DEV Community: MATT ROSE The latest articles on DEV Community by MATT ROSE (@matt_rose_9d0fe88d3533a4f). https://dev.to/matt_rose_9d0fe88d3533a4f https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3982058%2Fc39a74ad-1d88-421d-8b59-a0df94ec5373.jpg DEV Community: MATT ROSE https://dev.to/matt_rose_9d0fe88d3533a4f en The Multi-Tenant Fortress: Bank-Grade Data Isolation in PostgreSQL MATT ROSE Sat, 13 Jun 2026 01:55:00 +0000 https://dev.to/matt_rose_9d0fe88d3533a4f/the-multi-tenant-fortress-bank-grade-data-isolation-in-postgresql-1f6i https://dev.to/matt_rose_9d0fe88d3533a4f/the-multi-tenant-fortress-bank-grade-data-isolation-in-postgresql-1f6i <p>In a multi-tenant B2B platform, data leakage is an extinction-level event. If Property A logs into your dashboard and accidentally sees the guest data or revenue metrics for Property B, your platform's trust is permanently broken.</p> <p>Most developers handle data isolation at the application layer. They rely on their Node.js middleware or ORM to append <code>WHERE property_id = X</code> to every single database query. </p> <p>This is a massive security risk. All it takes is one junior developer forgetting a <code>WHERE</code> clause in a new endpoint, and you have exposed cross-tenant data. </p> <p>To build a truly secure, enterprise-grade architecture, you must push security down to the database layer. Here is how to build a multi-tenant fortress using PostgreSQL Row-Level Security (RLS).</p> <h2> The Concept: Database-Enforced Isolation </h2> <p>Row-Level Security (RLS) is a PostgreSQL feature that acts as a bouncer at the table level. </p> <p>When RLS is enabled, the database evaluates a specific policy before returning any rows. Even if a compromised API sends a malicious <code>SELECT * FROM guests</code> query, the database itself will intercept the request and only return the rows that the current user is explicitly allowed to see.</p> <p>The application layer becomes blind to data it shouldn't access. </p> <h2> Step 1: The Schema and Anchor Keys </h2> <p>First, every table in your database that contains tenant-specific data needs an anchor key. In a B2B platform, this is usually the <code>tenant_id</code> or <code>property_id</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create our base properties table</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">properties</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> <span class="c1">-- Create a guests table anchored to a specific property</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">guests</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">property_id</span> <span class="n">UUID</span> <span class="k">REFERENCES</span> <span class="n">properties</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">full_name</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">email</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> </code></pre> </div> <p>Next, we enable RLS on the <code>guests</code> table. Once you run this command, the table defaults to "deny all." If you query it right now, it will return zero rows, even for the database administrator.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">guests</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> </code></pre> </div> <h2> Step 2: Passing the Execution Context </h2> <p>For the database to know <em>which</em> rows to return, our Node.js middleware needs to tell PostgreSQL exactly who is making the request before executing the query. </p> <p>Instead of passing the <code>property_id</code> in a <code>WHERE</code> clause, we inject it into the database session configuration. </p> <p>Here is how you set the context in a Node.js transaction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Example using the 'pg' module in Node.js</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getGuestsForProperty</span><span class="p">(</span><span class="nx">client</span><span class="p">,</span> <span class="nx">propertyId</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">BEGIN</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 1. Inject the tenant context securely into the database session</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">`SELECT set_config('app.current_property_id', $1, true)`</span><span class="p">,</span> <span class="p">[</span><span class="nx">propertyId</span><span class="p">]);</span> <span class="c1">// 2. Execute a naive query (No WHERE clause needed!)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM guests</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">COMMIT</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">ROLLBACK</span><span class="dl">'</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notice that our <code>SELECT * FROM guests</code> query has no filtering logic. The application doesn't need to know how to filter the data.</p> <h2> Step 3: Writing the RLS Policy </h2> <p>Now we write the rule inside PostgreSQL that connects the session context to the anchor key.</p> <p>We create a policy that tells the database: <em>"Only allow reads, inserts, and updates if the <code>property_id</code> on the row matches the <code>app.current_property_id</code> currently set in the session."</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">tenant_isolation_policy</span> <span class="k">ON</span> <span class="n">guests</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="c1">-- Applies to SELECT, INSERT, UPDATE, DELETE</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">property_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_property_id'</span><span class="p">)::</span><span class="n">UUID</span> <span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">property_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_property_id'</span><span class="p">)::</span><span class="n">UUID</span> <span class="p">);</span> </code></pre> </div> <ul> <li> <strong>USING:</strong> Determines which existing rows are visible to the query.</li> <li> <strong>WITH CHECK:</strong> Ensures that any new rows being <code>INSERT</code>ed or <code>UPDATE</code>d also adhere to the rule. (You cannot insert a guest for Property B if your session is scoped to Property A).</li> </ul> <h2> The Failsafe Advantage </h2> <p>Let’s look at why this is so powerful. </p> <p>Imagine a developer writes a reporting script and makes a catastrophic error:<br> <code>DELETE FROM guests;</code></p> <p>In a standard SaaS architecture, this deletes the entire database. </p> <p>In an RLS-backed architecture, this query does <strong>nothing</strong>. If the session context <code>app.current_property_id</code> isn't explicitly set, the query fails safely. If the session <em>is</em> set to Property A, it only deletes Property A's guests. Property B's data remains untouchable.</p> <h2> Conclusion </h2> <p>Application-layer security is fragile because it relies on developers never making a mistake in their SQL syntax or ORM logic. </p> <p>By utilizing PostgreSQL Row-Level Security, you decouple authorization from your application code. You create a multi-tenant fortress where cross-contamination is mathematically impossible at the database layer. For enterprise SaaS handling sensitive client records, this is the only acceptable standard.