Build a Multi-Tenanted, Role-Based Access Control System
- Published 3 Jul 2024
- Neon: bit.ly/tomdoestech
In this video, you will build a multi-tenanted, role-based access control authentication API with Node.js, Drizzle ORM, TypeScript, PostgreSQL & Neon.
Repository: github.com/TomDoesTech/user-api
0:00 - Introduction
5:07 - Bootstrap application
15:13 - Setup Drizzle ORM
20:04 - Define schemas
35:10 - Application module
44:17 - Default roles
56:50 - Register user
1:18:37 - Login
1:35:18 - Create a role
1:41:22 - Assign role to user
1:47:30 - Guards
2:01:03 - Outro
Thank you to Neon for sponsoring this video. If you want a managed PostgreSQL database with a generous free tier, make sure you check out Neon: bit.ly/tomdoestech
What you will learn:
- How to create a multi-tenant application
- How to create a role-based access control system
- Some basic relational database concepts
- A nice and neat file structure for backend services
- RESTful API design
- TypeScript
- Fastify
- How to use Drizzle ORM
🌎 Follow me here:
Discord: / discord
Twitter: / tomdoes_tech
Facebook: / tomdoestech
Instagram: / tomdoestech
TikTok: / tomdoes_tech
☕ Buy me a coffee: www.buymeacoffee.com/tomn
You've probably got one of the first YT tutorials with Drizzle.
Recently implemented multi-tenant auth in a Next app with tRPC using lucia-auth and some custom data flows for the tenants.
This video would have certainly helped then to get an idea of how everything flowed into one another.
Kudos and thanks for the video Tom.
The drizzle bit was as if you read my mind on what I need to read up on next. Many thanks, top quality as always!
Excellent video. Your videos are very well structured and codebase is nicely organized.
Both Drizzle and Fastify are libraries I wish to use more, and you're helping me a ton with these videos!
You're the best thing to ever happen to my career. I have learned so much from your videos. Thank you for making these tutorials free for all. Love from 🇳🇬
Thank you, that means a lot!
Thanks for the video. I'm currently on SaaS MT side-project with a different stack but the content brought me light on some principles I have struggled to understand.
Thanks for this. Practical examples of Drizzle are scant at the moment. Would love to see more on that.
Thanks for the video Tom. I have started this video and I am 100% sure this is going to be very informative. You are just awesome.
This tutorial is really amazing. It considers all best practices and modern approaches. I am actually going to migrate from NestJS to this.
thank you for your great content 💖
very helpful video
Great content!
Happy Birthday to you, Sir. Thanks for your amazing content
I have been refreshing the channel for 4 days waiting on this one!
Gotta tell the mrs to go out tonight, it's just me and a multi-tenanted, role-based access control system
All seriousness though, can't wait to get stuck into this!
hahaha!
Finally! A video
I was trying hard to implement this using MySQL, lol. Thanks, I learned something with this tutorial.
Thanks Sensei :)
Learned a lot today, thanks Tom. I am thinking about how it would look with Next.js.
Next up: Authorization using Access Control Lists. Didn't see an implementation of this yet anywhere on YT.
BTW thanks for the amazing video. Can't express how grateful I am.
Amazing
Thank you for this amazing video. I got tons of knowledge. Btw, can you make a video that dives deeper into the role-based access control system?
I think more Drizzle tutorials would be nice
I have 2 more planned :)
@TomDoesTech sweet!
Next/Express + Drizzle would be nice
Thank you Tom 🖤
You are the Best
Can you do TypeScript video?
I have lots of ts videos
Wow 💖
Awesome video +++++++++ 🙂
Really great explanation here, thank you so much. I'd love to hear your thoughts on an issue I'm having. I've never understood the reason to store permissions in the signed JWT. I understand you can pull the permissions from the token on every request and perform logic based on those permissions, but what happens if your permissions or role have been changed by a third party? The permissions would then be stale. I guess this opens the case for querying the database on every request in order to get the most up-to-date role and permissions for the requesting user, but then there's no reason to save the permissions in the JWT if you're going to do that. Personally I just store a userId and query the database for each request, but maybe that's a naive implementation. I'd love to hear your thoughts! Cheers 😅
Tom - You legend! I've been looking for a tutorial like this for ages. And you used Drizzle ORM which I believe is going to be huge.
Question: You've created the permissions as strings. Is this the convention, or is a separate table for permissions the convention? What's your personal preference?
It really depends what you want to do. If you want your users to be able to create new permissions for their application, then you will need to create a table for the permissions. However, if you want to have a set of standard permissions that all applications share, then just hard code them as strings
Hey Tom,
Sending you lots of love ❤❤❤❤. As always, I've been watching numerous videos to support you, even during my break time. I just let the video keep playing 😁
What is the best way to conduct testing for this API project? Should I use Open API v3 in my project or opt for Postman or Thunder Client? Additionally, What is the recommended approach for database schema: Drizzle schema or Zod?
Fastify apps are really easy to write tests for. You can create an instance of the server and then use the inject method
How can we name the migration files according to our preference?
Thanks for this tutorial, this made me realize I was designing authentication all wrong. Just one question: is there a reason the permissions are stored on a separate table? It would make sense to just put them on the user object.
The permissions are stored on the role. You could put them on the user if you like, but you'd need to think about what happens if you add or remove a permission from a role
How can I use Postgres based schema multi-tenancy?
Do you plan to cover video on payment gateway, how to setup for recurring and verify using webhook?
Like Stripe? I have a video on Stripe
If you've got multiple instances of your server, is it sensible to decouple migrations from application startup? If multiple instances spin up with migrations coupled to migration startup, you are running the same migration every time a new server spins up.
Yeah, you'd ideally run migrations in a pipeline
But how does the user log in to the system in the frontend? Do they have to type the application id as well each time they log in? Or can we hide it behind the implementation, like sub-domains?
It really depends what your app is doing. Usually the application id will need to be included in the login request, so it can either be in the URL or hidden behind a URL/sub-domain.
How would you handle permissions for a specific entity? For example, if a user can create posts for a specific project only, where would the identifier of the entity live? Would it be ok to insert it in the permission string, "project::post:write", or would it be better to live in the db and introduce a permissions table that holds this information? If in the db, I'm thinking you would want to create generic fields so that you don't have to create a join table for each entity that requires specific permissions. Thanks for the video.
It depends how you determine what user can edit the specific post. For example, if they are the owner then you could do `project::post:write_own` or something then write the function to validate that permission
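A worked version of the `_own` suffix idea from the reply above, as an added example (not code from the video's repository): permission strings keep the `scope::resource:action` form used in this thread, and an `_own` suffix limits the action to entities the caller owns. The `Principal` and `Post` shapes, the function names and the sample data are assumptions.

```typescript
// Added example, not from the video's repository. Shapes and sample data below are assumptions.
interface Principal { userId: string; permissions: string[] }
interface Post { id: string; projectId: string; ownerId: string }
interface ParsedPermission { scope: string; resource: string; action: string; ownOnly: boolean }

// Parse "project::post:write_own" -> { scope: "project", resource: "post", action: "write", ownOnly: true }.
// Malformed strings return null so a mistyped stored permission fails closed (denies) instead of matching.
function parsePermission(raw: string): ParsedPermission | null {
  const m = /^([a-z]+)::([a-z]+):([a-z]+)(_own)?$/.exec(raw);
  if (!m) return null;
  return { scope: m[1], resource: m[2], action: m[3], ownOnly: m[4] === "_own" };
}

// Decide whether `principal` may perform `required` (e.g. "project::post:write") on one entity.
// Holding the unsuffixed permission grants it for any entity; holding only the `_own` variant
// grants it solely when the entity's ownerId equals the caller's userId. Anything else is denied.
function isAllowed(principal: Principal, required: string, entityOwnerId: string): boolean {
  const need = parsePermission(required);
  if (!need || need.ownOnly) return false; // the required permission is always the unsuffixed form
  for (const raw of principal.permissions) {
    const have = parsePermission(raw);
    if (!have || have.scope !== need.scope || have.resource !== need.resource || have.action !== need.action) continue;
    if (!have.ownOnly) return true;               // unrestricted grant
    if (entityOwnerId === principal.userId) return true; // own-only grant and the entity is theirs
  }
  return false;
}

// Constructed sample data: an editor who may write any post, an author limited to their own posts.
const editor: Principal = { userId: "u1", permissions: ["project::post:write"] };
const author: Principal = { userId: "u2", permissions: ["project::post:write_own", "project::post:read"] };
const ownPost: Post = { id: "p1", projectId: "proj1", ownerId: "u2" };
const otherPost: Post = { id: "p2", projectId: "proj1", ownerId: "u1" };
```

Because the suffix is parsed rather than matched with a prefix check, a permission such as `project::post:write_owner` is rejected instead of silently widening access.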
Can you please make a video using fastify with the ts-rest library and their fastify module? It's like trpc but for rest. It looks awesome but there is no content out on it :( Thanks!
A nextjs / fastify/ ts-rest stack
I have to add a company before I start an application? So there must be 2 steps on registration?
Yeah, they need to register for a specific company
Hi Tom, I'm building an HMS and I need a solid structure for the multi-tenancy. I would love to pick your brain if possible.
How do I regenerate a new JWT token when a user's permissions are updated?
The permissions are stored on the JWT so you'd either have to get the user to logout and back in, or you could do periodic checks on the JWT and update it
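One way to implement the periodic check from the reply above, as an added example rather than code from the video: the permissions claim is trusted while the token is younger than a chosen maximum age; past that age the user's role is re-read from the store and refreshed claims are returned so the caller can re-sign and hand back a new token. The claim shape, the in-memory role store and the `maxAgeSeconds` value are assumptions.

```typescript
// Added example; claim shape, store and threshold are assumptions, not the video's code.
interface Claims { sub: string; role: string; permissions: string[]; iat: number } // iat in seconds
interface RoleStore { permissionsForUser(userId: string): string[] | null }

// Constructed in-memory stand-in for the roles/permissions tables.
const roles: Record<string, string[]> = { admin: ["users:read", "users:write"], viewer: ["users:read"] };
const userRoles: Record<string, string> = { u1: "admin" };
const store: RoleStore = {
  permissionsForUser: (id) => (userRoles[id] ? [...roles[userRoles[id]]] : null),
};

interface Resolved { permissions: string[]; refreshedClaims: Claims | null }

// Returns the permissions to enforce for this request. While the token is fresh the claim is used as-is
// (no DB round-trip). Once it is older than maxAgeSeconds the store is consulted: a vanished user gets an
// empty set; otherwise fresh claims come back so the caller can re-issue the token (the "update it" step).
function resolvePermissions(claims: Claims, nowSeconds: number, store: RoleStore, maxAgeSeconds: number): Resolved {
  if (nowSeconds - claims.iat <= maxAgeSeconds) return { permissions: claims.permissions, refreshedClaims: null };
  const current = store.permissionsForUser(claims.sub);
  if (current === null) return { permissions: [], refreshedClaims: null };
  const refreshed: Claims = { ...claims, role: userRoles[claims.sub], permissions: current, iat: nowSeconds };
  return { permissions: current, refreshedClaims: refreshed };
}

// Constructed scenario: token minted at t=1000 for an admin, who is later demoted to viewer.
const token: Claims = { sub: "u1", role: "admin", permissions: ["users:read", "users:write"], iat: 1000 };
function demoteUser(): void { userRoles["u1"] = "viewer"; }
```

The trade-off is visible in the numbers: a revoked permission stays honoured for up to `maxAgeSeconds` after the change, which is the staleness window raised earlier in the thread.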
Do you recommend Drizzle over Prisma?
I haven't thought about it enough to make those prescriptions. I think both have their place
@TomDoesTech it depends on if Prisma sponsored the next video?! 😅
I am a beginner. But I am stuck in the logic building, help me.
Drizzle doesn't support transaction
I could be wrong, but you don't really need it to. You can create a client and do it yourself with Postgres.
Drizzle supports transactions. We just didn't move it to web docs yet. Will do it asap and thanks for pointing that out!
It might be me, but it looks like a lot of boilerplate.
Compared to what? The start of any app is going to be a lot of boilerplate