postgraphile-plugin-connection-multi-tenant's Introduction

postgraphile-plugin-connection-multi-tenant

Filtering Connections in PostGraphile by Tenants

Disclaimer & Compatibility

This plugin targets the beta release of PostGraphile v4.

Bug reports and pull requests are very much welcome.

Multi Tenant Database

The main drawback of Multi Tenant with shared-tables is the need to append the tenant filter condition onto every single query in the application layer. One possible way to isolate tenants is to add tenant_id to every table, and scope every request with that field.

This plugin will filter tables (Connections) by looking for table with column name specified by tenantColumnName at graphileBuildOptions.

Currently, the collections will be filtered by using tenant_id (stored in jwt).

Add the tenant_id in your schema, i.e :

create type store_example.jwt_token as (
  tenant_id text
  role text,
  person_id integer
);

TODO

optional tables autofilter by connectionMultiTenantAllowedTables graphileBuildOptions.
add test

Usage

CLI

postgraphile --append-plugins `pwd`/path/to/this/plugin/index.js

Library

const express = require("express");
const { postgraphile } = require("postgraphile");
const PostGraphileConnectionMultiTenantPlugin = require("postgraphile-plugin-connection-multi-tenant");

const app = express();

app.use(
  postgraphile(pgConfig, schema, {
    graphiql: true,
    appendPlugins: [PostGraphileConnectionMultiTenantPlugin],
  })
);

app.listen(5000);

Plugin Options

When using PostGraphile as a library, the following plugin options can be passed via graphileBuildOptions:

tenantColumnName

Target column :

postgraphile(pgConfig, schema, {
  ...
  graphileBuildOptions: {
    tenantColumnName: 'tenantId',
  },
})

postgraphile-plugin-connection-multi-tenant's People

Contributors

Stargazers

Watchers

postgraphile-plugin-connection-multi-tenant's Issues

Optional auto scoping by tenant ..

Our use case I think is pretty standard ... we have both users and organizations. There is not a one to one mapping between the two. I.e. a user can belong to multiple organizations. The vast majority of queries will use the organization as the tenantId .. however, there will be certainly queries against some tables where there is both the userId AND the tenantId .. where we want to query only against the userId.

For example, to get the list of organizations a user belongs to -- there is a user_organization table .. when we query against that table we do not want to auto inject the tenantId to restrict it ..

So how can we "fine" tune the auto injection!?

BTW -- these tables have been around for 15 years with a LOT of supporting code behind it, so it's not as simple as just renaming the column in the tables we don't want to autoinject.. :)

Cheers!

old inflection system

Hi,
this plugin doesnt work with actual postgrahile-package (v4.12.12)

TypeError: Cannot read properties of undefined (reading 'filter')…
Error: Something (probably a plugin) called the old inflection system (inflector: 'column'). This system has been deprecated since 4.0.0-beta.6 (4th May 2018) and is not used internally so using it may cause inconsistencies, instead please use the plugin-capable inflection system https://www.graphile.org/postgraphile/inflection/
at Object.column (/usr/local/lib/node_modules/postgraphile/node_modules/graphile-build-pg/node8plus/inflections.js:24:20)
at /usr/local/lib/node_modules/postgraphile-plugin-connection-multi-tenant/src/ConnectionMultiTenantPlugin.js:32:42
at Array.reduce (<anonymous>)
at /usr/local/lib/node_modules/postgraphile-plugin-connection-multi-tenant/src/ConnectionMultiTenantPlugin.js:31:12
at SchemaBuilder.applyHooks (/usr/local/lib/node_modules/postgraphile/node_modules/graphile-build/node8plus/SchemaBuilder.js:264:20)
at fieldWithHooks (/usr/local/lib/node_modules/postgraphile/node_modules/graphile-build/node8plus/makeNewBuild.js:489:33)
at makeField (/usr/local/lib/node_modules/postgraphile/node_modules/graphile-build-pg/node8plus/plugins/PgAllRows.js:86:27)
at /usr/local/lib/node_modules/postgraphile/node_modules/graphile-build-pg/node8plus/plugins/PgAllRows.js:180:9
at Array.reduce (<anonymous>)
at /usr/local/lib/node_modules/postgraphile/node_modules/graphile-build-pg/node8plus/plugins/PgAllRows.js:46:60

deden / postgraphile-plugin-connection-multi-tenant Goto Github PK