Trying to insert data with authenticated user to a table with RLS enabled doesn't work.

Delyanskiiii

05/25/2023, 3:58 PM
I have a user that is authenticated but can only insert data into a table when the RLS expression is set to true and the target roles are all public. Changing either of these results in an error. The same table works with other clients that have been registered for months. The difference is they are running on supabase python sdk==0.5.3 and the one I am currently trying to get to work is on the newest python one==1.0.3. I can also send the code, but it is identical between the two versions. There are policies for inserting, updating and selecting; I am also using returning='minimal' and have tried every iteration possible. It seems like the user can't access auth.uid() and doesn't count as authenticated, but when getting the session it says it is, and checking through the dashboard also proves it is. I have no more ideas how to debug this, so any help would be appreciated.

https://cdn.discordapp.com/attachments/1111322380472680578/1111322381277991003/image.png

https://cdn.discordapp.com/attachments/1111322380472680578/1111322381693223022/image.png

https://cdn.discordapp.com/attachments/1111322380472680578/1111322382062325852/image.png


garyaustin

05/25/2023, 4:07 PM
Seems like for some reason the Authorization header is not getting set. Usually that means there is no session when the call is made so the Authorization header stays anon. The aud claim is not involved, role is what is used. You could try anon for RLS policy role and true policy and if that works then it confirms the header is the anon key still.
To clarify, just reread your description, you have only a single user with this issue? If so what is the role claim in the jwt/session/access token?

Delyanskiiii

05/25/2023, 4:18 PM
All the new users I set up with the new version have this problem. Indeed, setting target roles to anon allows operations. How can I inspect and fix the header?

garyaustin

05/25/2023, 4:20 PM
I don't know python or that client. Seems like session is not getting into the client when you make the call. You should also look at both the main python client and postgrest client associated with it for issues similar to this. If you can see network requests you can see the header, but that is not root cause and really only confirms what setting anon in the policy confirmed.

Delyanskiiii

05/25/2023, 4:34 PM
This fixes the problem. Thank you for the quick response.