FEAT: Multi tenant feature

README.md

@@ -55,14 +55,17 @@ Developers can customise this as per their requirement.
 -   Clone the repo and execute command `npm install`
 -   Create a copy of the env.sample file and rename it as .env
 -   Install postgres and redis
+-   Create a restricted tenant user that cannot bypass RLS policies
 -   Provide postgres, redis secrets and default user details in .env file as mentioned below
 
 | Database configuration(Required) |  |
 |--|--|
 |POSTGRES_HOST  | localhost |
 |POSTGRES_PORT  |  5432|
-|POSTGRES_USER  | postgres |
-|POSTGRES_PASSWORD  | postgres |
+|POSTGRES_ADMIN_USER  | postgres |
+|POSTGRES_ADMIN_PASSWORD  | postgres |
+|POSTGRES_TENANT_USER  | tenant |
+|POSTGRES_TENANT_PASSWORD  | tenant |
 |POSTGRES_DB  | auth_service |
 
  
@@ -80,6 +83,7 @@ Developers can customise this as per their requirement.
 |JWT_TOKEN_EXPTIME|3600  |
 |JWT_REFRESH_TOKEN_EXP_TIME| 36000 |
 |ENV  |  local|
+|AUTH_KEY|  Required authentication key for tenant creation |
 
    
 | Other Configuration(Required) |  |
@@ -114,6 +118,12 @@ Developers can customise this as per their requirement.
 | OTP_WINDOW | 300  |
 | OTP_STEP | 1 |
 
+   
+|Multi-Tenancy Configuration(Optional)  |  |
+|--|--|
+|MULTI_TENANCY_ENABLED  | A boolean that indicates if multi-tenancy is enabled, used for handling user login |
+|DEFAULT_TENANT_ID  | Default tenant id to be used when multi-tenancy is disabled |
+
 -   Run `npm run migration:run`
 -   Run `npm run start`
 -   Service should be up and running in http://localhost:${PORT}.
@@ -131,4 +141,18 @@ GraphQL endpoint
 
 http://localhost:${PORT}/auth/api/graphql
 
-[API Documentation](https://documenter.getpostman.com/view/10091423/U16ev8cG)
+[API Documentation](https://documenter.getpostman.com/view/10091423/U16ev8cG)
+
+## Multi-tenancy Support
+
+This service supports multi-tenancy with complete data isolation between tenants at the database level using PostgreSQL row-level security (RLS). Each tenant's data is isolated using a tenant_id column and RLS policies.
+
+### How it Works
+
+1. Every tenant specific entities in the system has a `tenant_id` column
+2. PostgreSQL Row Level Security (RLS) policies are enabled on all tables
+3. The `app.tenant_id` configuration parameter is set for each request
+4. Database queries are automatically filtered by the `tenant_id` through RLS policies
+
+##### Setting up Database User for Multi-tenancy
+Create a database user with restricted access (can be done using the provided init-db.sh)

docker-compose.yml

@@ -19,12 +19,19 @@ services:
   postgres:
     container_name: postgres
     image: postgres:12
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_ADMIN_USER: ${POSTGRES_USER}
+      PGPASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_TENANT_USER: ${POSTGRES_TENANT_USER}
+      POSTGRES_TENANT_PASSWORD: ${POSTGRES_TENANT_PASSWORD}
     expose:
       - '5432'
     ports:
       - '5432:5432'
     volumes:
       - /data/postgres:/var/lib/postgresql/data
+      - ./init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
     env_file:
       - docker.env
     networks:

docker.env.sample

@@ -1,5 +1,7 @@
 POSTGRES_USER=postgres
 POSTGRES_PASSWORD=postgres
 POSTGRES_DB=authentication-service
+POSTGRES_TENANT_USER=tenant
+POSTGRES_TENANT_PASSWORD=tenant
 PGADMIN_DEFAULT_EMAIL=
 PGADMIN_DEFAULT_PASSWORD=

