Ash multi-tenant umbrella app project

I was wondering if it’d make sense and how feasible it is to have a multi-tenant project composed of 2 phoenix apps.

One app is just an API with ash_json_api to serve the end-users, and the other is a dashboard on top of the same database, for the tenants.
The dashboard app has an AshAuthentication setup for the main users (magic link login) and the API app has another AshAuthentication setup with email/password.

Both apps use the same database with schema-based multitenancy, but the dashboard also operates on the public schema for the main users (for user creation and login).

This way I could cleanly separate the 2 sides of the system, but then it’d be a mess having to keep in sync the shared domain and resources. In one I’d have to put json api routes and in the other no.

I bet there is something I’m missing and I could be able to derive the 2 apps from the same resources. Right now it’s one single otp_app that offers both json api routes and html dashboard routes. One problem is that Ash authentication is picking up both the main-user and end-user resources when accessing the dashboard (it shows both magic link and email/pass at login, and the conn has both current_user and current_end_user).

I’d like to avoid that. Also what if I need to start scaling and replicate the API? The dashboard side won’t need to scale up, probably, while the API side might receive a lot of traffic. For instance I could have 1 single user that in turn has 1 million end-users. The dashboard is used by 1 and the API is used by 1 million.

So, my question is basically how to organize such a project. Would it be possible to separate the project into a multi-app monorepo project or an umbrella project where I have:

  • 1 otp_app with all the shared domain and resource (with both dashboard-specific actions and json api routes);
  • 1 app for the dashboard with the router for the dashboard routes + the main accounts domain and resource with ash authentication on top;
  • 1 app for the API which has a very simple router to just redirect to the AshJsonApi Router in the shared app, plus its own end-user domain+resource with another ash authentication.

I didn’t try anything yet and it might be a silly idea that won’t work. I’d like to know from more experienced people how to organize a project like that with ash.

We often don’t tend to split Ash apps up in that way, but there shouldn’t be any reason you can’t do it :slight_smile:

As for the question about it displaying both user resources, IIRC there is an option you can use to restrict which user resources get their authentication strategies displayed. Pretty sure it’s an option in the router code.

2 Likes

@zachdaniel could you point me to the docs where I can restrict the user resources in the router? I can’t manage to find how to do it :frowning:

Looks like you’re right, and there is not a way to manually select the resources. I don’t have time to fully test this out myself, but I’ve pushed the changes required to support this to a branch, the PR is here: improvement: allow setting a subset of resources on sign in by zachdaniel · Pull Request #593 · team-alembic/ash_authentication_phoenix · GitHub

You would use this as sign_in_route ...., resources: [A.Specific.Resource]

2 Likes

Awesome! I think it will be a nice addition. I believe I saw around the forum other people needing something like this, too. I’ll try the branch out as soon as I can

1 Like

I finally had the time to try the branch out and it works as expected :slight_smile: