Discussion about this post

User's avatar
gbrown's avatar

just stumbled on this post...

"You *must* use `app_metadata` and NOT `user_metadata`. The former is secure and cannot be modified by the user, where the latter can be"

What prevents a user from hacking an api call to change their tenant ID to one that they aren't supposed to have access to?

It seems that the only safe way is to set the tenant ID in user_metadata when the user is created

Expand full comment
Tarkan Corak's avatar

Nice pragmatic solution.

I would like to share with everyone my final solution.

Create a function to automatically add the tenant_id when inserting a new row or updating an existing ro in a table:

create or replace function set_tenant_id()

returns trigger

language plpgsql

as $$

begin

-- Setzt den Wert von auth.tenant_id() in die tenant_id-Spalte, falls diese NULL ist

if NEW.tenant_id is null then

NEW.tenant_id := auth.tenant_id();

end if;

return NEW;

end;

$$;

And the trigger for the table "article" as an example:

create trigger set_tenant_id_before_insert_or_update

before insert or update on article

for each row

execute function set_tenant_id();

Expand full comment
3 more comments...

No posts