As Basedash grows and moves toward serving larger teams and enterprise-level organizations, we found that our customers need a highly secure, yet quick and seamless way to gain authorization to their workspaces.
Here’s that flow:
An Admin user would specify an email domain for their workspace
All users with that domain and with verified emails would automatically be added to the workspace as a member
First, we created a simple UI component that would allow an Admin user to set the email access domain for their workspace. We also ensured that an Admin user could disable domain-based access and remove their saved email access domain, through this same UI component.
With this, a user can simply navigate to the settings page of their workspace, and if they are an Admin of that workspace, this component, which is showed above, would be displayed. We tested all the edge cases and form validation issues, to make sure nothing funky could happen.
After this was complete, we needed to create a simple endpoint that would update the workspace’s access domain, and provide the necessary validations. Below is an example with explanations, leveraging utility functions you can implement with any ORM and tooling.
const updateWorkspaceAccessDomain = async (req: Request, res: Response) => {
const { userId, workspaceId, accessDomain } = req.body;
// Get user
const user = await getUserById(userId);
// Get workspace
const workspace = await getWorkspaceById(workspaceId);
// Check that the accessDomain is valid, otherwise return an Error
if (!isValidAccessDomain(accessDomain)) {
return res.status(400).json({ title: 'Access domain is invalid' });
}
try {
// If the access domain is null, this means that the user
// requested to Remove the access domain / email domain
if (accessDomain === null) {
// Remove the access domain
await removeAccessDomain(workspace);
// If all goes well return a status of 200!
return res.sendStatus(200);
}
// Update the workspace's access domain
await updateWorkspaceAccessDomain(workspace);
// Find all users with the matching access domain
const usersWithMatchingDomain = await getUsersWithMatchingDomain(
accessDomain
);
// Filter out users who are not already members of the workspace
const usersToAddToWorkspaces = await getUsersWhoAreNotMembers(
usersWithMatchingDomain,
workspace
);
// Iterate through array of users who are not already members
for (const user of usersToAddToWorkspaces) {
// Add the user as a collaborator member to the workspace
await addUserAsCollaborator(user, workspace);
// Send an email notification that they have been added to
// the workspace as a collaborator member
await sendAddedToWorkspaceEmailNotification(user);
}
// If all goes well return a status of 200!
return res.sendStatus(200);
} catch (error) {
if (error instanceof Error) {
// Catch and return any errors
return res.status(400).json({ title: error.message });
}
}
};
Perfect! The only thing left to account for is to use this logic when a user verifies their email. This follows the same pattern as previously, but instead we find and iterate through all workspaces that have a matching domain instead of users. Let’s take a look!
const verifyEmail = async (req: Request, res: Response) => {
const { userId } = req.body;
const user = await getUserById(user.id);
// ... verify email logic ...
// Extract the domain from the user's email
const accessDomain = extractDomain(user.email);
try {
// Get all workspaces with a matching access domain
const workspacesWithMatchingAccessDomain =
await getWorkspacesWithMatchingAccessDomain(accessDomain);
// Filter out workspaces which user is already a member of
const workspacesToAddUserAsMember = await getWorkspacesWhereUserIsNotMember(
user,
workspacesWithMatchingAccessDomain
);
// Iterate through array of workspaces to add user as new member to
for (const workspace of usersToAddToWorkspaces) {
// Add the user as a collaborator member to the workspace
await addUserAsCollaborator(user, workspace);
// Send an email notification that they have been added to
// the workspace as a collaborator member
await sendAddedToWorkspaceEmailNotification(user);
}
// If all goes well return a status of 200!
return res.sendStatus(200);
} catch (error) {
if (error instanceof Error) {
// Catch and return any errors
return res.status(400).json({ title: error.message });
}
}
};
And there you have it! This is a high level overview of how built domain-based access ****for workspaces. Yes, there are a lot of validation and security issues we had to address, but those are details it would be unwise to post publicly on the internet, and more importantly, would probably be extremely boring to most readers!
I’ll leave you with something to think about, in the same vein of “if a tree falls in a forest...“ type thought puzzles :
If a workspace gives a team domain-based access but nobody from the team signs up for Basedash, does the team really have domain based access?
My answer is simple. Give Basedash a try for your team! Apart from striving to build well-designed and seamless software, it just breaks our hearts when a workspace gets lonely, especially if that means your databases get lonely—just like people working in tech, they need human friends too!
