How we developed domain-based access for Basedash

March 14, 2022

Dalyan Parker
Full Stack Developer

As Basedash grows and moves toward serving larger teams and enterprise-level organizations, we found that our customers need a highly secure, yet quick and seamless way to gain authorization to their workspaces.

Here’s that flow:

  1. An Admin user would specify an email domain for their workspace
  2. All users with that domain and with verified emails would automatically be added to the workspace as a member

First, we created a simple UI component that would allow an Admin user to set the email access domain for their workspace. We also ensured that an Admin user could disable domain-based access and remove their saved email access domain, through this same UI component.

With this, a user can simply navigate to the settings page of their workspace, and if they are an Admin of that workspace, this component, which is showed above, would be displayed. We tested all the edge cases and form validation issues, to make sure nothing funky could happen.

After this was complete, we needed to create a simple endpoint that would update the workspace’s access domain, and provide the necessary validations. Below is an example with explanations, leveraging utility functions you can implement with any ORM and tooling.

const updateWorkspaceAccessDomain = async (req: Request, res: Response) => {
	const { userId, workspaceId, accessDomain } = req.body;

	// Get user
	const user = await getUserById(userId);
	// Get workspace
	const workspace = await getWorkspaceById(workspaceId);

	// Check that the accessDomain is valid, otherwise return an Error
	if (!isValidAccessDomain(accessDomain)) {
		return res.status(400).json({ title: 'Access domain is invalid' });
	}

	try {
		// If the access domain is null, this means that the user
		// requested to Remove the access domain / email domain
		if (accessDomain === null) {
			// Remove the access domain
			await removeAccessDomain(workspace);
			// If all goes well return a status of 200!
			return res.sendStatus(200);
		}

		// Update the workspace's access domain
		await updateWorkspaceAccessDomain(workspace);

		// Find all users with the matching access domain
		const usersWithMatchingDomain = await getUsersWithMatchingDomain(
			accessDomain
		);

		// Filter out users who are not already members of the workspace
		const usersToAddToWorkspaces = await getUsersWhoAreNotMembers(
			usersWithMatchingDomain,
			workspace
		);

		// Iterate through array of users who are not already members
		for (const user of usersToAddToWorkspaces) {
			// Add the user as a collaborator member to the workspace
			await addUserAsCollaborator(user, workspace);

			// Send an email notification that they have been added to
			// the workspace as a collaborator member
			await sendAddedToWorkspaceEmailNotification(user);
		}

		// If all goes well return a status of 200!
		return res.sendStatus(200);
	} catch (error) {
		if (error instanceof Error) {
			// Catch and return any errors
			return res.status(400).json({ title: error.message });
		}
	}
};

Perfect! The only thing left to account for is to use this logic when a user verifies their email. This follows the same pattern as previously, but instead we find and iterate through all workspaces that have a matching domain instead of users. Let’s take a look!

const verifyEmail = async (req: Request, res: Response) => {
	const { userId } = req.body;
	const user = await getUserById(user.id);

	// ... verify email logic ...

	// Extract the domain from the user's email
	const accessDomain = extractDomain(user.email);

	try {
		// Get all workspaces with a matching access domain
		const workspacesWithMatchingAccessDomain =
			await getWorkspacesWithMatchingAccessDomain(accessDomain);

		// Filter out workspaces which user is already a member of
		const workspacesToAddUserAsMember = await getWorkspacesWhereUserIsNotMember(
			user,
			workspacesWithMatchingAccessDomain
		);

		// Iterate through array of workspaces to add user as new member to
		for (const workspace of usersToAddToWorkspaces) {
			// Add the user as a collaborator member to the workspace
			await addUserAsCollaborator(user, workspace);

			// Send an email notification that they have been added to
			// the workspace as a collaborator member
			await sendAddedToWorkspaceEmailNotification(user);
		}

		// If all goes well return a status of 200!
		return res.sendStatus(200);
	} catch (error) {
		if (error instanceof Error) {
			// Catch and return any errors
			return res.status(400).json({ title: error.message });
		}
	}
};

And there you have it! This is a high level overview of how built domain-based access ****for workspaces. Yes, there are a lot of validation and security issues we had to address, but those are details it would be unwise to post publicly on the internet, and more importantly, would probably be extremely boring to most readers!

I’ll leave you with something to think about, in the same vein of “if a tree falls in a forest...“ type thought puzzles :

If a workspace gives a team domain-based access but nobody from the team signs up for Basedash, does the team really have domain based access?

My answer is simple. Give Basedash a try for your team! Apart from striving to build well-designed and seamless software, it just breaks our hearts when a workspace gets lonely, especially if that means your databases get lonely—just like people working in tech, they need human friends too!

What is Basedash?

Ship your product faster.
Worry about internal tools less.

No credit card required.

More posts like this