# off-topic
p
Hey, I am stuck in an endless design loop. I have a data model in the DB and two frontends for the app. One is a web/CLI, the other is a Discord bot. On the web frontend I can use RLS and policies + triggers to implement the business logic in the DB (because the app user authenticates via Supabase), but then if I want to provide the same functionality (i.e. a user can update their own task) via the Discord bot (which is a server-side process), I can't find a way to do it without duplicating the business logic. I.e. in Discord a user runs `/update task id1234 text:learn foo`; I receive this data with their discord_id, so I know on behalf of which user to create the task. If I use the master key, I have to re-implement the logic that a user can update only their own task. If I use the anon key, I would have to authenticate the users via a Discord interaction and store their access token server side? Or is there a way to impersonate the user from the backend?
y
So just brainstorming here. You could ask the user to "login" from the Discord DMs. Maybe provide a token from the UI so you don't leak sensitive data (password). If it matches, you can add their discordId as an "authorized" user.
I don't know how the `users` work in Supabase since I never used that feature (yet). But conceptually what I mentioned feels enough.
p
Hmm, now I am thinking of making a wrapper function `auth.my_uid()` which defaults to `auth.uid()`, but if there is a session variable `INJECTED_UID` it takes that? Server side, before each query, I would inject the uid.
Every user is authorized by default if they are in the Discord server. The problem is how to pass the current authorized user context to the query (so RLS can check `auth.uid()=something`).
y
Oh I see. Can't help with that sorry I don't know the auth system at all :/
g
@User Using a wrapper function for different ids is good as long as a user can't be in both sets... You probably can use a session var or a custom header, but if you are using the service_role key, RLS is bypassed, so I think you would have to set up a "user" somehow that respects RLS to pass the uuids in. Here are a couple of discussions on minting JWTs as an approach to what I think you are trying to do: https://medium.com/@gracew/using-supabase-rls-with-a-custom-auth-provider-b31564172d5d4 https://github.com/supabase/supabase/discussions/3899
p
Ah, so auth seems like yet another rabbit hole to go down. Thank you for the links, will do my research!
First link seems dead.
g