Skip to content

ChamHerry/multi-tenant-saas

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

50 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Multi-Tenant SaaS Platform Template

License: AGPL v3 Go Version React PostgreSQL Docker

Production-ready GoFrame + React template for building multi-tenant SaaS applications.

Start building your SaaS product today β€” with authentication, multi-tenancy, RBAC, and audit logging already solved.

Quick Start Β· Documentation Β· Roadmap Β· Contributing


What is this?

A batteries-included SaaS control-plane that handles everything every multi-tenant application needs β€” so you can focus on your product's unique value instead of rebuilding auth, tenants, permissions, and audit trails from scratch.

The problem: Every SaaS product needs the same foundation: user registration, tenant isolation, role-based access control, API key management, audit logging. Rebuilding this for each new product wastes weeks.

This solution: Clone this template, add your business tables (bound to tenant_id), and you have a working SaaS product in hours, not months. It's intentionally stripped of billing, quotas, and package management β€” you add your own commercial model on top.

Table of Contents

✨ Features

Authentication & Sessions

  • Password login with bcrypt-hashed credentials
  • Session management with secure HTTP-only cookies
  • CSRF protection via double-submit cookie pattern
  • Login attempt tracking with configurable account lockout
  • Password reset flow with time-limited tokens
  • Email verification workflow

Multi-Tenancy

  • Tenant context resolution β€” automatic tenant detection from request headers, path, or query parameters
  • Tenant membership β€” invite users, manage roles (Owner, Admin, Member, Viewer)
  • Tenant isolation β€” all queries scoped by tenant, enforced at the middleware layer
  • Lazy tenant creation β€” tenants are created on first meaningful action, not at registration
  • Tenant lifecycle jobs β€” automated provisioning and cleanup

Access Control

  • Tenant-level RBAC β€” 4 built-in roles with granular permissions
  • Platform-level RBAC β€” separate admin roles (Super Admin, Support, Auditor) for managing the platform itself
  • Permission middleware β€” declarative RequirePermission checks on every endpoint
  • API key management β€” personal API keys with tenant-scoped grants

Audit & Observability

  • Comprehensive audit logs β€” every write operation is recorded with actor, target, action, and metadata
  • Tenant-scoped audit trail β€” tenants can view their own audit history
  • Platform audit view β€” admins can search across all tenants
  • OpenTelemetry tracing and Prometheus metrics endpoints
  • Structured logging with request ID propagation

Platform Administration

  • System configuration UI β€” manage platform settings without touching code
  • Setup wizard β€” guided first-time installation flow
  • User management β€” platform admins can view and manage users across tenants
  • CLI tooling β€” 12+ CLI commands for tenant/user/admin lifecycle management

Developer Experience

  • Docker Compose β€” one-command startup for the full stack
  • Database migrations with up/down support (60+ versioned migrations)
  • Go E2E test framework β€” full HTTP-level integration tests
  • TypeScript frontend with lazy-loaded routes and TanStack Query
  • Internationalization β€” built-in i18n with Chinese support

πŸ— Architecture

graph TB
    subgraph "Frontend"
        REACT[React 19 SPA<br/>Vite + Tailwind CSS]
    end

    subgraph "API Layer"
        AUTH[Auth Middleware<br/>Session / API Key]
        CSRF[CSRF Middleware]
        TENANT[Tenant Resolver<br/>Header / Path / Query]
        RBAC[RBAC Middleware<br/>Permission Check]
        ADMIN[Platform Admin<br/>Middleware]
    end

    subgraph "Service Layer"
        AUTH_SVC[Authentication]
        USER_SVC[User Management]
        TENANT_SVC[Tenant & Members]
        INVITE_SVC[Invitations]
        APIKEY_SVC[API Keys]
        AUDIT_SVC[Audit Logging]
        TOTP_SVC[TOTP 2FA]
        SETUP_SVC[Setup Wizard]
        CONFIG_SVC[System Config]
    end

    subgraph "Data"
        PG[(PostgreSQL 16<br/>Control Plane DB)]
        REDIS[(Redis<br/>Cache & Sessions)]
    end

    REACT -->|HTTP| AUTH
    AUTH --> CSRF --> TENANT --> RBAC --> ADMIN
    RBAC --> AUTH_SVC & USER_SVC & TENANT_SVC & INVITE_SVC & APIKEY_SVC & AUDIT_SVC & TOTP_SVC & SETUP_SVC & CONFIG_SVC
    AUTH_SVC & USER_SVC & TENANT_SVC & INVITE_SVC & APIKEY_SVC & AUDIT_SVC --> PG
    AUTH_SVC --> REDIS
Loading

Request flow: Rate Limit β†’ Auth β†’ CSRF β†’ Tenant Resolver β†’ RBAC β†’ Platform Admin β†’ Controller β†’ Logic β†’ DAO

Design principles:

  • Tenant is the security, audit, and data isolation boundary
  • Platform admins manage the platform but cannot bypass tenant audit
  • Business tables only need a tenant_id column + a foreign key β€” isolation is automatic
  • The template deliberately excludes billing, quotas, subscriptions β€” you add your commercial model

