Learn how to integrate Nile Auth with your Express.js application. The integration allows the application to interact with Nile’s APIs and databases, providing tenant-aware data management.

This guide provides an overview of how to use Nile-Auth core functionality with an Express.js application. We’ll cover the following topics:

  • Authentication, cookies, sessions
  • Tenant isolation
  • Securing endpoints
It is important to note that the Auth service is designed to work with actions a user would take in the context of your B2B web application.

Authentication

1

Create a new app

mkdir express-app
cd express-app
npm init -y
2

Install Dependencies

npm install @niledatabase/server @niledatabase/react express dotenv --save
3

Obtain Database Credentials

  1. If you haven’t signed up for Nile yet, sign up here and follow the steps to create a database.
  2. Navigate to Database Settings in your database’s UI at console.thenile.dev.
  3. Go to Connection settings.
  4. Select the CLI icon, and click Generate credentials
  5. Copy the required credentials and store them in an .env file so they can be used in the application to connect to the Nile auth service. 
    NILEDB_USER=niledb_user
NILEDB_PASSWORD=niledb_password
NILEDB_API_URL=https://us-west-2.api.thenile.dev/v2/databases/<database_id>
NILEDB_POSTGRES_URL=postgres://us-west-2.db.thenile.dev:5432/<database_name>
4

Implement server

Create a new file called server.mjs and add the following code:

server.mjs
import "dotenv/config";
import express from "express";
import { Nile } from "@niledatabase/server";
import { NileExpressHandler } from "@niledatabase/server/express";

const startServer = async () => {
    try {
        const app = express();
        const nile = await Nile();
        const { paths, handler } = await NileExpressHandler(nile);
        

        app.use(express.json());
        app.use(express.urlencoded({ extended: true }));

        app.get(paths.get, handler);
        app.post(paths.post, handler);
        app.put(paths.put, handler);
        app.delete(paths.delete, handler);

        const PORT = process.env.PORT || 3040;
        app.listen(PORT, () => {
            console.log(`Server is running on port ${PORT}`);
        });
    } catch (error) {
        console.error("Error starting server:", error);
        process.exit(1);
    }
};

startServer();
5

Run the server

node server.mjs
6

Obtain user credentials

Nile auth uses cookies to store session information. To obtain them via cURL, create a file called get_cookies.sh and add the following code:

get_cookies.sh
#!/bin/bash

# Ensure EMAIL and PASSWORD are provided
if [ $# -lt 2 ]; then
  echo "Usage: $0 <EMAIL> <PASSWORD> [API_URL]"
  exit 1
fi

EMAIL="$1"
PASSWORD="$2"
API_URL="${3:-http://localhost:3040}"  # Default to localhost if not provided

# Define cookie file names
csrf_cookie_file="csrf_cookies.txt"
login_cookie_file="login_cookies.txt"

# Define API endpoints
CSRF_URL="$API_URL/api/auth/csrf"
LOGIN_URL="$API_URL/api/signup"

# Fetch CSRF token and store cookies
csrf_token=$(curl -s -X GET "$CSRF_URL" -c "$csrf_cookie_file" | jq -r '.csrfToken')

# Exit if CSRF token is missing
[ -z "$csrf_token" ] || [ "$csrf_token" == "null" ] && { echo "Failed to retrieve CSRF token"; exit 1; }

# Perform login request using CSRF token and cookies
curl -s -X POST "$LOGIN_URL" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -b "$csrf_cookie_file" \
  --cookie-jar "$login_cookie_file" \
  --data-urlencode "csrfToken=$csrf_token" \
  --data-urlencode "email=$EMAIL" \
  --data-urlencode "password=$PASSWORD" >/dev/null

# Output login cookie file info
echo "Login successful. Use $login_cookie_file for authenticated requests:"
echo "curl \"$API_URL/api/me\" -b $login_cookie_file"

Set the permissions to be executable

chmod +x get_cookies.sh

Run the command with the required params

./get_cookies.sh spongebob@squarepants.com no-this-is-patrick

# You should see the following output
# Login successful. Use login_cookies.txt for authenticated requests:
# curl "http://localhost:3040/api/me" -b login_cookies.txt

You can then curl the API with the cookies

curl "http://localhost:3040/api/me" -b login_cookies.txt

# You should see the following output
# {"email":"spongebob@squarepants.com","name":"Spongebob Squarepants","tenantId":"0192830912830912"}

Tenant Isolation and Secure Endpoints

Since Nile-Auth is designed to work with B2B applications, it is important to understand how to work with tenants, their access to data, and how to secure endpoints.

We are going to extend the previous example with new functionality. We’ll add a new table to the database, and a new endpoint that queries the data, making sure the endpoint is both secure and isolated to the tenant.

1

Create a Tenant

You do not need a new endpoint in order to extand your application with tenant functionality. Nile’s SDK includes generated routes for managing tenants. We just need to call them:

curl -X POST 'localhost:3040/api/tenants' \
  -H 'Content-Type: application/json' \
  -d '{"name":"my first customer"}' \
  -b login_cookies.txt
2

Extract the tenant ID from the request params

There are multiple ways to pass the current tenant to the web app on each request. You can pass it as a param, a header, or a cookie. In this example we’ll pass it as a param.

Add the following code to your server.mjs file, just after the app.use(express.urlencoded({ extended: true })); line. This will extract the tenant ID from the request params, and configure the nile client to use it as the current tenant before handling any request.

server.mjs

app.param("tenantId", (req, res, next, tenantId) => {
  nile.tenantId = tenantId;
  next();
});
3

Create a Tenant-Aware Todos Table

In Nile console or another database client of your choice, run the following SQL to create a new table called todos and populate it with some example tasks.

CREATE TABLE IF NOT EXISTS todos (
    id uuid DEFAULT (gen_random_uuid()),
    tenant_id uuid,
    title varchar(256),
    estimate varchar(256),
    embedding vector(768),
    complete boolean
);

-- Insert sample data. Make sure you replace the tenant_id with the one you created in the previous step.
INSERT INTO todos (tenant_id, title, estimate, complete)
VALUES
  ('019637b6-6d72-774b-9796-8c35813f9f78', 'Finish Express integration', '2h', false),
  ('019637b6-6d72-774b-9796-8c35813f9f78', 'Write documentation', '1h', false);
4

Add route

Add a route that takes a tenant Id and queries the database. if app.param is set (as we did in the previous step), the query will automatically be isolated to the current tenant. See how it returns data onlyfor the tenant we requested even if there are multiple tenants in the database and even though the query does not include a tenant_id filter.

Add the following code to your server.mjs file, just after the app.delete(paths.delete, handler); line:

server.mjs

// Get all tasks for tenant
app.get("/api/tenants/:tenantId/todos", async (req, res) => {
  try {
    // the nile.tenantId is set in the previous `app.param`
    const todos = await nile.db.query(`SELECT * FROM todos ORDER BY title`);
    res.json(todos.rows);
    return;
  } catch (error) {
    console.log("error listing tasks: " + error.message);
    res.status(500).json({ message: "Internal Server Error" });
    return;
  }
});
5

Securing Routes

The route we created is isolated to a specific tenant, however at this point, any user can call it. It is not secure. Lets protect it by checking if the user is authenticated. Add the following code to your server.mjs file, just after the app.get("/api/tenants/:tenantId/todos", async (req, res) => { line:

  const session = await nile.api.auth.getSession(req);
  if (!session?.user) {
    res.status(401).json({ message: "Unauthorized" });
    return;
  }

You can add this logic in a middleware function, so it will be applied to all routes that need to be protected.

6

Run the server

If you haven’t already, run the server:

node server.mjs
7

Test the route

First, lets try to access the route without authentication. Make sure you replace the tenantId with the one you created in the previous step.

curl "http://localhost:3040/api/tenants/019637b6-6d72-774b-9796-8c35813f9f78/todos"

# You should see the following output
# {"message":"Unauthorized"}

Now, lets try to access the route with authentication. Make sure you replace the tenantId with the one you created in the previous step.

# First, authenticate the user
./get_cookies.sh spongebob@squarepants.com no-this-is-patrick 

# Then, access the route, using the cookies we got in the previous step
curl "http://localhost:3040/api/tenants/019637b6-6d72-774b-9796-8c35813f9f78/todos" -b login_cookies.txt

# You should see the following output
# [{"id":"019637b6-6d72-774b-9796-8c35813f9f78","title":"Finish Express integration","estimate":"2h","complete":false},{"id":"019637b6-6d72-774b-9796-8c35813f9f78","title":"Write documentation","estimate":"1h","complete":false}]