I want to create a row level security policy that checks if the number of rows with the

id

field doesn't exceed 3 upon INSERT in my table

apps

. I was trying to use this (supabase converted my policy to this):

sql
(( SELECT count(*) AS count
   FROM apps apps_1
  WHERE (apps_1.owner = uid())) <= 3)

But that didn't work, it bypassed it every time and I can create as many apps as I want. Original policy was (not converted by supabase):

sql
(
  (
    SELECT count(*) FROM apps WHERE (apps.owner = auth.uid())
  ) <= 3
)

Hi, I have a supabase instance which I am using for product demos. Twice, the DB has appeared to go "offline" mid afternoon UK time in the middle of a demo. Looking through the logs, the autovacuum worker kicked off at 2:31pm UK time today and somehow got stuck with a string of "worker took too long to start" warnings until 2:45pm. During this time, the product was effectively "down" and unusable. Reading through the Platform Management docs, I can see the autovacuum jobs are setup automatically and there are linked to how to tune them, but I can't see how I manage the timing of them - i.e. is it possible to change the timing to 2AM not 2PM UK time when the product is not being used? Thx

Hello everyone! I need to store user data (more exactly paid subscription details) so that it can be changed only through a Supabase function (using the administrator's SERVICE_KEY), yet it needs to be visible to its user. I see two places in which I can tentatively do so: 1. In the auth.users table, under the user_metadata column. Will this be editable by the user? 2. In a dedicated "userdata" table, made read-only to the user through RLS. Which one would you suggest? If it is the 2nd option, why then the auth.users table includes metadata fields? Thanks for any assistance!

I have a Zoom.us app already published in the Zoom Marketplace which lets our users host webinars (it creates webinar events in their Zoom account and then other users can sign up for those webinars directly from our app). Ideally, I'd like to continue using the same Zoom app for OAuth purposes when we're now migrating to NextJS/Supabase, but I need access to the

access_token

and

refresh_token

for each webinar host so that we can create the webinars in their Zoom account and add attendees. Is this data stored somewhere? I had a quick look in the

auth

schema, but didn't spot it there. If it's not stored and accessible server-side, is it possible to "intercept" it somehow when users sign up or sign in with the Zoom OAuth provider (so I can manage the tokens elsewhere)?

It doesn't make sense that whenever I setup a local environment for a project, I have to redownload the supabase services that is used by docker when the files are not specific to a project. Can't it download once and reuse the files for subsequent local environment instances? The files are 1GB+ and its a bit annoying having to download that everytime I want to setup a local environment because my internet is trash.

I'm trying to figure out how I can setup a custom auth with MetaMask and I thought maybe I could use it to create a pseudo email/password that's unique to each user and go that route but I'm not sure what security implications could arise from this. Looking for thoughts from others... 1. Use the

moralis

SDK to sign a message through MetaMask and it returns a

profileId

(66 character) and the

walletAddress

(42 character) from Moralis Auth. 2. Use this address to generate a unique email that is only used for login - e.g. - ${walletAddress}@domain.com 3. Generate a password from a JWT using a payload of:

{ 
  walletAddress,
  profileId: profileId+${randomShortSecret}
}

Then sign the JWT with another secret so technically the password should always be the same every time its generated when someone clicks the "Connect" button. 4. In the connect() function, check if a user exists in the Supabase database with this unique email and profileId (user_meta). If user exists use signInWithPassword(), if not then use signUp() to create the user.

Hello I was using normally til yesterday, today i'm receiving this error, can you help me?

44     const users = await prisma.users.findMany(
Error querying the database: db error: FATAL: remaining connection slots are reserved for non-replication superuser connection

I have been trying to find a solution for this online, but without luck. I have followed the quickstart tutorial (which was incorrect in many places) but so far, I've managed to send a magic link to my email account, and I've managed to redirect it back to my app, but it doesn't redirect to the profile page after. How can I ensure that step?

In a project, to ensure users' roles are secured with some RLS policies, I have my user data organized thoughout a

public.users

table and a

public.users_roles

table like so:

sql
create table public.users (
  "id" uuid not null unique primary key,
  "first_name" text,
  "last_name" text,
  ...
);
create table public.users_roles (
  "user_id" uuid not null unique,
  "role" public.user_role not null default 'visitor'::public.user_role,
  "updated_by_id" uuid not null references public.users(id)
  primary key (user_id, role)
);

Where

public.user_role

is an enum. I also have a

public.user_role_details

table with some human-readable info about the roles, that is seeded by default:

sql
create table public.user_role_details (
  "role" public.user_role not null unique primary key,
  "label" text not null,
  "description" text not null
);

Now, with this setup I'd expect to be able to use postgrest (with the js client) to join

public.user_role_details

when selecting a user from

public.users

because of the 2-step fkey-pkey relation allowed by the composite fkey of

public.users_roles

public.users(id)
  ↓
public.users_roles(user_id, role)
  ↓
public.user_role_details(role)

...but instead I get a warning that no relation is found. I think this might be due to the fact that to join

public.users_roles

to

public.users

I need to disambiguate which column to use in the former (

user_id

vs

updated_by_id

). But from trying and reading the docs, I can't find a syntax for doing that when using an intermediary join table 😦 I know how to disambiguate when doing a first-order join, but here I'm interested about a second-order join. Is this a thing or will I have to resort to using a view/two queries?

I am using Vue 3. Below is my code: const { error } = await supabase .from('companies') .insert({ name: 'Twilight Sonata Studio' }) Please help me, thank you.

There is an open issue in the supabase/postgres repo that I've been waiting on for a while. There is a commit that fixes the issue, but no pull request has been made. I've never contributed to open source, so I'm looking for guidance on creating a pull request. I didn't write the code for the commit, so is it kosher if I create the pull request for it? Issue: https://github.com/supabase/postgres/issues/135 Commit: https://github.com/supabase/postgres/commit/4dd26f5108ef151f5c4328f806007c69dc29f944

I'm experimenting with inviting users and I've noticed that a user who has confirmed an invitation only gets an entry in the users table, but not the identities table. Since I'm not sure what the identities table is truly used for, I can't judge whether this is a problem or not. The user appears to be functioning OK, but I thought this was a bit inconsistent. Can anyone shed light on this? Thanks

Whenever i try to copy anything (id from a table, image url, wherever i see "copy to clipboard" button, it just doesnt work). This would be an issue for me since some non tech people will be using my supabase studio

Hi! I'm using the supabase submodule for integration with Next.js (here: https://supabase.com/docs/guides/auth/auth-helpers/nextjs) I'm also using the Server-side data fetching as described there. However, I do not want to have my backend to do the query as the authenticated user, to escape the RLS policies. But at the same time, I don't want the supabase api to be initiated with the secret key because it's used in the front end for oauth aswell... How can I keep the public key for the client but give the secret key for my api route? PS: I guess I would still need to do `auth.getUser()` to be sure that the user has the right permissions to call the route.

I've followed the instructions here (https://supabase.com/docs/guides/auth/overview#redirect-urls-and-wildcards) to setup wildcards for my Vercel Preview deployements and they work for the signin methods. However, I'm using the

auth.inviteUserByEmail

method as described here (https://supabase.com/docs/reference/javascript/auth-admin-resetpasswordforemail) and it seems to be ignoring the

options.redirectTo

setting with my dynamic URL and only using the Site URL. How can I resolve this?

Hi guys, I'm building a Supabase app with NextJS 13 (using app directory), and Supabase's auth. Each page is SSR initially, then subscribed to for any future updates. There are 3 pages, and all three make a call to a different table in the database. I'm expecting three API calls to be made: 1: To check Auth 2: To get the initial data from the DB 3: To subscribe to the database for any future updates I've had a look at the API Edge Network tab, and it looks like the calls are being made 3 times per page load (3 * 3 = 9 calls)! Is anyone able to help out on this one please? My app takes around 1000ms to load each page, which feels slow. On a side-note, I'm also having an issue where if I navigating around the pages 2-3 times, the load is almost instantaneous. A hard refresh causes the longer load again. Likely client side caching, but could be related to the issue above? Thanks in advance. 🙂

Hello all! I have an app where users can join a room and talk to each other and there's a max of 2 people per room. When a user joins a room, they are subscribed to that table where the room id matches the room they're in. My understanding is this counts as 1 connection. If a second person joins a room then there are now 2 connections, correct? Does this mean I can only have a max of 250 conversations happening in real time due to Supabase's rate limiting? I'd like to believe that my app will eventually hit a point where there are going to be 500 people messaging each other at the same time, what happens then?

I’ve been working on this bug for a while and would love some help. When attempting to insert a record into my Supabase database I get: {code: '42501', details: null, hint: null, message: 'new row violates row-level security policy for table "comments”'} I’ve set 4 different policies on my table: CREATE TABLE comments ( id BIGINT generated BY DEFAULT AS IDENTITY PRIMARY KEY, user_id uuid REFERENCES auth.users NOT NULL, title TEXT, comment TEXT, user_email TEXT, inserted_at TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::TEXT, NOW()) NOT NULL ); ALTER TABLE comments ENABLE ROW LEVEL SECURITY; CREATE policy "Users can create comments." ON comments FOR INSERT WITH CHECK (auth.uid() = user_id); CREATE policy "Users can update their own comments." ON comments FOR UPDATE USING (auth.uid() = user_id); CREATE policy "Users can delete their own comments." ON comments FOR DELETE USING (auth.uid() = user_id); CREATE policy “Comments are public" ON comments FOR SELECT USING (TRUE); I have confirmed that I have a registered user as my User object/library in Next.js returns expected values. I have 2 other tables in my schema so far but they’re just lookup tables, not sure if they’re relevant to this table or not. Anyone have any suggestions? Also I’m very new to Discord and I did a search for this issue already but did not see any relevant solutions. Also I’m still learning how to get around Discord please don’t yell at me I’m learning. I really appreciate your help