env.sample

@@ -1,8 +1,13 @@
+# Superuser for migrations
+POSTGRES_ADMIN_USER=postgres
+POSTGRES_ADMIN_PASSWORD=postgres
+# Minimal user with restricted access
+POSTGRES_TENANT_USER=tenant
+POSTGRES_TENANT_PASSWORD=tenant
 POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
-POSTGRES_USER=postgres
-POSTGRES_PASSWORD=postgres
 POSTGRES_DB=authentication-service
+POSTGRES_TENANT_MAX_CONNECTION_LIMIT=10
 REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_CACHE_TTL=3600
@@ -32,3 +37,6 @@ MIN_RECAPTCHA_SCORE=.5
 RECAPTCHA_VERIFY_URL=https://www.google.com/recaptcha/api/siteverify
 DEFAULT_ADMIN_PASSWORD=adminpassword
 INVITATION_TOKEN_EXPTIME = 7d
+AUTH_KEY=
+MULTI_TENANCY_ENABLED=
+DEFAULT_TENANT_ID=

init-db.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+# Create the database if it doesn't exist
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+  DO \$\$
+  BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB') THEN
+      CREATE DATABASE "$POSTGRES_DB"
+        WITH 
+        OWNER = postgres
+        ENCODING = 'UTF8';
+    END IF;
+  END
+  \$\$;
+EOSQL
+
+# Create tenant user if it doesn't exist
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+  DO \$\$
+  BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_user WHERE usename = '$POSTGRES_TENANT_USER') THEN
+      CREATE USER $POSTGRES_TENANT_USER WITH PASSWORD '$POSTGRES_TENANT_PASSWORD';
+    END IF;
+  END
+  \$\$;
+
+  GRANT CONNECT ON DATABASE "$POSTGRES_DB" TO "$POSTGRES_TENANT_USER";
+  ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "$POSTGRES_TENANT_USER";
+  GRANT USAGE ON SCHEMA public TO "$POSTGRES_TENANT_USER";
+EOSQL
+
+echo "Database setup complete"

package.json

@@ -65,6 +65,7 @@
     "twilio": "^3.67.1",
     "typeorm": "^0.3.11",
     "typeorm-naming-strategies": "^2.0.0",
+    "uuid": "^8.3.2",
     "winston": "^3.3.3"
   },
   "devDependencies": {
@@ -86,6 +87,7 @@
     "@types/speakeasy": "^2.0.6",
     "@types/supertest": "^2.0.10",
     "@types/totp-generator": "0.0.2",
+    "@types/uuid": "^10.0.0",
     "@typescript-eslint/eslint-plugin": "^4.19.0",
     "@typescript-eslint/parser": "^4.19.0",
     "eslint": "^7.22.0",

src/app.module.ts

@@ -1,4 +1,4 @@
-import { Module } from '@nestjs/common';
+import { MiddlewareConsumer, Module } from '@nestjs/common';
 import * as Joi from '@hapi/joi';
 import { ConfigModule } from '@nestjs/config';
 
@@ -7,15 +7,18 @@ import { AppGraphQLModule } from './graphql/graphql.module';
 import { UserAuthModule } from './authentication/authentication.module';
 import { AuthorizationModule } from './authorization/authorization.module';
 import { HealthModule } from './health/health.module';
+import { ExecutionContextBinder } from './middleware/executionContext.middleware';
 