</p> architecture database postgres security The Catch and Release Pattern: Handling High-Volume Webhooks in Node.js MATT ROSE Sat, 13 Jun 2026 01:38:15 +0000 https://dev.to/matt_rose_9d0fe88d3533a4f/the-catch-and-release-pattern-handling-high-volume-webhooks-in-nodejs-17d2 https://dev.to/matt_rose_9d0fe88d3533a4f/the-catch-and-release-pattern-handling-high-volume-webhooks-in-nodejs-17d2 <p>If you are building an API that integrates with third-party vendors, you will eventually face the webhook flood. </p> <p>When an external service sends a massive spike of webhook events, the standard approach of processing the data and inserting it into a database synchronously will block the Node.js event loop. Your API will time out, the vendor will assume the delivery failed, and you will drop critical data.</p> <p>To survive unpredictable traffic spikes, you need to decouple the HTTP response from the data processing. Here is how to implement the "Catch and Release" pattern using Node.js, Express, and BullMQ.</p> <h2> Prerequisites </h2> <ul> <li>Node.js and Express installed.</li> <li>A running instance of Redis (required for BullMQ).</li> <li>Basic understanding of asynchronous JavaScript.</li> </ul> <h2> The Synchronous Trap (What Not to Do) </h2> <p>Most developers write their first webhook receiver like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook/inventory</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// ❌ Anti-pattern: Heavy processing before responding</span> <span class="kd">const</span> <span class="nx">normalizedData</span> <span class="o">=</span> <span class="nf">heavyDataTransformation</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="k">await</span> <span class="nx">database</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">normalizedData</span><span class="p">);</span> <span class="c1">// Vendor waits for the database to finish...</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Success</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>The problem:</strong> If the vendor sends 500 webhooks a second and your database takes 200ms to insert a record, the database connection pool will max out. Requests will queue up, memory will spike, and the connection will close. The data is gone forever.</p> <h2> Step 1: Implementing "Catch and Release" </h2> <p>The golden rule of webhook ingestion is to acknowledge receipt immediately. We want to return a <code>200 OK</code> or <code>202 Accepted</code> status back to the vendor <em>before</em> we do any heavy lifting.</p> <p>To do this safely without losing the data in memory if the server crashes, we push the raw payload to a persistent background queue.</p> <p>First, install BullMQ and Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>bullmq ioredis </code></pre> </div> <p>Next, configure the queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Queue</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bullmq</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Redis</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ioredis</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Connect to Redis</span> <span class="kd">const</span> <span class="nx">redisConnection</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span><span class="p">);</span> <span class="c1">// Create the ingestion queue</span> <span class="kd">const</span> <span class="nx">webhookQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span><span class="dl">'</span><span class="s1">webhook-ingestion</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">redisConnection</span> <span class="p">});</span> </code></pre> </div> <p>Now, rewrite the Express route to catch the payload, queue it, and release the connection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook/inventory</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// 1. Push raw data to Redis immediately</span> <span class="k">await</span> <span class="nx">webhookQueue</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">process-inventory</span><span class="dl">'</span><span class="p">,</span> <span class="nx">payload</span><span class="p">,</span> <span class="p">{</span> <span class="na">attempts</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">backoff</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">exponential</span><span class="dl">'</span><span class="p">,</span> <span class="na">delay</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// 2. Release the vendor connection instantly</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">202</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Accepted for processing</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to queue webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Internal Server Error</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>With this pattern, your Express server can handle thousands of requests per second. The route does nothing but write JSON to Redis, which is incredibly fast.</p> <h2> Step 2: Processing the Queue Safely </h2> <p>Now that the data is safely persisted in Redis, we can process it at our own pace using a BullMQ Worker. This worker runs on a separate thread (or an entirely separate server) so it never blocks our Express API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Worker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bullmq</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Worker</span><span class="p">(</span><span class="dl">'</span><span class="s1">webhook-ingestion</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="nx">job</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">job</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="c1">// Now we can safely perform heavy processing</span> <span class="kd">const</span> <span class="nx">normalizedData</span> <span class="o">=</span> <span class="nf">heavyDataTransformation</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="c1">// If the database is locked, it throws an error, </span> <span class="c1">// and BullMQ automatically retries based on our backoff strategy.</span> <span class="k">await</span> <span class="nx">database</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">normalizedData</span><span class="p">);</span> <span class="p">},</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">redisConnection</span> <span class="p">});</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">completed</span><span class="dl">'</span><span class="p">,</span> <span class="nx">job</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Job </span><span class="p">${</span><span class="nx">job</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2"> processed successfully`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">job</span><span class="p">,</span> <span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Job </span><span class="p">${</span><span class="nx">job</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2"> failed:`</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Conclusion </h2> <p>By implementing the Catch and Release pattern, you separate the HTTP transport layer from your business logic. </p> <ol> <li> <strong>Express</strong> acts purely as a lightning-fast catcher's mitt.</li> <li> <strong>Redis/BullMQ</strong> acts as the shock absorber, holding the data safely.</li> <li> <strong>The Worker</strong> acts as the engine, processing data only as fast as your database can handle it.</li> </ol> <p>This architecture ensures zero data loss, prevents database exhaustion, and keeps external vendors happy with lightning-fast response times.</p> api architecture javascript node