I'm attempting to add a trigger for the deletion of a row. So there is a pages tables. If a page is deleted, grab the storyId and then decrement the page number for everything above the deleted page number.

DECLARE
   deleted_page_number INTEGER;
   story_id INTEGER;
BEGIN
   -- Get the page number and story id of the deleted page
   WITH deleted_page AS (
      DELETE FROM pages
      RETURNING pageNumber, storyId
   )
   SELECT pageNumber, storyId INTO deleted_page_number, story_id
   FROM deleted_page;

   -- Update the page numbers of all pages with the same story id
   UPDATE pages
   SET pageNumber = pageNumber - 1
   WHERE storyId = story_id AND pageNumber > deleted_page_number;
END;

If you spot anything in this function that looks stupid then please shout it out to me. My issue here is that I created this function: @picture #1 And it was saved to my functions: @picture#2 But when I go to create the trigger, the function doesn't show up: @picture#3 Does anyone have some insight as to what I may have done wrong?

Can i create a "foreign key relation" between a bucket file and a table column?

I have a GeoJSON object that looks like this:

{
  "type": "Point",
  "crs": {
    "type": "name",
    "properties": {
      "name": "EPSG:4326"
    }
  },
  "coordinates": [
    152.21575417252868,
    -31.964690337055764,
    0
  ]
}

I would like to insert it into auth.users.raw_user_meta_data using the signUp function:

const { data: userData, error: errorSignUp } = await supabaseClient.auth.signUp({
        email: email!,
        password: password,
        options: {
            data: {
                principaladdresssiteoid: parseInt(oid),
                addresspointcrs: pointcrs,
                addresspoint: pointgeometry    /// this is the JSON
            },
            emailRedirectTo: `${supabaseRedirectBase}/auth/redirect`
        }
    });

and then be able to query the coordinates in a trigger function. If I add the JSON directly I get

[object Object]

as the value, if I stringify first I get a mess. Can anyone tell me what I'm missing?

I can't seem to fix this error

Hi, I'm using the following snippet to protect routes, based on the Supabase documentation:

ts
export const getServerSideProps = async (ctx: GetServerSidePropsContext) => {
  const supabase = createServerSupabaseClient(ctx);

  const {
    data: { session },
  } = await supabase.auth.getSession();

  if (!session)
    return {
      redirect: {
        destination: '/login',
        permanent: false,
      },
    };

  return {
    props: {
      initialSession: session,
      user: session.user,
    },
  };
};

This approach works seamlessly, however, when the browser tab is inactive for some time, the app takes a very long time to load the next page, which is also a protected route. Is there any hack to this use case where the SSR protected route could be updated to work better?

This question was asked before in this server but got no substantial answer https://discord.com/channels/839993398554656828/1041086326558175365. So I am asking again and opened a bug here https://github.com/supabase/auth-helpers/issues/422 I want to use Supabase auth-helpers with the

getStaticProps()

but there is no way to create the client because

getStaticProps()

doesn't have a context param. I checked the docs and it doesn't mention it either, there is only documentation on `getServerSideProps()`: https://supabase.com/docs/guides/auth/auth-helpers/nextjs#server-side-rendering-ssr

Just to prevent side-effect, is deleting

supabase_migrations

schema okay if I don't do migrate-related things?

I'm looking to let users add more OAuth providers to their account irrespective of whether those accounts have the same email address as the logged-in user. E.g. a user is logged in to our app with email xxx@email.com, and they want to add their LinkedIn profile which has the email yyy@email.com. I tried adding OAuth buttons on the account management page for logged-in users, but clicking these and adding say the account with email yyy@email.com in the above example just logs them out and creates a new user with the email yyy@email.com. Is it possible to achieve this so that an OAuth provider with email yyy@email.com can be added to an account with email xxx@email.com?

Can't seem to find how to properly import twilio in my Edge function.

I wonder, is it possible to retrieve an access token for the user using the user's uuid? I want to log in the user behind the scenes.

should I use supabase storage for optimized images or is it not 'baked' enough? this is for a prod app with lots of images

I'm trying to follow the documentation. I exported the types from my database but I get this error when I try to add types to my project.