# javascript
m
(also no clue how to "add a role to the jwt")
g
Are you using your jwt with the client now?
m
I've got the client created with the anon key. I've tried enabling RLS and adding policies to allow anon to read, but no dice.
I've tried to look at the JWT auth but not sure how to do that properly
Sorry if I'm probably being dumb
g
https://supabase.com/docs/learn/auth-deep-dive/auth-deep-dive-jwts Shows the role being added to a jwt, but if you are using the anon key without signing in that might be enough. I need to find the discussion here or on GitHub where a user had an issue with custom jwt and needed to add role. BUT it should work with anon key only. Do you have a websocket running?
There is an issue on some instances right now, but it shows up with a working websocket, no error, and no entry in realtime.subscriptions table. Where are you getting your error?
m
Gimme a sec, I'll get you a snippet and some better screenshots
g
If unauthorized then that sounds like the error with custom jwt and realtime the user had. I'll look for that thread.
m
supabase
  .from('*')
  .on('*', console.log)
  .subscribe();
Basic sub, then when sending a message which inserts into a table that I have replication enabled for I get this error. I'm only doing anon auth for the supabase client here. But that should work since I have this policy
g
https://github.com/supabase/supabase/issues/7440 Is the outcome of a discussion here I was in.
Are you setting your custom jwt also in the client?
m
So far, no, because it looked like the anon should be able to read with the policies we have in place
I don't mind going thru and adding that role, but I'd also like to know why the anon is getting that error if the policy should allow for it
g
I agree, I would think anon key would work IF you don't set the jwt also with your own
Are you using supabase.js?
Sorry I see your code now.
m
My instantiation is just:
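// Client created with the project URL and the anon (public) key only
import { createClient } from '@supabase/supabase-js';
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
export const supabase = createClient(supabaseUrl, supabaseAnonKey);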
g
Can you see the actual websocket try to start up?
m
With the two values coming from these two boxes
WS seems to connect fine
g
I'm a bit confused on your screen showing the error. The unauthorized is coming back with an actual insert event?
m
yes
With
Error 401: Unauthorized
(which my dumbass cut off in the screenshot)
g
Does realtime.subscriptions have entries when you have a connection?
This is different, if I recall correctly, from the case I dealt with last time in that their websocket errored with some sort of unauthorized.
m
Well that message had an api key oops
g
You don't need to repost it
m
Well anyways yeah, earlier my ws failed too. Sadly, I don't recall what fixed that.
But now I'm just getting ws connected -> 401 errors on inserts (which are being triggered by real inserts at least)
g
I'm going to suggest you either contact SB support or generate an issue in github realtime. We could go around in circles on this without understanding if something is wrong with your instance. One of the SB team on realtime may need to look at this. The thing I don't get is if you are not setting your jwt in the supabase client with a setAuth or some such thing then not sure how your jwt is involved at all.
I guess you could look at the websocket first message and see if it is your anon jwt going up to the server in token.
m
Doing supabase.getSubscriptions() returns:
g
This is an anon realtime start up and the first heartbeat.
The user_token is the anon key and the access_token is null for anon key only
Is your access_token null? It does not show in your pix.
m
Yep
g
So if user token is anon key, then it is something on the server side. I got nothing else for you at the moment.
I assume your insert succeeded.
Is there anything special about how you created your tables? 401 is a privilege error accessing a table, not a RLS not met.
m
the insert is being done via our api which uses prismajs
Atm just using RT for reading
We assumed we could just insert into the db and then have the RT send us the added rows.
We're not using the supabase.from(...).insert(...), just using RT for receiving updates atm
@garyaustin If you like we could hop into vc and I can screenshare and maybe that'll stop some back n forth?
g
I think the problem might be your prisma setting up the tables. I don't know much about it, but I believe you have to set up a number of user/role grants as part of the process. That would match with realtime generating a 401 when it reads the table as user anon. A call from supabase.from.select probably won't work either without those grants. No camera and about to head out, but there might be documentation already on the grants needed for prisma, or at least a GitHub issue with them.
I'll do a quick search.
I actually think it is a recent change for realtime to even report the error 401. It used to just fail silently on Prisma created table.