I’ve been thinking a lot about building multi-tenant applications lately. The challenge of securely isolating customer data while maintaining performance and scalability fascinates me. Today, I want to share my approach to creating a robust SaaS architecture using NestJS, Prisma, and PostgreSQL’s powerful Row-Level Security features.
Why did this topic come to mind? Because I’ve seen too many developers struggle with data isolation in multi-tenant environments. The consequences of getting this wrong can be catastrophic. So let’s build something secure and scalable together.
At its core, multi-tenancy means serving multiple customers from a single application instance while keeping their data completely separate. PostgreSQL’s Row-Level Security (RLS) provides an elegant solution for this isolation challenge. Instead of managing multiple databases or complex filtering logic, RLS handles data separation at the database level.
Have you ever wondered how to ensure that users from one tenant never accidentally access another tenant’s data?
Let me show you how to set up RLS policies. First, we enable RLS on our tables and create policies that automatically filter data based on the current tenant context:
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
CREATE POLICY users_tenant_policy ON users
USING (tenant_id = current_setting('app.current_tenant_id')::UUID);This policy ensures that users can only see records where the tenant_id matches their current tenant context. The database handles the filtering automatically, eliminating human error.
Now, how do we integrate this with our NestJS application? We need to establish the tenant context for each request. Here’s a middleware that extracts the tenant identifier from the request and sets it in the database session:
@Injectable()
export class TenantMiddleware implements NestMiddleware {
async use(req: Request, res: Response, next: NextFunction) {
const tenantId = this.extractTenantId(req);
if (tenantId) {
await prisma.$executeRaw`
SELECT set_config('app.current_tenant_id', ${tenantId}, false)
`;
}
next();
}
}But wait—how do we handle authentication in this multi-tenant environment? We need to ensure users can only access their own tenant’s resources. Here’s a JWT strategy that validates both the user and their tenant context:
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor(private configService: ConfigService) {
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
secretOrKey: configService.get('JWT_SECRET'),
});
}
async validate(payload: any) {
return {
userId: payload.sub,
tenantId: payload.tenantId,
email: payload.email,
role: payload.role
};
}
}When building our services, we can leverage Prisma’s client extensions to automatically include tenant context in all queries:
const tenantAwarePrisma = prisma.$extends({
query: {
async $allOperations({ args, query }) {
const [, result] = await prisma.$transaction([
prisma.$executeRaw`SELECT set_config('app.current_tenant_id', ${tenantId}, true)`,
query(args),
]);
return result;
},
},
});This approach ensures that every database operation automatically respects the RLS policies we’ve set up. No more worrying about forgetting to add tenant_id filters to every query.
What about performance? RLS adds minimal overhead when properly implemented. PostgreSQL’s query planner optimizes RLS policies efficiently. However, we should still follow best practices like proper indexing:
CREATE INDEX idx_users_tenant_id ON users(tenant_id);
CREATE INDEX idx_orders_tenant_id ON orders(tenant_id);For complex queries involving multiple tenants (like admin reports), we can temporarily bypass RLS using security definer functions or separate connections. But this requires careful consideration and additional security measures.
Testing is crucial in multi-tenant applications. We need to verify that data isolation works correctly:
describe('Multi-tenant Data Isolation', () => {
it('should prevent cross-tenant data access', async () => {
// Create users in different tenants
const user1 = await createUser(tenant1);
const user2 = await createUser(tenant2);
// Set tenant1 context
await setTenantContext(tenant1.id);
const users = await userService.findAll();
// Should only see tenant1 users
expect(users).toHaveLength(1);
expect(users[0].id).toBe(user1.id);
});
});Building a multi-tenant application requires careful planning and attention to security. By leveraging PostgreSQL’s RLS, we can create a robust foundation that scales well while maintaining strong data isolation. The combination of NestJS’s modular architecture, Prisma’s type safety, and PostgreSQL’s security features creates a powerful stack for SaaS development.
Remember to regularly audit your RLS policies and test your isolation boundaries. Security is not a one-time setup but an ongoing process.
I’d love to hear about your experiences with multi-tenant architectures. What challenges have you faced? What patterns have worked well for you? Share your thoughts in the comments below, and if you found this useful, please like and share with others who might benefit from this approach.
