https://supabase.com/ logo
#off-topic
Title
# off-topic
s

sudo killall windows

10/03/2021, 10:34 PM
Sure
So basically every time something get's inserted into my db, it triggers a dm to a user in discord
And I don't want people spamming submit with edited supabase auth credentials
And being able to dm spam through my bot
I could do this through my bot
Have it check the id and if there are to many delete some
But I'd rather have the db handle it for me
s

silentworks

10/03/2021, 10:39 PM
I'm not sure what you mean by spamming submit with edited supabase auth credentials
s

sudo killall windows

10/03/2021, 10:39 PM
I've seen multiple threads that the devs plan to add rate limiting soon
supabase.auth.session().user.user_metadata.provider_id = personYouWantToSpamDiscordID
Then spam the submit button which uses supabase.js to insert a row into my db
Which triggers a function hook to my discord bot which dm's that id
s

silentworks

10/03/2021, 10:40 PM
You are definitely missing some further detail in your explanation
I don't know what exactly you are missing but the supabase.auth.session() only holds information for that logged in user
How would that allow anyone to spam your bot?
s

sudo killall windows

10/03/2021, 10:42 PM
> supabase.auth.session().user.user_metadata > Object { avatar_url: "https://cdn.discordapp.com/avatars/633434170596786186/85b80f9321da4fb560380ce01c6d1672.png", full_name: "sudo killall windows", provider_id: "633434170596786186" } > > supabase.auth.session().user.user_metadata.full_name = "not sudo" > "not sudo" > supabase.auth.session().user.user_metadata > Object { avatar_url: "https://cdn.discordapp.com/avatars/633434170596786186/85b80f9321da4fb560380ce01c6d1672.png", full_name: "not sudo", provider_id: "633434170596786186" } > > ​
s

silentworks

10/03/2021, 10:42 PM
Isn't this behind a user login?
s

sudo killall windows

10/03/2021, 10:42 PM
Because a function hook calls my bot
Yup. Sign in with discord
Through supabase auth
s

silentworks

10/03/2021, 10:42 PM
You can't actually update that data that way, so not sure how this would be an issue
I think there are some assumptions here that don't actually work the way you are assuming
s

sudo killall windows

10/03/2021, 10:43 PM
When I make a new row one of the items is the Discord Id, and it get's it from supabase auth session
s

silentworks

10/03/2021, 10:43 PM
supabase.auth.session() is read only
s

sudo killall windows

10/03/2021, 10:44 PM
Well It let me modify it
s

silentworks

10/03/2021, 10:44 PM
That data will not be saved in the database
You should be reading data from the database using the currently logged in user's information
Not using the supabase.auth.session() function
s

sudo killall windows

10/03/2021, 10:44 PM
Ah
Got my head stuck in do it on the client world lol
s

silentworks

10/03/2021, 10:45 PM
If you are passing this data along then this can definitely be spammed
No never do stuff like that in the client world
Hence why I mention RLS to you earlier, it can save you a world of pain
s

sudo killall windows

10/03/2021, 10:45 PM
all hail the RLS gods
s

silentworks

10/03/2021, 10:45 PM
lol
Remember inside of functions you can write sql queries
so you could do a select based on the
auth.id()
to get the user information to get the
user_metadata.provider_id
This is probably stored in the db under a jsonb column type, so you would access it using
raw_user_meta_data->>'provider_id'
Let me know how you get on tomorrow, I'm going bed now, it's late here.
s

sudo killall windows

10/03/2021, 10:48 PM
GN!
I just wish I could log in a RLS query so I could see what I was dealing with
well... i could make a logs table