
MULTI-TENANT PROPERTY TEST

multi-tenant-property-test.ts

Property-based isolation test: for any orgs A, B, A's writes never appear in B's reads. The test that survives every refactor.

Stark

WHAT THIS PATTERN TEACHES

Why regression tests are insufficient for multi-tenant isolation (they lock known cases, not the property). How to generate random org pairs and write payloads to surface unknown cross-tenant leaks.

WHEN TO USE THIS

Every project with org_id (or tenant_id, workspace_id) scoping. Run in CI on every PR. Caught 10 multi-tenant bugs in Caroline's first-user-test that prior gauntlets missed.

AT A GLANCE

test('writes by org A never appear in reads by org B', async () => {
  await fc.assert(fc.asyncProperty(
    fc.constantFrom(...readEndpoints),
    randomPayload(),
    async (endpoint, payload) => { /* leak check */ },
  ));
});
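
The leak check sketched above, as a dependency-free added example that is not part of the pattern's own code. It assumes a hypothetical in-memory backend with a planted prefix-match bug, and a seeded LCG stands in for fast-check's generators so the run is reproducible. A fixed regression pair such as orgs 1 and 2 passes against this backend, while random org pairs reach the leak.

```typescript
// Added example: in-memory stand-in for the harness. Every name is hypothetical.
type Row = { id: string; orgId: number; endpoint: string; body: string };

// Constructed backend with a planted bug: '/notes' scopes reads by exact org id,
// '/search' matches the org id as a string prefix, so org 1 also sees rows
// written by orgs 10..19.
function makeStore() {
  const rows: Row[] = [];
  return {
    endpoints: ['/notes', '/search'],
    write(orgId: number, endpoint: string, body: string): string {
      const id = 'row-' + rows.length;
      rows.push({ id, orgId, endpoint, body });
      return id;
    },
    read(orgId: number, endpoint: string): Row[] {
      return rows.filter(r => r.endpoint === endpoint && (endpoint === '/search'
        ? String(r.orgId).indexOf(String(orgId)) === 0 // bug: prefix match
        : r.orgId === orgId));
    },
  };
}

// One trial: org A writes to every endpoint, then org B reads every endpoint.
// Returns the endpoints where B's read contained a row id that A created.
function leaksFor(a: number, b: number, body: string): string[] {
  const store = makeStore(); // fresh state per trial, like resetDb()
  const written = store.endpoints.map(e => store.write(a, e, body));
  return store.endpoints.filter(e =>
    store.read(b, e).some(r => written.indexOf(r.id) !== -1));
}

// The property: for random distinct org pairs and payloads, leaksFor is empty.
// Returns the first counterexample found, or null if every trial passed.
function findCounterexample(runs: number, seed: number) {
  let s = seed >>> 0;
  const rand = (n: number): number => {
    s = (s * 1664525 + 1013904223) % 4294967296; // seeded LCG, exact in doubles
    return Math.floor((s / 4294967296) * n);
  };
  for (let i = 0; i < runs; i++) {
    const a = 1 + rand(20);
    let b = 1 + rand(19);
    if (b >= a) b++; // skip a, so the two orgs always differ
    const leaks = leaksFor(a, b, 'payload-' + rand(1000000));
    if (leaks.length > 0) return { a, b, leaks };
  }
  return null;
}
```

In a real suite the same check runs through the project's harness against every read endpoint, and the failing org pair is what goes into the bug report.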

FRAMEWORK IMPLEMENTATIONS

TypeScript
import { describe, test, beforeEach } from 'vitest';
import fc from 'fast-check';

// Harness contract — your project provides:
declare const harness: {
  createOrg(): Promise<{ id: number; apiKey: string; userId: string }>;
  writeAsOrg(org: { apiKey: string }, endpoint: string, payload: unknown): Promise<{ id: string }>;
  readAsOrg(org: { apiKey: string }, endpoint: string): Promise<Array<{ id: string }>>;
  listAllReadEndpoints(): string[];
  listAllWriteEndpoints(): string[];
  resetDb(): Promise<void>;
};

describe('multi-tenant isolation property', () => {
  beforeEach(async () => harness.resetDb());

  test('writes by org A never appear in reads by org B', async () => {
    await fc.assert(
      fc.asyncProperty(
        fc.constantFrom(...harness.listAllWriteEndpoints()),