πŸ›  Tech Stack

Layer Technology Version
Backend Framework GoFrame v2.10
Language Go 1.25
Frontend React + TypeScript 19
Build Tool Vite latest
CSS Tailwind CSS v4
Routing React Router v7
Data Fetching TanStack Query latest
State Zustand latest
Validation Zod latest
Charts Recharts v3
Icons Lucide React latest
i18n i18next v26
Database PostgreSQL 16
Cache Redis 7
Migrations golang-migrate v4
2FA pquerna/otp v1
OAuth2 golang.org/x/oauth2 latest
Telemetry OpenTelemetry latest

πŸš€ Quick Start

Prerequisites

  • Docker and Docker Compose
  • Or: Go 1.25+, Node.js 22+, PostgreSQL 16+, Redis 7

Option 1: Docker (Recommended)

# Clone and start everything
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas
scripts/manage-docker.sh start

# The app is at http://127.0.0.1:8000
# PostgreSQL is on localhost:55432 (inside Docker network only by default)

Option 2: Docker Dev Mode (with hot-reload)

# Start dev environment with source mounting
scripts/manage-docker.sh dev

Option 3: Manual Setup

# Clone the repo
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas

# Start infrastructure
docker compose up -d postgres redis

# Install frontend dependencies and build
cd web && npm install && npm run build && cd ..

# Run the server (serves both API and SPA)
go run .

# Or use Makefile targets
make dev          # go run .
make web          # npm run dev (frontend dev server)
make build        # npm build + Go build

The app will be available at http://127.0.0.1:8000.

On first launch, the Setup Wizard guides you through creating the initial platform admin account. Once set up, you can start creating tenants and inviting users.

Docker Management Commands

scripts/manage-docker.sh help      # Show all commands
scripts/manage-docker.sh start     # Start all services
scripts/manage-docker.sh stop      # Stop all services
scripts/manage-docker.sh logs      # View logs
scripts/manage-docker.sh psql      # Open PostgreSQL shell
scripts/manage-docker.sh clean     # Stop and remove containers/volumes
scripts/manage-docker.sh status    # Show service status

πŸ’» Usage

API Overview

All tenant-scoped endpoints require authentication and pass through the middleware chain.

# Authentication
POST /api/v1/auth/register          # Register new user
POST /api/v1/auth/login             # Login with password
POST /api/v1/auth/logout            # End session
POST /api/v1/auth/forgot-password   # Request password reset
POST /api/v1/auth/verify-email      # Verify email address

# Current User
GET  /api/v1/me                     # Get current user profile
GET  /api/v1/me/sessions            # List active sessions

# Tenants
GET    /api/v1/tenants              # List my tenants
POST   /api/v1/tenants              # Create a tenant
GET    /api/v1/tenants/{id}         # Get tenant details
PATCH  /api/v1/tenants/{id}         # Update tenant

# Members (tenant-scoped)
GET    /api/v1/tenants/{tenant}/members        # List members
POST   /api/v1/tenants/{tenant}/members        # Add member

# Invitations
POST   /api/v1/tenants/{tenant}/invitations    # Invite user
GET    /api/v1/me/invitations                  # My pending invitations

# API Keys
POST   /api/v1/api-keys                        # Create personal API key
GET    /api/v1/api-keys                        # List my API keys

# Audit Logs
GET    /api/v1/tenants/{tenant}/audit-logs     # View tenant audit trail

# Platform Admin
GET    /api/v1/admin/tenants                   # List all tenants
GET    /api/v1/admin/users                     # List all users
GET    /api/v1/admin/audit-logs                # Cross-tenant audit view
GET    /api/v1/admin/system-config             # System configuration

CLI Commands

The binary includes management commands for scripting and operations:

# Tenant management
repomind tenant-create --name "Acme Corp" --slug "acme-corp"
repomind tenant-member-add --tenant-id <id> --user-id <id> --role admin
repomind tenant-member-list --tenant-id <id>
repomind tenant-lifecycle-run

# User management
repomind user-upsert --email user@example.com --name "Jane Doe"
repomind user-password-set --user-id <id> --password <pw>
repomind user-session-revoke --user-id <id>
repomind user-tenant-list --user-id <id>

# Platform admin
repomind platform-admin-grant --user-id <id> --role super_admin

# Context debugging
repomind tenant-context-resolve --host example.com --header "X-Tenant-ID: acme-corp"

Testing

make test             # Unit tests + integration tests
make test-unit        # Unit tests only (~1s)
make test-integration # Integration tests (requires PostgreSQL)
make test-e2e         # Full end-to-end tests (starts Docker, runs test suite)

