https://supabase.com/ logo
Join Discord
Powered by
like i asked before how do i implement rate limiti...
# off-topic
h
like i asked before how do i implement rate limiting ?
s
like i asked before how do i implement rate limiting ?
b
Do you have a specific use case in mind? I'd like to find this out too.
πŸ‘€
s
It would certainly be possible to do with a dedicated table (or a column on the public users table), but more specifics on why you want to limit it, as well as your specific use case, would be helpful.
h
No i meant is there a solution for this from supabase itself ? i dont want to waste time setting everything up only to discover i cud have done that in a more simple way
Uhh for rate limiting lmao
I want to limit all requests
but the exact no. of operations / min will vary depending on operation
for eg:
User can send 150 messages / min
User can join 1 room / min
Something like that
for everything
or most things
And what about caching responses?
Actually my use case wudnt need caching since i want to display everything realtime
but wud be nice to know
s
Since requests can be done through either the REST endpoints (i.e. via the library), or to the database (e.g. via 
rpc()
or something like Prisma, Sequelize, etc), it's not something that's built in as part of the stack.
h
mhm
But is creating a new table, adding triggers the most elegant way to do this?
maybe
s
Rate limiting will be possible through Kong. Check this previous discussion: https://github.com/supabase/supabase/discussions/1524#discussioncomment-746106
h
Omg yes
Thank you!
Wait πŸ€”
If the client has access to the database they can also view the credentials of anon user right
Then cant they connect to the database from another client and avoid the rate limits
i mean outside of my website like say pgAdmin
s
If a regular user is able to connect directly to your database with pgAdmin, you've got bigger problems than rate limiting
h
Uh?
anon user is available publicly right
is it not database credentials?
or just credentials for kong endpoints
Am sorry i thought they cud be used to directly connect to the database
s
The anon group isn't able to login, and it includes the 
authenticator
user which is able to login (which belongs to the 
anon
, 
authenticated
and 
service_role
groups). Ergo, there's no actual anon user, but there is a group that includes a single user. I believe it acts as a way of allowing a session to be authenticated against the correct user once credentials are validated - essentially a way of transitioning users from not-authed to either a regular 
authenticated
user, or the 
service_role
if it's using the service key.
h
Ahh
Perfect then
b
So what's the status of this now? How do we implement rate limiting with Kong?
s
@User Correct! You got it. Btw, this auth sequence is documented on https://postgrest.org/en/v8.0/auth.html#authentication-sequence
c
πŸ˜‚πŸ˜‚πŸ˜‚πŸ˜‚πŸ˜‚
h
We just send our config in http requests
?
it's in the link
b
So where is this done as part of my app? I’m confused.
s
Based on that doc, I believe that the integration would need to be done at the Kong level, which can't be customised to this degree unless you're self-hosting. I'm certainly open to the idea that I might be wrong about that though πŸ™‚
h
isnt rate limiting a very common feature
kinda suprised if it wont work with hosted solution
@User there is something called supabase-admin-api
I created the jwt token as it said and tried to connecting to GET /config/kong
Says no routes match
so idk
b
So what do I do with supbase-admin-api? I built the binary and it works... so where does it run? Where do I install it?
s
Based on this source, I'd guess it's designed to run alongside a local hosted version of Supabase. Since 'RestartServices' function in 
api/service.go
calls systemctl, I don't believe you'd be able to run it externally.
h
Wait its not included with supabase?
That doesn't make any sense tho
So we cant configure any of the services?
Am going to open an issie
b
I’m not familiar with it - will need to ask Div or Inian
h
There's no mention of admin api in supabase docs
b
Yeah I’m pretty sure it’s not a stock component
s
Chances are that they do use it on the hosted platform, but don't expose completely custom configuration via the dashboard, either for security or performance reasons (perhaps both)
h
The security is just the same as the rest api for database
i dont think there will be any impact on performance idk what u mean
s
If you're exposing custom configuration for the routing aspect (i.e. Kong), you're allowing someone to potentially break their own service because they misconfigured it. Even if rate limiting for one project may not directly affect the performance of others, exposing custom config could lead to situations where users use a config which results in a performance hit for others. Maybe they just haven't got around to building out the UI to support it. Maybe there's another reason I'm not thinking of. It's also possible I'm completely wrong. You have to think beyond the scope of just your project because it's still a platform run on servers that are shared with other users.
h
Bruh if they dont know what they are doing they shudnt do it
Then the SQL query section doesnt make any sense either?
