{"id":24935175,"url":"https://github.com/chrisorei/multitenancy-rbac-supabase-template","last_synced_at":"2025-03-28T15:15:12.001Z","repository":{"id":274847276,"uuid":"923712093","full_name":"chrisorei/multitenancy-rbac-supabase-template","owner":"chrisorei","description":"A production-ready template for implementing Multi-Tenancy and Role-Based Access Control (RBAC) using Supabase.","archived":false,"fork":false,"pushed_at":"2025-01-29T17:46:24.000Z","size":11,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-29T18:34:29.075Z","etag":null,"topics":["audit-log","backend","frontend","multitenancy","multitenant-applications","multitenant-architecure","security","security-audit","sql","supabase"],"latest_commit_sha":null,"homepage":"","language":"PLpgSQL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chrisorei.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-28T18:09:00.000Z","updated_at":"2025-01-29T17:46:27.000Z","dependencies_parsed_at":"2025-01-29T18:45:15.584Z","dependency_job_id":null,"html_url":"https://github.com/chrisorei/multitenancy-rbac-supabase-template","commit_stats":null,"previous_names":["chrisorei/multitenancy-rbac-supabase-template"],"tags_count":0,"template":true,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrisorei%2Fmultitenancy-rbac-supabase-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrisorei%2Fmultitenancy-rbac-supabase-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrisorei%2Fmultitenancy-rbac-supabase-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrisorei%2Fmultitenancy-rbac-supabase-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chrisorei","download_url":"https://codeload.github.com/chrisorei/multitenancy-rbac-supabase-template/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246049633,"owners_count":20715511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-log","backend","frontend","multitenancy","multitenant-applications","multitenant-architecure","security","security-audit","sql","supabase"],"created_at":"2025-02-02T15:21:44.369Z","updated_at":"2025-03-28T15:15:11.970Z","avatar_url":"https://github.com/chrisorei.png","language":"PLpgSQL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Supabase Multi-Tenant RBAC Template\n\nA production-ready template for implementing Multi-Tenancy and Role-Based Access Control (RBAC) using Supabase.\n\n## Overview\n\nThis template provides a robust foundation for building multi-tenant applications with comprehensive role-based access control. It's designed to be minimal yet production-ready, allowing developers to extend it based on their specific needs.\n\n### Features\n\n- 🏢 **Multi-Tenancy**: Full isolation between different tenants\n- 🔐 **Role-Based Access Control**: Flexible permission system\n- 🔑 **Row Level Security**: Secure data access patterns\n- 🌍 **System-wide and Tenant-specific Roles**: Granular access control\n- 📝 **Comprehensive Audit Logging**: Track all system events\n- ⚡ **Ready-to-use**: Just clone and deploy\n\n## Architecture\n\n### Multi-Tenancy Implementation\n\nThe system implements multi-tenancy through:\n\n1. **Tenant Isolation**: Each tenant has its own isolated space\n2. **Member Management**: Users can belong to multiple tenants\n3. **Role Assignment**: Both system-wide and tenant-specific roles\n\n### RBAC Structure\n\nThe RBAC system consists of:\n\n#### 1. Permissions\nGranular actions users can perform:\n- **System-level**\n  - `system.all`: Full system access\n  - `system.users.manage`: Manage system users\n  - `system.roles.manage`: Manage system roles\n- **Tenant-level**\n  - `tenants.create`: Create new tenants\n  - `tenants.read`: View tenant details\n  - `tenants.update`: Update tenant settings\n  - `tenants.delete`: Remove tenants\n  - `tenants.members.assign`: Manage tenant members\n  - `tenants.roles.edit`: Modify tenant roles\n\n#### 2. Roles\nCollections of permissions:\n- **System Roles**\n  - `system_admin`: Full system access\n  - `basic_user`: Can create tenants\n- **Tenant Roles**\n  - `administrator`: Full tenant access\n  - `member`: Basic tenant access\n\n#### 3. Role Assignment\nManaged through the `tenant_user_roles` table:\n- System-wide roles (null tenant_id)\n- Tenant-specific roles\n\n### Audit Logging System\n\nThe system includes a comprehensive audit logging mechanism that tracks all important events:\n\n#### Event Types\n- **User Events**\n  - User creation, updates, and deletion\n  - Authentication events (login/logout)\n  - Role assignments and removals\n- **Tenant Events**\n  - Tenant creation, updates, and deletion\n  - Member additions and removals\n  - Role assignments within tenants\n- **Role Management**\n  - Role creation and deletion\n  - Role permission updates\n  - System and tenant-level role changes\n\n#### Audit Log Features\n- **Secure Logging**: Only the system can write logs\n- **Rich Metadata**: Each log entry includes:\n  - Timestamp\n  - Event type\n  - Actor (user who performed the action)\n  - Tenant context (if applicable)\n  - Detailed event description\n  - Additional metadata\n- **Access Control**: Logs are accessible based on user permissions\n- **Querying**: Supports filtering by date, event type, tenant, and actor\n\n## Getting Started\n\n### Prerequisites\n\n- [Supabase CLI](https://supabase.com/docs/guides/cli)\n- Node.js 18+ (for example implementation)\n\n### Local Development\n\n1. **Clone the repository**\n   ```bash\n   git clone https://github.com/yourusername/supabase-multi-tenant-rbac\n   cd supabase-multi-tenant-rbac\n   ```\n\n2. **Start Supabase locally**\n   ```bash\n   supabase start\n   ```\n\n3. **Apply migrations**\n   ```bash\n   supabase migration up\n   ```\n\n4. **Seed the database**\n   ```bash\n   supabase db reset\n   ```\n\n### Development Workflow\n\nThe recommended workflow using Supabase CLI:\n\n1. **Create new migrations**\n   ```bash\n   supabase migration new your_migration_name\n   ```\n\n2. **Test locally**\n   ```bash\n   supabase db reset\n   ```\n\n3. **Push to production**\n   ```bash\n   supabase db push\n   ```\n\n## Framework Integration\n\n### Next.js (App Router)\n\n```typescript\n// utils/supabase.ts\nimport { createClient } from '@supabase/supabase-js'\n\nexport const createServerClient = () =\u003e {\n  return createClient(\n    process.env.NEXT_PUBLIC_SUPABASE_URL!,\n    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!\n  )\n}\n\n// Example: Check permissions\nasync function hasPermission(permission: string, tenantId?: number) {\n  const supabase = createServerClient()\n  \n  const { data, error } = await supabase\n    .rpc('authorise', { \n      requested_permission: permission,\n      tenant_id: tenantId \n    })\n    \n  if (error) throw error\n  return data\n}\n```\n\n### Example Usage\n\n```typescript\n// Create a new tenant\nconst { data: tenant } = await supabase\n  .from('tenants')\n  .insert({ name: 'acme' })\n  .select()\n  .single()\n\n// Assign a role to a user\nconst { data: role } = await supabase\n  .from('tenant_user_roles')\n  .insert({\n    tenant_id: tenant.id,\n    user_id: 'user-uuid',\n    role: 'member',\n    role_type: 'default'\n  })\n```\n\n## Example Implementation\n\nCheck out the `/examples` directory for a full implementation using:\n- Next.js 14 (App Router)\n- shadcn/ui\n- Tailwind CSS\n- TypeScript\n\nThe example demonstrates:\n- User authentication\n- Tenant creation and management\n- Role and permission management\n- Member invitation system\n- Profile management\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n## License\n\nMIT License - feel free to use this template in your own projects.\n\n### Planned Features\n\n- [x] Audit logging system where only system can write logs, authorised users can read logs\n- [ ] Invite users to join tenants using SMTP and role assignment in the invite\n- [ ] Custom roles?","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchrisorei%2Fmultitenancy-rbac-supabase-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchrisorei%2Fmultitenancy-rbac-supabase-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchrisorei%2Fmultitenancy-rbac-supabase-template/lists"}