#off-topic
Title
# off-topic
s
sudo killall windows
10/03/2021, 10:34 PMSure
So basically every time something get's inserted into my db, it triggers a dm to a user in discord
And I don't want people spamming submit with edited supabase auth credentials
And being able to dm spam through my bot
I could do this through my bot
Have it check the id and if there are to many delete some
But I'd rather have the db handle it for me
s
silentworks
10/03/2021, 10:39 PMI'm not sure what you mean by spamming submit with edited supabase auth credentials
s
sudo killall windows
10/03/2021, 10:39 PMI've seen multiple threads that the devs plan to add rate limiting soon
supabase.auth.session().user.user_metadata.provider_id = personYouWantToSpamDiscordID
Then spam the submit button which uses supabase.js to insert a row into my db
Which triggers a function hook to my discord bot which dm's that id
s
silentworks
10/03/2021, 10:40 PMYou are definitely missing some further detail in your explanation
I don't know what exactly you are missing but the supabase.auth.session() only holds information for that logged in user
How would that allow anyone to spam your bot?
s
sudo killall windows
10/03/2021, 10:42 PM> supabase.auth.session().user.user_metadata
> Object { avatar_url: "https://cdn.discordapp.com/avatars/633434170596786186/85b80f9321da4fb560380ce01c6d1672.png", full_name: "sudo killall windows", provider_id: "633434170596786186" }
>
> supabase.auth.session().user.user_metadata.full_name = "not sudo"
> "not sudo"
> supabase.auth.session().user.user_metadata
> Object { avatar_url: "https://cdn.discordapp.com/avatars/633434170596786186/85b80f9321da4fb560380ce01c6d1672.png", full_name: "not sudo", provider_id: "633434170596786186" }
>
>
s
silentworks
10/03/2021, 10:42 PMIsn't this behind a user login?
s
sudo killall windows
10/03/2021, 10:42 PMBecause a function hook calls my bot
Yup. Sign in with discord
Through supabase auth
s
silentworks
10/03/2021, 10:42 PMYou can't actually update that data that way, so not sure how this would be an issue
I think there are some assumptions here that don't actually work the way you are assuming
s
sudo killall windows
10/03/2021, 10:43 PMWhen I make a new row one of the items is the Discord Id, and it get's it from supabase auth session
s
silentworks
10/03/2021, 10:43 PMsupabase.auth.session() is read only
s
sudo killall windows
10/03/2021, 10:44 PMWell It let me modify it
s
silentworks
10/03/2021, 10:44 PMThat data will not be saved in the database
You should be reading data from the database using the currently logged in user's information
Not using the supabase.auth.session() function
s
sudo killall windows
10/03/2021, 10:44 PMAh
Got my head stuck in do it on the client world lol
s
silentworks
10/03/2021, 10:45 PMIf you are passing this data along then this can definitely be spammed
No never do stuff like that in the client world
Hence why I mention RLS to you earlier, it can save you a world of pain
s
sudo killall windows
10/03/2021, 10:45 PMall hail the RLS gods
s
silentworks
10/03/2021, 10:45 PMlol
Remember inside of functions you can write sql queries
so you could do a select based on the
auth.id()user_metadata.provider_idThis is probably stored in the db under a jsonb column type, so you would access it using
raw_user_meta_data->>'provider_id'Let me know how you get on tomorrow, I'm going bed now, it's late here.
s
sudo killall windows
10/03/2021, 10:48 PMGN!
I just wish I could log in a RLS query so I could see what I was dealing with
well... i could make a logs table