They can break their tables or grant access to public
How is giving an option going to be a bad thing? Yes not every project is going to require that but having the option is soo much better than not having one right..?
Am not trying to ride on supabase i cud have just built my own api am just giving suggestions
I dont think rate limiting , caching and etc is uncommon at all
Its a really sweet feature just saying
And one config won't affect others'
s
"If they don't know what they are doing, they shouldn't do it" - Not knowing how to do something doesn't stop people from trying. The SQL query editor negates much of the need for a dedicated SQL tool, but doesn't completely replace it. You can recreate a table with SQL if you 'break' it (though, I'm not sure how you'd break a table exactly, other than dropping it entirely). You can recreate RLS policies if you mess them up, and some projects may want public tables. There's a lot of documentation on SQL. By comparison, there's significantly less resources out there on configuring Kong. You mess that up, and you either fix it, or you're left with a service that might be completely unusable. I'm not disagreeing that it would be nice to have rate limiting, or exposing more options for the architecture, but a line has to be drawn on what you allow, and you've got to be careful about how you integrate it precisely because it can have an effect on other users. If you let people just configure everything, they'll take as many resources as they can, and potentially starve other projects.
h
Hmm
I guess supabase isnt for me then
Am just saying tho won't most production environments benefit from this
i still think that your argument that if we gave devs a tool they might mess up so let's not is a really weak one
But idk much
j
Sticking to the specific feature: Surely rate limiting can be exposed without needing to expose complete configuration of Kong?
h
Hm yeah ig
s
Let's say they allow rate limiting at Kong level. Your example was something like 150 messages per minute. If the rate limit was exposed at the routing level, that could end up limiting it to 150 requests per minute. Not just inserts, but selects, deletes, and updates. What if a user wants to delete 150 messages? They're then prevented from sending any new messages for the next minute. Maybe it's unlikely a user will want to delete that many messages at once, but it's not impossible. Additionally, if the rate-limit config policy is set to 
local
, it'll store these settings in memory. This increases memory usage, so could have a detrimental impact on an individual server.
Again, I agree it'd be nice to have, but I don't think it's as simple as 'plz just enable it guys'. Maybe I'm wrong.
h
I just don't get it
The supabase team made that
idk why they spent their time and didnt include it lol
Maybe it is on track to be added later
Maybe its not simple am not saying it shud be added period saying just consider it
And that too wud add more complications like u said it has to be stored somewhere
and local is a no go
maybe ratelimting cant be added πŸ˜”
I just remembered that we can still create a table for that and use it in rls
But that probably won't be the best performing solution
s
Something like this might work (untested, but should give you a rough idea of how to proceed):
Copy code
sql
SELECT CASE WHEN (
    SELECT COUNT(*)
    FROM public.messages
    WHERE inserted_at >= NOW() - INTERVAL '1 minutes'
    AND sender_id = auth.uid()
) <= 150
then true
else false
That's assuming your table is called 
messages
and the column you're checking is 
inserted_at
, and the user ID is stored in a column called 
sender_id
. This example assumes you want a maximum of 150 messages every minute. If you've got hundreds of thousands of messages being inserted every minute, it might be slow, but indexes and partitioned tables can help with that.
h
Mhm
b
supabase-admin-api
is already installed on KPS instances by default, so we can use it. I just don't understand how to implement rate limiting with it yet, but I will find out.
j
Looks like a juicy thread
h
What's kps?
