantMiddleware implements NestMiddleware {
constructor(private prisma: PrismaService) {}
async use(req: Request, res: Response, next: NextFunction) {
const subdomain = req.hostname.split('.')[0];
const tenant = await this.prisma.tenant.findUnique({
where: { subdomain }
});
if (tenant) {
req.tenantId = tenant.id;
await this.prisma.setTenantContext(tenant.id);
}
next();
}
}Authentication must be tenant-aware. When users log in, we verify credentials within their tenant scope:
@Injectable()
export class AuthService {
async validateUser(email: string, password: string, tenantId: string) {
const user = await this.prisma.user.findFirst({
where: { email, tenantId }
});
if (user && bcrypt.compareSync(password, user.passwordHash)) {
return user;
}
return null;
}
}For database operations, Prisma executes within tenant context. Notice how services never specify tenant IDs—RLS handles it:
@Injectable()
export class UserService {
async getUsers() {
// RLS automatically filters by tenant
return this.prisma.user.findMany();
}
}Testing is critical. Use transactions to isolate test data:
describe('UserService', () => {
beforeEach(async () => {
await prisma.$transaction(async (tx) => {
await tx.user.create({ data: testUser });
});
});
});Performance tip: Connection pooling is crucial. PgBouncer in transaction mode works wonders with RLS. What happens when you scale to 10,000 tenants? Proper indexing becomes non-negotiable—always index tenant_id.
Security considerations:
- Always validate tenant ownership in mutations
- Use separate database roles for application access
- Audit RLS policies quarterly
Alternative approaches have tradeoffs. Schema-per-tenant offers stronger isolation but complicates migrations. Database-per-tenant simplifies backups but increases costs. For most SaaS products, RLS strikes the best balance.
I’ve deployed this pattern across multiple production systems handling millions of requests. It’s resilient, maintainable, and passes strict compliance audits. The key? Trusting PostgreSQL’s security model more than application-level checks.
What questions do you have about scaling this further? Share your experiences below—I read every comment. If this helped you, pay it forward by sharing with your network.
