I’m curious how others would implement the following…
- Users can belong to more than one tenant
- Users could have different roles per tenant
- Role authorization should be derived from the selected tenant
- User can select tenant on login
- The role from the selected tenant should then flow through authorization
I’ve messed around with multiple variations on this but haven’t successfully implemented any. That usually means I’m trying an anti-pattern or overlooking a simple solution.
Should I…
- Just add a currentTenant & currentRole field to the user model and manage it via login/logout/change tenant?
- Add the selected tenant as a client cookie, pass it as a header and consume it in the Redwood auth flow? If so… how?
- Update the session/global context onSelectTenant and plug into the auth flow? <— this is where I started but I don’t see a way to persist the selected tenant…
- Do something I’m overlooking?
A simplified schema looks something like…
```prisma
model User {
  id                Int            @id @default(autoincrement())
  createdAt         DateTime       @default(now())
  name              String
  // One row per tenant the user belongs to; the role lives on the membership, not the user
  tenantMemberships TenantMember[]
}

model Tenant {
  id      Int            @id @default(autoincrement())
  name    String
  type    TenantType     @default(ORGANIZATION)
  members TenantMember[]
}

enum TenantType {
  INDIVIDUAL
  ORGANIZATION
}

// Join table between User and Tenant, carrying the per-tenant role
model TenantMember {
  id       Int         @id @default(autoincrement())
  userId   Int
  user     User        @relation(fields: [userId], references: [id])
  tenantId Int
  tenant   Tenant      @relation(fields: [tenantId], references: [id])
  role     TenantRoles @default(TENANT_MEMBER)

  // A user can hold only one role per tenant
  @@unique([userId, tenantId])
}

enum TenantRoles {
  TENANT_OWNER
  TENANT_ADMIN
  TENANT_MEMBER
}
```