You've probably got one of the first YT tutorials with Drizzle.
Recently implemented multi-tenant auth in a Next app with tRPC recently using lucia-auth and some custom data flows for the tenants.
This video would have certainly helped then to get an idea of how everything flowed into one another.
Kudos and thanks for the video Tom.
You're the best thing to ever happen to my career. I have learned so much from your videos. Thank you for making these tutorials free for all. Love from 🇳🇬
Thank you, that means a lot!
I have been refreshing the channel for 4 days waiting on this one!
Gotta tell the mrs to go out tonight, it's just me and a multi-tenanted, role-based access control system
All seriousness though, can't wait to get stuck into this!
hahaha!
Thanks for this. Practical examples of Drizzle are scant at the moment. Would love to see more on that.
Both Drizzle and Fastify are libraries I wish to use more, and you're helping me a ton with these videos!
The drizzle bit was as if you read my mind on what I need to read up on next. Many thanks, top quality as always!
This tutorial is really amazing. It considers all best practices and modern approaches. I am actually going to migrate from NestJS to this.
Package called drizzle-zod can create schemas that can be used later to validate DTO.
Next up: Authorization using Access Control Lists. Didn't see an implementation of this yet anywhere on YT.
BTW thanks for the amazing video. Can't express how grateful I am.
I was trying hard to implement this using MySQL, lol. Thanks, I learned something with this tutorial.
Thanks for the video. I'm currently on SaaS MT side-project with a different stack but the content brought me light on some principles I have struggled to understand.
Thanks for the video Tom. I have started this video and I am 100% sure this is going to be very informative. You are just awesome
Excellent video. Your videos are very well structured and codebase is nicely organized.
Happy Birthday to you, Sir. Thanks for your amazing content
Great content!
thank you for your great content 💖
very helpful video
Tom - You legend! I've been looking for a tutorial like this for ages. And you used Drizzle ORM which I believe is going to be huge.
Question: You've created the permissions as strings. Is this the convention, or is a separate table for permissions the convention? What's your personal preference?
It really depends what you want to do. If you want your users to be able to create new permissions for their application, then you will need to create a table for the permissions. However, if you want to have a set of standard permissions that all applications share, then just hard code them as strings
Thank you Tom 🖤
You are the Best
Can you do TypeScript video?
I have lots of ts videos
Thank you for this amazing video. I got tons of knowledge. Btw, can you make a video that dives deeper into the role based access control system?
Learned a lot today, thanks Tom. I am thinking how it would look with Next.js
I think more drizzle tutorial would be nice
I have 2 more planned :)
@TomDoesTech sweet!
next/express + drizzle would be nice
Finally! A video
Hey Tom,
Sending you lots of love ❤❤❤❤. As always, I've been watching numerous videos to support you, even during my break time. I just let the video keep playing 😁
What is the best way to conduct testing for this API project? Should I use OpenAPI v3 in my project or opt for Postman or Thunder Client? Additionally, what is the recommended approach for the database schema: Drizzle schema or Zod?
Fastify apps are really easy to write tests for. You can create an instance of the server and then use the inject method
Thanks Sensei :)
Really great explanation here, thank you so much. I'd love to hear your thoughts on an issue I'm having. I've never understood the reason to store permissions in the signed JWT. I understand you can pull the permissions from the token on every request and perform logic based on those permissions, but what happens if your permissions or role have been changed by a third party? The permissions would then be stale. I guess this opens the case for querying the database on every request in order to get the most up-to-date role and permissions for the requesting user, but then there's no reason to save the permissions in the JWT if you're going to do that. Personally I just store a userId and query the database for each request, but maybe that's a naive implementation. I'd love to hear your thoughts! Cheers 😅
very nice, thanks.
How would you handle permissions for a specific entity? For example, if a user can create posts for a specific project only. Where would the identifier of the entity live? Would it be ok to insert it in the permission string, "project::post:write", or would it be better to live in the db and introduce a permissions table that holds this information? If in db, I'm thinking you would want to create generic fields so that you don't have to create a join table for each entity that requires specific permissions. Thanks for the video.
It depends how you determine what user can edit the specific post. For example, if they are the owner then you could do `project::post:write_own` or something then write the function to validate that permission
Can you please make a video using fastify with the ts-rest library and their fastify module? It's like trpc but for rest. It looks awesome but there is no content out on it :( Thanks!
A nextjs / fastify/ ts-rest stack
Thanks for this tutorial, this made me realize I was designing authentication all wrong. Just one question, is there a reason the permissions are stored on a separate table? It would make sense to just put them on the users object
The permissions are stored on the role. You could put them on the user if you like, but you'd need to think about what happens if you add or remove a permission from a role
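The three threads above (permissions as strings versus a table, entity-scoped permissions such as `project::post:write_own`, and permissions living on the role rather than the user) share one mechanism, so here is a single added example rather than code from the video: hard-coded permission strings attached to roles, resolved through the user's role, with an `_own` suffix that the check function satisfies only when the caller owns the resource. The type and function names (`Role`, `User`, `Post`, `can`, `canWritePost`) and the in-memory tables are assumptions for illustration.

```typescript
// Added example, not the video's code. Permissions are fixed strings held on
// a role; a user gets them only through the role, and only within the user's
// own application (tenant). "<permission>_own" is a convention assumed here:
// it grants the action only on resources the caller owns.

type Permission = string; // e.g. "project::post:write" or "project::post:write_own"

interface Role {
  id: string;
  applicationId: string;
  permissions: Permission[];
}

interface User {
  id: string;
  applicationId: string;
  roleId: string;
}

interface Post {
  id: string;
  projectId: string;
  ownerId: string;
}

// Constructed in-memory stand-ins for the roles, users and posts tables.
const roles: Record<string, Role> = {
  admin: { id: "admin", applicationId: "app_1", permissions: ["project::post:write", "project::post:delete"] },
  member: { id: "member", applicationId: "app_1", permissions: ["project::post:write_own", "project::post:read"] },
};

const users: Record<string, User> = {
  u1: { id: "u1", applicationId: "app_1", roleId: "admin" },
  u2: { id: "u2", applicationId: "app_1", roleId: "member" },
  u3: { id: "u3", applicationId: "app_2", roleId: "member" }, // other tenant, same role name
};

const posts: Post[] = [
  { id: "p1", projectId: "proj_1", ownerId: "u2" },
  { id: "p2", projectId: "proj_1", ownerId: "u1" },
];

// Resolve permissions through the role. Because they live on the role, adding
// or removing a permission there changes every user with that role at once.
function permissionsForUser(user: User): Permission[] {
  const role = roles[user.roleId];
  // Tenant boundary: a role defined for another application never applies.
  if (!role || role.applicationId !== user.applicationId) return [];
  return role.permissions;
}

// Generic check: the unqualified permission always passes; the "_own" variant
// passes only when the resource's owner is the caller.
function can(user: User, permission: Permission, resource?: { ownerId: string }): boolean {
  const granted = new Set(permissionsForUser(user));
  if (granted.has(permission)) return true;
  if (resource && resource.ownerId === user.id && granted.has(`${permission}_own`)) return true;
  return false;
}

// What a route handler would call before writing to a post.
function canWritePost(userId: string, postId: string): boolean {
  const user = users[userId];
  const post = posts.find((p) => p.id === postId);
  if (!user || !post) return false; // unknown caller or resource: deny
  return can(user, "project::post:write", post);
}
```

The ownership check deliberately lives in `can`, not in the permission string, so the string set stays small and static while the per-entity decision uses data the handler already loaded (the post's `ownerId`). Deny-by-default on an unknown role, a missing resource or a role from another application is the part worth keeping whatever storage you choose.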
How can we create the migration files with the naming we prefer?
How can I use Postgres based schema multi-tenancy?
Do you plan to cover video on payment gateway, how to setup for recurring and verify using webhook?
Like Stripe? I have a video on Stripe
If you've got multiple instances of your server, is it sensible to decouple migrations from application startup? If multiple instances spin up with migrations coupled to application startup, you are running the same migration every time a new server spins up.
Yeah, you'd ideally run migrations in a pipeline
but how does the user login to the system in the frontend? do they have to type the application id as well each time they login? or can we hide it behind implementation like sub-domains?
It really depends what your app is doing. Usually the application id will need to be included in the login request, so it can either be in the URL or hidden behind a URL/sub domain
I have to add a company before I start an application? So there must be 2 steps in registration?
Yeah, they need to register for a specific company
Hi Tom, I'm building an HMS and I need a solid structure for the multi-tenancy. I would love to pick your brain if possible
Amazing
Awesome video +++++++++ 🙂
Wow 💖
Do you recommend Drizzle over Prisma?
I haven't thought about it enough to make those prescriptions. I think both have their place
@TomDoesTech it depends on if Prisma sponsored the next video?! 😅
How do you regenerate a new JWT token when some user permission updates?
The permissions are stored on the JWT so you'd either have to get the user to logout and back in, or you could do periodic checks on the JWT and update it
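The staleness question raised earlier (permissions in the signed JWT going out of date when a role changes) and the reply above (log out and back in, or check the JWT periodically and update it) can be handled with a cheap per-request check rather than re-reading every permission from the database. This added example is not the video's code: it issues a minimal HS256 JWT carrying the permissions, the application id from the login request and a `pv` (permissions version) claim; on each request it verifies the token, compares `pv` with the role's current version, and re-issues the token only when the role changed. The claim names (`app`, `pv`), the `roleVersions` store, the function names and the secret are all assumptions for illustration.

```typescript
// Added example, not the video's code. Minimal HS256 JWT with a permissions
// version claim; the verify step pins the algorithm and compares signatures in
// constant time. Uses only Node's built-in crypto module.
import { createHmac, timingSafeEqual } from "crypto";

interface Claims {
  sub: string;          // user id
  app: string;          // application (tenant) id, taken from the login request
  role: string;
  permissions: string[];
  pv: number;           // version of the role's permission set when issued (assumed claim name)
  exp: number;          // expiry, unix seconds
}

const SECRET = "example-secret-do-not-use"; // constructed for the example only

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

function sign(claims: Claims, secret: string = SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the claims when the token is intact and unexpired, otherwise null.
function verify(token: string, now: number, secret: string = SECRET): Claims | null {
  try {
    const parts = token.split(".");
    if (parts.length !== 3) return null;
    const [header, payload, sig] = parts;
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString());
    if (hdr.alg !== "HS256") return null; // never let the token choose the algorithm
    const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString()) as Claims;
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

// Constructed stand-in for the roles table: the current permissions plus a
// version that is bumped whenever the role's permission set changes.
const roleVersions: Record<string, { version: number; permissions: string[] }> = {
  member: { version: 1, permissions: ["project::post:read", "project::post:write_own"] },
};

function issue(sub: string, app: string, role: string, now: number): string {
  const r = roleVersions[role];
  return sign({ sub, app, role, permissions: r.permissions, pv: r.version, exp: now + 3600 });
}

// Per-request check. Returns the claims to authorise against and, when the
// role changed since issue, a fresh token the handler can hand back to the client.
function authenticate(token: string, now: number): { claims: Claims; refreshed?: string } | null {
  const claims = verify(token, now);
  if (!claims) return null;
  const r = roleVersions[claims.role];
  if (!r) return null; // role removed since issue: deny rather than trust old permissions
  if (r.version === claims.pv) return { claims };
  const fresh: Claims = { ...claims, permissions: r.permissions, pv: r.version };
  return { claims: fresh, refreshed: issue(claims.sub, claims.app, claims.role, now) };
}

// Admin action that changes a role: bump the version so outstanding tokens go stale.
function revokePermission(role: string, permission: string): void {
  const r = roleVersions[role];
  r.permissions = r.permissions.filter((p) => p !== permission);
  r.version += 1;
}
```

The version lookup is a single small read per request (or on whatever schedule you prefer) and keys on the role, so it stays cheap as the permission list grows; the token still carries the permissions for the common case where nothing changed. The same `app` claim is what lets a handler confirm the request is for the tenant the user logged into.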
I am a beginner. But I'm stuck in the logic building, help me.
1:18:50
Drizzle doesn't support transactions
I could be wrong but you don't really need it to. You can create a client and do it yourself with Postgres
Drizzle supports transactions. We just didn't move it to web docs yet. Will do it asap and thanks for pointing that out!
it might be me but it looks like a lot of boilerplate
Compared to what? The start of any app is going to be a lot of boilerplate