
Multi-Tenant Apps Should Derive Tenant Context from User Identity, Not Requests


A common security flaw in multi-tenant SaaS applications involves resolving the active tenant from client-controlled inputs such as subdomains or HTTP headers, rather than from the authenticated user's organization membership. This approach makes the client the source of truth for tenant scoping, creating a risk that users could access data belonging to tenants they are not part of. The recommended fix is to derive tenant context exclusively from the authenticated user's server-side organization record inside a dedicated middleware, rejecting requests with no valid organization with a 403 error. This ensures tenant resolution fails closed — meaning access is denied rather than guessed when context is missing. A single automated test that verifies a user cannot be scoped to a foreign tenant, regardless of request headers, is advised to prevent silent regressions.
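The middleware and regression test described above, as an added example that is not code from the original article. It is framework-free; the `Request`/`Response` classes, the `X-Tenant-ID` header name, the in-memory `MEMBERSHIPS` store and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed server-side membership store: user id -> organization id.
MEMBERSHIPS = {"alice": "org-a", "bob": "org-b", "carol": None}
# Constructed per-tenant data.
DOCUMENTS = {"org-a": ["a-roadmap"], "org-b": ["b-payroll"]}

@dataclass
class Request:
    user_id: str                      # set by the authentication layer, never by the client
    headers: dict                     # client-controlled
    host: str = "app.example.test"    # client-controlled (subdomain)
    tenant_id: Optional[str] = None   # written only by tenant_middleware

@dataclass
class Response:
    status: int
    body: str = ""

def tenant_middleware(handler: Callable[[Request], Response]) -> Callable[[Request], Response]:
    """Resolve the tenant from the authenticated user's stored organization only."""
    def wrapped(request: Request) -> Response:
        org_id = MEMBERSHIPS.get(request.user_id)
        if not org_id:
            # Fail closed: no valid organization means a 403, not a guessed tenant.
            return Response(403, "no organization for this user")
        # The X-Tenant-ID header and the subdomain are deliberately never read.
        request.tenant_id = org_id
        return handler(request)
    return wrapped

@tenant_middleware
def list_documents(request: Request) -> Response:
    # Handlers scope every query by the tenant the middleware resolved.
    return Response(200, ",".join(DOCUMENTS[request.tenant_id]))

def test_user_cannot_be_scoped_to_foreign_tenant() -> None:
    # alice belongs to org-a; every client-controlled input claims org-b.
    forged = Request("alice", {"X-Tenant-ID": "org-b"}, host="org-b.example.test")
    response = list_documents(forged)
    assert forged.tenant_id == "org-a"
    assert response.status == 200 and "b-payroll" not in response.body
    # A user with no organization, or one unknown to the store, is rejected.
    assert list_documents(Request("carol", {"X-Tenant-ID": "org-a"})).status == 403
    assert list_documents(Request("mallory", {"X-Tenant-ID": "org-a"})).status == 403

if __name__ == "__main__":
    test_user_cannot_be_scoped_to_foreign_tenant()
    print("tenant isolation test passed")
```
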

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.