Anyway someone from team said they didn't add it for security reasons and that they wud consider after a few months
In the github issue
b
kong - postgrest - supabase
Copple told me Supabase-admin-api was installed by default
I haven’t had time to play with it yet tho or test it.
h
Ohh 🀣
It says 404
And someone from the team said they didn't add it
Are u talking abt the hosted solution or ?
b
Yes I’m told it’s already running on every instance.
h
Hmm that's weird
b
You must set the apikey header to be a valid JWT token, signed by JWT_SECRET and with a claim of: role: supabase_admin
h
Do tell me if you find something out
I did
But there was no route
b
Yeah I’ll try to find out tomorrow how to call it.
You’re using the api url?
h
Yep
BASE_URI/config/kong right
base uri is the one that ends with supabase.co
?
I used GET which shud give me the current config
b
It’s listed in the dashboard under settings.
h
but it said No matching routes or somethng similar
Yes ik
b
Don’t know if you need Kong
h
Am just confirming
b
Look at the source code it should help
Maybe it’s on a different port
h
Oh yea i didnt think of that
b
Port 8085
h
yep just saw lol
Lets try
It's not there
If its included It's probably listening in localhost but the port is probably not exposed
b
could be, are you still getting 404 or scanning for the port?
h
Not a 404
Timeout
this time
b
It's running on localhost on kps, I see that: tcp 0 0 127.0.0.1:8085 0.0.0.0:* LISTEN 967/supabase-admin-
but you're right, it doesn't look like it's exposed
h
That's sad
I don't get how this is a security concern it uses the same exact security measure that everything currently uses in supabase rest endpoints
Lmao
How'd u connect to ur instance?
b
I have admin access to ssh into my instance as supabase staff.
h
Ah nvm then
b
I'll try to get more info on this.
h
Thanks!
Anyway i wont be able to use supabase for the current project because realtime is insecure
Oh right, i cud Hasura subscriptions to connect to supabase that way rls will still work right but how do i get auth.uid() to work? It refers "request.jwt.claim.role" and stuff like that
Is it possible for me to inject it? @User
b
I don't understand the question
h
I mean can i use Hasura
for realtime subscriptions
b
I'm not familiar with Hasura, sorry 😦
h
and then forward the jwt cookie
Hasura is not a problem anyway leave it
Let's say i have the jwt cookie of a user
how do i get auth.uid() to work from that?
b
auth.uid() just checks the uid inside the token
h
yes
but how do i say that this is the token to use
if am not using postgrest
b
Copy code
CREATE FUNCTION auth.uid() RETURNS uuid
  select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid;
h
Yes i saw that 😭
How do i set request.jwt to my token
no way?
b
if you're not using postgrest, then you'd have to do the auth yourself -- you're connecting directly to PostgreSQL?
h
Yes
i was hoping there wud be a way to inject the token into "request.jwt" so that everything will work fine as intended
b
maybe you can use the same token -- 
current_setting
should read it? but i'm not sure
you might need to ask Inian, Steve, or Gurjeet
They know more about deep Postgres
j
I read most of this thread
It looks like there's not a clear solution
h
nice
Yes there is not
j
I'm not really super pumped about hacks
b
Is there any way you could secure Realtime using GRANT (table level access) and not RLS?
j
and from what I've read, I think the cleanest/non hack is to have a simple table and trigger
h
Nope
Lmao yea
b
so that's indirect realtime?
j
I'm sure supabase will add some configuration in the dashboard at some point
h
Ye
seems like it
but that wud use RLS
right?
Dk for sure
b
RLS on the actual table you want to protect
no RLS on the indirect table
makes sense
h
hmm
anyway we will see
I can't wait for functions and realtime to be released 😩
j
what's functions and real time?
those two things together?
h
Nope
Functions are serverless functions u can call
like aws lambda, google cloud run
And realtime - u can listen to realtime changes in ur database from the client for eg if messaging app where client instantly sees new messages without having to reload
j
so cloud functions would be configurable in the dash board in some language like node, got it.
real time already exists, no?
It works for me
h
It does
But it bypasses RLS
j
oh, i see what you mean
Any movement on this?
I’m just dreading creating a table for this
s
Features like this normally get launched in launch week, this happens every few months, I do't have an exact date on when the next one is but that's when major features get released.
j
@silentworks sweet! Is this an item the team is aware of?
PreviousNext
Powered by