πŸ“ Project Structure

.
β”œβ”€β”€ api/                    # API request/response struct definitions
β”‚   β”œβ”€β”€ auth/               #   Auth endpoints (register, login, reset, verify)
β”‚   β”œβ”€β”€ tenant/             #   Tenant CRUD endpoints
β”‚   β”œβ”€β”€ member/             #   Membership management
β”‚   β”œβ”€β”€ invitation/         #   Invitation flow
β”‚   β”œβ”€β”€ apikey/             #   Personal API key management
β”‚   β”œβ”€β”€ audit/              #   Audit log queries
β”‚   β”œβ”€β”€ admin/              #   Platform admin endpoints
β”‚   β”œβ”€β”€ me/                 #   Current user endpoints
β”‚   β”œβ”€β”€ setup/              #   Setup wizard endpoints
β”‚   └── totp/               #   2FA endpoints
β”œβ”€β”€ internal/
β”‚   β”œβ”€β”€ controller/         # HTTP controllers (thin, delegates to logic)
β”‚   β”œβ”€β”€ middleware/         # Middleware chain (auth, csrf, tenant, rbac, ...)
β”‚   β”œβ”€β”€ service/            # Service interfaces (GoFrame DI)
β”‚   β”œβ”€β”€ logic/              # Business logic implementations
β”‚   β”œβ”€β”€ dao/                # Data access objects (auto-generated)
β”‚   β”œβ”€β”€ table/              # Database table structs (auto-generated)
β”‚   └── cmd/                # CLI commands + server entry point
β”œβ”€β”€ web/                    # React 19 SPA
β”‚   └── src/
β”‚       β”œβ”€β”€ features/       # Domain modules (auth, tenants, audit, ...)
β”‚       β”œβ”€β”€ pages/          # Route-level page components
β”‚       β”œβ”€β”€ shared/         # Shared utilities, UI kit, API client
β”‚       β”œβ”€β”€ layouts/        # App shell, auth shell, menu config
β”‚       └── app/            # Router, providers, auth guards
β”œβ”€β”€ manifest/
β”‚   β”œβ”€β”€ config/             # Application config (YAML)
β”‚   β”œβ”€β”€ migration/          # Database migrations (up/down SQL)
β”‚   β”œβ”€β”€ docker/             # Docker runtime config
β”‚   └── deploy/             # Kubernetes Kustomize manifests
β”œβ”€β”€ docs/                   # Full documentation (architecture, DB, API, ...)
β”œβ”€β”€ scripts/                # Docker management and dev scripts
β”œβ”€β”€ test/e2e/               # Go E2E test framework and test suites
β”œβ”€β”€ hack/                   # GoFrame CLI tooling config
β”œβ”€β”€ utility/                # Shared utilities (crypto, redis, uuid)
β”œβ”€β”€ Makefile                # Build, test, dev commands
β”œβ”€β”€ docker-compose.yml      # Production-like Docker stack
β”œβ”€β”€ docker-compose.dev.yml  # Development Docker stack (source mounts)
└── LICENSE                 # GNU AGPL v3.0

πŸ“– Documentation

Document Description
Overview Project overview and core capabilities
Architecture Four-layer architecture and design principles
Database Design Table schemas, relationships, and migration guide
Multi-Tenancy Tenant context resolution and isolation explained
API Design API grouping, middleware chain, and endpoint reference
Extending the Platform How to add your own tenant-bound business tables
Deployment Production deployment guide and health endpoints
Roadmap Planned features across 6 phases
Platform Admin & Roles Two-tier RBAC system deep-dive
Lazy Tenant Creation Default organization and tenant materialization

πŸ—Ί Roadmap

See docs/roadmap.md for the full plan. Key upcoming milestones:

  • Phase 1 β€” Auth completion: Password reset, email verification, TOTP 2FA, OAuth/social login, session management
  • Phase 2 β€” Security hardening: CAPTCHA, login notifications, password policies, audit enhancements
  • Phase 3 β€” Organization: Custom roles, teams/groups, tenant branding
  • Phase 4 β€” Integration: Webhooks, email templates, file upload, bulk import/export
  • Phase 5 β€” Monetization: Billing/subscriptions, usage metering, quotas
  • Phase 6 β€” Enterprise: SAML/OIDC SSO, SCIM provisioning, GDPR compliance

🀝 Contributing

Contributions are welcome! Here's how to get started:

Development Setup

# Clone and start dev environment
git clone https://github.com/ChamHerry/multi-tenant-saas.git
cd multi-tenant-saas

# Start infrastructure
docker compose up -d postgres redis

# Terminal 1: Go backend
go run .

# Terminal 2: React frontend dev server
cd web && npm install && npm run dev
# Frontend at http://127.0.0.1:5173, proxies API to :8000

Before Submitting

  1. Write tests for your changes
  2. Run make test to ensure nothing breaks
  3. Run make test-e2e for full integration validation
  4. Follow existing code style β€” the project uses GoFrame conventions and React/TypeScript best practices
  5. Keep PRs focused β€” one feature or fix per pull request

Commit Convention

This project uses structured commit messages with sections: What, How, Why, Details, and Impact.

πŸ“„ License

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0) β€” see the LICENSE file for details.

What this means:

  • βœ… You can use, modify, and distribute this software
  • βœ… You can use it for commercial purposes
  • ⚠️ If you modify the code and provide it as a network service (SaaS), you must make your modifications publicly available under the same license
  • ⚠️ Any derivative works must also be licensed under AGPL-3.0

For alternative licensing (e.g., commercial closed-source use), contact the copyright holder.


Built with GoFrame, React, and PostgreSQL

About

No description, website, or topics provided.

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors