# help-and-questions
  • Do I need RLS?

    TARS

    08/13/2022, 1:05 PM
    Hello, I've made a simple admin app with next.js and supabase. Because it's an admin app I only have protected routes here. The app uses the magic links guide for auth that is in the next.js starter guide, and it works very well. The problem now is that I only want to have x static set of users being able to get these magic links. Right now anyone can put in their e-mail and they get a magic link and is authed. To the question, do I have to start working on RLS and stuff or can I somehow just choose x set of static users that are allowed to get the magic links and get authed? This is the _apps.js in next.js.
    ```js
    function MyApp({ Component, pageProps }) {
      const [session, setSession] = useState(null);

      useEffect(() => {
        setSession(supabase.auth.session());

        supabase.auth.onAuthStateChange((_event, session) => {
          setSession(session);
        });
      }, []);

      return (
        <>
          {!session ? (
            <Login />
          ) : (
            <SideBarProvider>
              <Layout>
                <Component {...pageProps} key={session.user.id} session={session} />
              </Layout>
            </SideBarProvider>
          )}
        </>
      );
    }
    ```
  • Link provider after sign in

    Amos

    08/13/2022, 2:32 PM
    I was wondering if there was a way to link auth providers to an account after signing in? For example if a user signs in with Twitter, it would be great if they could then link their Discord account as well.
  • Ensure edge function is invoked only with valid service-role key

    gorbypark

    08/13/2022, 6:01 PM
    I've got a function that's going to only be invoked by a database webhook and want to ensure that only the service-role key can invoke it. I've copied the service-role key into an Authorization header in the database webhook and everything is working fine on that front. My question is, is there a way to ensure an edge function can only be invoked by a service-role key? This seems like something that should happen at the Kong (API gateway) level and not in the edge function itself. I'm sure I can parse the token and check the role in javascript/the edge function, just wanted to make sure I'm not missing some setting somewhere to do it at the API gateway.
  • Row Level Security for custom auth?

    oxlory

    08/13/2022, 7:30 PM
    Hello, is it possible to use RLS with a custom auth implemented with something like a user table, without supabase auth?
  • Frontend security help

    Gruce

    08/13/2022, 9:48 PM
    Hello, I have a `profiles` table which has a `points` column. When an authenticated user buys an item inside the app I need to subtract the item `price` from `points` and then add the item `id` to the `users_items` table. If he has fewer points he can't get that item. How could I do that from a security perspective? Because if I do it from the frontend he could add it directly from Postman or any POST request. Thank you.
  • I'm using supabase_flutter ^1.0.0-dev.3 and it has a problem with gotrue ^1.0.0-dev.3.

    kevindmoore

    08/13/2022, 10:43 PM
    This is the error I get: ../../../flutter/.pub-cache/hosted/pub.dartlang.org/supabase_flutter-1.0.0-dev.3/lib/src/supabase_auth.dart:109:68: Error: The getter 'data' isn't defined for the class 'GotrueSessionResponse'. - 'GotrueSessionResponse' is from 'package:gotrue/src/gotrue_response.dart' ('../../../flutter/.pub-cache/hosted/pub.dartlang.org/gotrue-1.0.0-dev.3/lib/src/gotrue_response.dart'). I can't seem to force an older version of gotrue
  • JS inner join match single row?

    49Ryann

    08/14/2022, 3:12 AM
    I'm trying to inner join a parent which will always be a single value but it represents an array, is there an easy way to return a single value? here's the match currently, children will be fine as an array but the parent will always be singular.
    ```js
    const match = `
          *, 
          children:contact_and_type!parent_id(
            id,
            type, 
            contact:child_id(id, full_name, profile_image)
          ),
          parent:contact_and_type!child_id(
            id,
            type,
            contact:parent_id(id, full_name, profile_image)
          )`
    ```
    I currently just get the first value but I don't really like this approach:
    ```js
    contact.parent = contact.parent[0]
    ```
  • Website error

    LEGEND

    08/14/2022, 8:13 AM
    error on loading website. @User
  • How to call Notion api after logging in with Notion?

    osener

    08/14/2022, 9:35 AM
    I would like to have users login with Notion using the integration I've built and then call Notion API with the access token Supabase receives. I could not find how to retrieve the upstream Notion access token generated after Notion redirects to Supabase OAuth `https://<app>.supabase.co/auth/v1/callback?code=...&state=...`. Is this stored in the DB? I would like to avoid forcing users to go through Notion OAuth flow twice, once for supabase auth and another time for API access. Thanks in advance!
  • Unable to connect to Supabase Postgres with TLS with Deno

    onlyafly

    08/14/2022, 10:07 AM
    I have been following the instructions here https://deno-postgres.com/#/?id=ssltls-connection to connect to Postgres with an enforced TLS connection, but it seems to not work with the cert issued by Supabase. I get an invalid certificate exception. Any ideas?
  • Storage CDN not working or wrong URL?

    Waldemar

    08/14/2022, 10:54 AM
    I've tested a URL from Supabase Storage vs. my current CDN (DigitalOcean Spaces) and there is a huge difference. I've got the URL from Storage dashboard > Copy URL and it looks like this: `https://abghekjureweajqqcvks.supabase.co/storage/v1/object/public/public/foo.jpg`. I've run the test several times using this tool: https://speedvitals.com/ttfb-test The difference for example from Los Angeles is huge: 1.3s Supabase Storage VS 96ms DigitalOcean Spaces. It's slower significantly on average across all other test locations. Am I doing something wrong? Is there a different URL for CDN? Like via `from.list()` in JS client?
  • Sign up with provider throws 422

    Deleted User

    08/14/2022, 11:52 AM
    I want to enable signup with github and I've followed the steps from https://supabase.com/docs/guides/auth/auth-github. Whenever I execute `client.auth.signUp({ provider: 'github' })` in JS, it throws a 422 saying `Signup requires a valid password`. I don't need to provide a password when using github signup right?
  • I GET AN ERROR WHILE TRYING TO UPLOAD IMAGES FROM NEXTJS TO SUPABASE STORAGE

    samuele

    08/14/2022, 5:21 PM
    i get this error following this guide here https://nextdev1111.hashnode.dev/how-to-use-supabase-storage-upload-file-easily-and-quickly#heading-error
  • check user if exist or not

    imousart

    08/14/2022, 5:29 PM
    I have a table 'profiles' that is added to by a function on every user signup. I want to check if the user name exists in this table before signup. Is there a way other than selecting from the profiles table and checking whether the user name column matches the input or not?
  • auth with js client

    SparK

    08/15/2022, 1:10 AM
    hi! I would like to auth with a js in html, and I get this error: Cannot read properties of undefined (reading 'signIn')
  • Can someone help me to convert sql query to supabase.js statement?

    edelacruz

    08/15/2022, 6:28 AM
    select title from songs where not exists (select * from songs_composers where songs_composers.song_id = songs.id) I have this working SQL query that queries songs that do not have a composer. How do I convert this to a supabase.js statement? I tried a few things but can't get it right.
  • Get entity by ID

    vvpavle

    08/15/2022, 7:41 AM
    How to get an entity by ID using REST endpoints generated by supabase? I tried something like this "supabase-url.com/entity?id=some-id"
  • auth-helpers - can't get RLS to work from Sveltekit endpoint

    stukennedy

    08/15/2022, 10:18 AM
    I'm having a problem with the RLS for my sveltekit app from the node endpoints. It works perfectly with client-side JS, but fails when I use the new auth-helpers approach from the endpoints. I'm following the `sveltekit-magic-link` example. My query looks like this:
    ```ts
    export const POST = async ({ request, locals }: RequestEvent) =>
      withApiAuth({ user: locals.user }, async () => {
        const data = await request.formData();
        const title = data.get('title') as string;
        supabaseServerClient(request).from('projects').insert([{ title }]);
        return {
          body: { user: locals.user }
        };
      });
    ```
    I get a 403 back from the endpoint with error:
    ```js
    {
      ...
      message: 'new row violates row-level security policy for table "projects"',
      ...
    }
    ```
    I print out `locals.user` just before the call and it is authenticated. I can't find any API documentation on the auth-helpers project, just the example in the README and the examples folder. But I'm guessing the `withApiAuth({ user: locals.user }, ... )` call is setting the user from there, so don't know why my RLS isn't working. There is a note in the user object:
    ```js
      'supabase-auth-helpers-note': 'This user payload is retrieved from the cached JWT and might be stale. If you need up to date user data, please call the getUser method in a server-side context!',
    ```
    but none of the examples do that ... they just use `locals.user`. So I tried `getUser` ... it returns an authenticated user and all looks good, but I still get the same RLS error. Any ideas?
  • Assign roles at signups

    Jaaneek

    08/15/2022, 11:05 AM
    I will have two different websites connected to one supabase. One will be for normal users who can create their portfolio. The second will be for recruiters who can see portfolios. I would like to give them different access using RLS. What would be the correct/best approach?
  • Help me understand how inserting data into Supabase directly from the client can be safe

    Jesse

    08/15/2022, 1:23 PM
    Hi all, I am currently creating an app with Supabase. I understand the use case and ease of use to query supabase's data with the supabase client directly from the client. However I just can't wrap my head around how inserting data can be safe. Let's say I have a table called 'profiles', within this profile table I store username::string, avatar_url::string and a settings::jsonb column. Now, let's say the user wants to update their username, easy right? I call supabase.insert on the table and only supply the username, since the user passes the RLS auth.uid()=profile_user_id it's allowed to do so. Now let's say the user is a developer and finds out I am using supabase, extracts the jwt token and initializes the supabase client with the anon key. Now, he can also insert random avatar_url strings within the avatar_url and even a random JSONB within the settings column. This is all allowed since RLS only secures rows. I am aware of views, but views can't solve this problem, since views inherit their RLS from the underlying table so this table is still insertable by the user, so the developer can just insert into the table directly. Anything I am missing here?
  • Reset Password Failing

    trebor

    08/15/2022, 4:07 PM
    When I attempt to reset DB password, I get a "Failed to reset password" notification. And the password I was previously using to connect to the supabase DB no longer authenticates.
  • Debugging Edge Functions — How?

    SizzlingSquiggle

    08/15/2022, 5:03 PM
    When an edge function fails, I cannot seem to find an error message returning. It only gives a "Failed to fetch" error. Additionally, it doesn't seem like console.log's are working (unless there is a specific place to view them that I have not found?) Just curious how people are debugging their edge functions.
  • Update a supabase table row from next.js

    TARS

    08/15/2022, 5:23 PM
    I'm creating a UI component for my next.js app, and it's supposed to edit the data in a supabase table row. There are 19 columns in this table. Let's say the user only changes one of these 19, but I still insert 19 values where 18 are the same as the existing row, does it still update all rows regardless, or just the data that is changed? And, is this considered very bad practice? The operation to sort out on the client which values have changed, and then make a custom insert for only those values is a bit more tricky, but maybe it's the only way?
  • Cannot join table after .rpc() call

    avalanche

    08/15/2022, 6:52 PM
    I have a function like this:
    ```sql
    create or replace function search_items(lang regconfig, query text)
      returns table (id uuid, title text, location point, price numeric(16,2), currency_id bigint, thumbnail text)
      language plpgsql
      as
      $$
    declare
      query_vector tsquery = to_tsquery(lang, query);
    begin
      return query
        select 
          a.id,
          a.title, 
          a.location,
          a.price,
          a.currency_id,
          a.thumbnail
        from item a,
        lateral create_fts_vector(a.title, a.description, lang) weighted_fs_vector
        where weighted_fs_vector @@ query_vector
        order by ts_rank(weighted_fs_vector, query_vector) 
        desc;
    end;
    $$;
    ```
    I'm trying to call my function and join it with the currency table which has id and value:
    ```dart
        return _client 
            .rpc('search_items', 
                  params: {'lang': 'italian', 'query': queryText})
            .select(
                'id, title, location, price, currency(id, value), thumbnail')
            .execute()
    ```
    I'm getting error: Could not find a relationship between 'pgrst_source' and 'currency' in the schema cache. What am I doing wrong? How can I join table based on id I get in rpc call? Currency table has primary key id.
  • How can I get JWT secret in local instance of supabase?

    dmytro.eth

    08/15/2022, 7:09 PM
    Hi, super excited about the CLI release. I initialised a local project via `supabase init` and `supabase start` and after it started, it exposed some of the environmental secrets in my terminal. However, I can't find a JWT secret value anywhere? Is it available in the local instance?
  • NextJS 12.2.X upgrade breaks `getUserByCookie`

    nickbrinser

    08/15/2022, 7:52 PM
    Upgrading to latest NextJS release breaks `getUserByCookie` and shows cookie not found even when authenticated. This is due to updates made to the `NextRequest` type. Not a huge deal since you can use the `auth-helpers-nextjs` `getUser` in its place, but thought I should share this. I know `auth-helpers-nextjs` does not currently support NextJS 12.2.X, but I have a PR open with the required updates.
  • signUp event listener (Discord Auth)

    FragAverage

    08/15/2022, 8:03 PM
    I'm looking for a way to listen to an event fired after a user first does a "signUp/signIn" with an Auth provider, Discord in this instance. I am using the guilds scope, and have written a function that will use the provider token returned by the sign in function to request a user's discord guilds, but I would like to store some data based on what roles a user has in my discord guild and have that periodically update as their roles could change from time to time. Any suggestions?
  • Is docker required to generate types for remote projects?

    e0

    08/15/2022, 8:04 PM
    Wanted to try out type generation using the CLI from the announcement today. I'm running the following command `supabase gen types typescript --db-url MY_DB_URL` and I get the following message: `Error: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?`. I figured that docker is only needed for local projects but is it actually required for generating types for remote instances as well?
  • Authenticate Custom Endpoint

    Derek

    08/15/2022, 11:48 PM
    I'm having great success using the Supabase Postgrest integration for most of my DB interaction. I've run into an edge case where I need to run some complex data manipulation, and will do so with Python on cloud run. Question is what is the safest way to make a custom authenticated endpoint? Will the JWT work on another subdomain? ie: user is logged in at app.domain.com -- custom endpoint that will need to be authenticated hopefully with the same JWT session is at api.domain.com
  • channel locked

    bhaskar

    08/16/2022, 12:09 AM
    I am not able to post messages to any of the channels anymore. Please give me access.