How we developed domain-based access for Basedash
s Basedash grows and moves toward serving larger teams and enterprise-level organizations, we found that our customers need a highly secure, yet quick and seamless way to gain authorization to their workspaces.
Here’s that flow:
- An Admin user would specify an email domain for their workspace
- All users with that domain and with verified emails would automatically be added to the workspace as a member
First, we created a simple UI component that would allow an Admin
user to set the email access domain for their workspace. We also ensured that an Admin
user could disable domain-based access and remove their saved email access domain, through this same UI component.
With this, a user can simply navigate to the settings page of their workspace, and if they are an Admin of that workspace, this component, which is showed above, would be displayed. We tested all the edge cases and form validation issues, to make sure nothing funky could happen.
After this was complete, we needed to create a simple endpoint that would update the workspace’s access domain, and provide the necessary validations. Below is an example with explanations, leveraging utility functions you can implement with any ORM and tooling.
https://gist.github.com/tomjohndesign/056f2f5eb5cb66cac4d384b16a1cb085
const updateWorkspaceAccessDomain = async (req: Request, res: Response) => { const { userId, workspaceId, accessDomain } = req.body; // Get user const user = await getUserById(userId); // Get workspace const workspace = await getWorkspaceById(workspaceId); // Check that the accessDomain is valid, otherwise return an Error if (!isValidAccessDomain(accessDomain)) { return res.status(400).json({ title: 'Access domain is invalid' }); } try { // If the access domain is null, this means that the user // requested to Remove the access domain / email domain if (accessDomain === null) { // Remove the access domain await removeAccessDomain(workspace); // If all goes well return a status of 200! return res.sendStatus(200); } // Update the workspace's access domain await updateWorkspaceAccessDomain(workspace); // Find all users with the matching access domain const usersWithMatchingDomain = await getUsersWithMatchingDomain( accessDomain ); // Filter out users who are not already members of the workspace const usersToAddToWorkspaces = await getUsersWhoAreNotMembers( usersWithMatchingDomain, workspace ); // Iterate through array of users who are not already members for (const user of usersToAddToWorkspaces) { // Add the user as a collaborator member to the workspace await addUserAsCollaborator(user, workspace); // Send an email notification that they have been added to // the workspace as a collaborator member await sendAddedToWorkspaceEmailNotification(user); } // If all goes well return a status of 200! return res.sendStatus(200); } catch (error) { if (error instanceof Error) { // Catch and return any errors return res.status(400).json({ title: error.message }); } } };
Perfect! The only thing left to account for is to use this logic when a user verifies their email. This follows the same pattern as previously, but instead we find and iterate through all workspaces that have a matching domain instead of users. Let’s take a look!
const verifyEmail = async (req: Request, res: Response) => { const { userId } = req.body; const user = await getUserById(user.id); // ... verify email logic ... // Extract the domain from the user's email const accessDomain = extractDomain(user.email); try { // Get all workspaces with a matching access domain const workspacesWithMatchingAccessDomain = await getWorkspacesWithMatchingAccessDomain(accessDomain); // Filter out workspaces which user is already a member of const workspacesToAddUserAsMember = await getWorkspacesWhereUserIsNotMember( user, workspacesWithMatchingAccessDomain ); // Iterate through array of workspaces to add user as new member to for (const workspace of usersToAddToWorkspaces) { // Add the user as a collaborator member to the workspace await addUserAsCollaborator(user, workspace); // Send an email notification that they have been added to // the workspace as a collaborator member await sendAddedToWorkspaceEmailNotification(user); } // If all goes well return a status of 200! return res.sendStatus(200); } catch (error) { if (error instanceof Error) { // Catch and return any errors return res.status(400).json({ title: error.message }); } } };
And there you have it! This is a high level overview of how built domain-based access ****for workspaces. Yes, there are a lot of validation and security issues we had to address, but those are details it would be unwise to post publicly on the internet, and more importantly, would probably be extremely boring to most readers!
I’ll leave you with something to think about, in the same vein of “if a tree falls in a forest...“ type thought puzzles :
If a workspace gives a team domain-based access but nobody from the team signs up for Basedash, does the team really have domain based access?
My answer is simple. Give Basedash a try for your team! Apart from striving to build well-designed and seamless software, it just breaks our hearts when a workspace gets lonely, especially if that means your databases get lonely—just like people working in tech, they need human friends too!
Invite only
We're building the next generation of data visualization.