 @Module({
   imports: [
     ConfigModule.forRoot({
       validationSchema: Joi.object({
         POSTGRES_HOST: Joi.string().required(),
         POSTGRES_PORT: Joi.number().required(),
-        POSTGRES_USER: Joi.string().required(),
-        POSTGRES_PASSWORD: Joi.string().required(),
+        POSTGRES_ADMIN_USER: Joi.string().required(),
+        POSTGRES_ADMIN_PASSWORD: Joi.string().required(),
+        POSTGRES_TENANT_USER: Joi.string().required(),
+        POSTGRES_TENANT_PASSWORD: Joi.string().required(),
         POSTGRES_DB: Joi.string().required(),
         PORT: Joi.number(),
         JWT_SECRET: Joi.string().required().min(10),
@@ -30,4 +33,8 @@ import { HealthModule } from './health/health.module';
   controllers: [],
   providers: [],
 })
-export class AppModule {}
+export class AppModule {
+  configure(consumer: MiddlewareConsumer) {
+    consumer.apply(ExecutionContextBinder).forRoutes('*');
+  }
+}

src/authentication/authKey.guard.ts

@@ -0,0 +1,20 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { GqlExecutionContext } from '@nestjs/graphql';
+
+@Injectable()
+export class AuthKeyGuard implements CanActivate {
+  constructor(private configService: ConfigService) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const ctx = GqlExecutionContext.create(context).getContext();
+    if (ctx) {
+      const authKeyInHeader = ctx.headers['x-api-key'];
+      if (authKeyInHeader) {
+        const secretKey = this.configService.get('AUTH_KEY') as string;
+        return secretKey === authKeyInHeader;
+      }
+    }
+    return false;
+  }
+}

src/authentication/authentication.graphql

@@ -1,16 +1,16 @@
 type Mutation {
-    passwordLogin(input: UserPasswordLoginInput!): TokenResponse
-    passwordSignup(input: UserPasswordSignupInput!): UserSignupResponse
-    inviteTokenSignup(input: UserInviteTokenSignupInput): InviteTokenResponse
-    refreshInviteToken(id: ID!):InviteTokenResponse
-    setPasswordForInvite(input: UserPasswordForInviteInput): UserSignupResponse
-    revokeInviteToken(id: ID!): Boolean
-    otpLogin(input: UserOTPLoginInput!): TokenResponse
-    otpSignup(input: UserOTPSignupInput!): UserSignupResponse
-    changePassword(input: UserPasswordInput!): User
-    refresh(input: RefreshTokenInput!): TokenResponse
-    logout: String
-    generateOtp(input: GenerateOtpInput): String
+  passwordLogin(input: UserPasswordLoginInput!): TokenResponse
+  passwordSignup(input: UserPasswordSignupInput!): UserSignupResponse
+  inviteTokenSignup(input: UserInviteTokenSignupInput): InviteTokenResponse
+  refreshInviteToken(id: ID!): InviteTokenResponse
+  setPasswordForInvite(input: UserPasswordForInviteInput): UserSignupResponse
+  revokeInviteToken(id: ID!): Boolean
+  otpLogin(input: UserOTPLoginInput!): TokenResponse
+  otpSignup(input: UserOTPSignupInput!): UserSignupResponse
+  changePassword(input: UserPasswordInput!): User
+  refresh(input: RefreshTokenInput!): TokenResponse
+  logout: String
+  generateOtp(input: GenerateOtpInput): String
 }
 
 input UserPasswordSignupInput {
@@ -20,6 +20,7 @@ input UserPasswordSignupInput {
   firstName: String!
   middleName: String
   lastName: String!
+  tenantDomain: String
 }
 
 input UserOTPSignupInput {
@@ -28,16 +29,19 @@ input UserOTPSignupInput {
   firstName: String!
   middleName: String
   lastName: String!
+  tenantDomain: String
 }
 
 input UserPasswordLoginInput {
   username: String!
   password: String!
+  tenantDomain: String
 }
 
 input UserOTPLoginInput {
   username: String!
   otp: String!
+  tenantDomain: String
 }
 
 type TokenResponse {
@@ -65,11 +69,12 @@ input RefreshTokenInput {
 }
 
 input GenerateOtpInput {
-    phone: String!
+  phone: String!
+  tenantDomain: String
 }
 
-input Enable2FAInput{
-    code: String!
+input Enable2FAInput {
+  code: String!
 }
 
 input UserInviteTokenSignupInput {