Authentication And Security

Multi-tenant Security

Back to videos

Summary

Building multi-tenant applications can be a challenging task, especially when it comes to ensuring data security and privacy. Xano provides a powerful no-code solution that simplifies the process of creating secure multi-tenant applications. In this step-by-step guide, we'll walk through how to implement a security technique that ensures users can only access data related to their associated companies.

Understanding the Data Structure

Before diving into the implementation, let's first understand the data structure we'll be working with:

  1. Company: This table stores information about the different companies.
  2. Private Information: This table contains sensitive data that needs to be secured.
  3. Users: This table stores user information.
  4. Users Company: This table maintains the relationship between users and the companies they are associated with. A user can be associated with multiple companies.

The key to our security implementation lies in the `Users Company` table, which allows us to control access based on the user's association with specific companies.

Step 1: Create a Reusable Security Function

Since we'll be implementing this security measure across multiple endpoints, it's best to create a reusable function that we can call from different parts of our application. Here's how to do it:

  1. In the Xano console, navigate to the "Functions" section and click "Add Function."
  2. Name the function "CheckUserAccess" and assign it the "security" tag.
  3. In the function editor, we'll query the `Users Company` table to check if a relationship exists between the user and the company they're trying to access. We'll use the `company_id` as input and the signed-in user's `auth_id` to perform the query.

 let users_company_one = query_all_records(
  table: 'users_company',
  constraints: [
  {
  field: 'company_id',
  operator: '==',
  value: get('company_id')
  },
  {
  field: 'user_id',
  operator: '==',
  value: auth.id
  }
  ],
  output: 'exists'
 );
 
 precondition(
  users_company_one == true,
  'You do not have access to this information',
  'access_denied'
 );

  1. Click "Save" and "Publish" the function.

Step 2: Implement the Security Check in Your Endpoints

Now that we have our reusable security function, we can call it from any endpoint that needs to restrict access based on the user's association with a company.

  1. In the Xano console, navigate to the endpoint you want to secure.
  2. Drag and drop the `CheckUserAccess` function above the query that retrieves the sensitive data.
  3. Pass the `company_id` as an input to the `CheckUserAccess` function.

Your endpoint should now look something like this:

 let users_company_one = CheckUserAccess(company_id: get('company_id'));
 
 let private_information = query_all_records(
  table: 'private_information',
  constraints: [
  {
  field: 'company_id',
  operator: '==',
  value: get('company_id')
  }
  ]
 );
 
 return private_information;

Step 3: Test Your Implementation

To test the security implementation, follow these steps:

  1. Run the endpoint you've secured, passing in the `company_id` of a company you're associated with as a user.
  2. Verify that you can access the private information for that company.
  3. Try running the same endpoint with a `company_id` you're not associated with.
  4. You should receive an "access denied" error, confirming that the security measure is working as intended.

Conclusion

Implementing secure multi-tenant applications can be a daunting task, but with Xano's no-code platform, it becomes a breeze. By following this step-by-step guide, you can ensure that your users can only access data related to the companies they are associated with, maintaining data privacy and security.

Remember, the power of Xano lies in its ability to simplify complex development tasks, making it accessible to both non-technical users and experienced developers alike. Whether you're a no-code enthusiast, citizen developer, traditional developer, or part of a startup or small business, Xano empowers you to build and deploy secure, scalable applications without writing a single line of code.

This transcript was AI generated to allow users to quickly answer technical questions about Xano.

Was this helpful?

I found it helpful

I need more support
Recommended videos

View all videos

Introducing the OpenSearch Query Wizard
Search And Data Processing

Introducing the OpenSearch Query Wizard

Zip Files in Xano - How to Read, Process, and Create Zip Files
File Management

Zip Files in Xano - How to Read, Process, and Create Zip Files

Introducing Middleware: Enhanced API Efficiency and Flexibility with Reusable Logic
Api And Debugging

Introducing Middleware: Enhanced API Efficiency and Flexibility with Reusable Logic

Sign up for XanoSign up for Xano

Build without limits on a secure, scalable backend.

Unblock your team's progress and create a backend that will scale for free.

Start building for free