I would like to know if if bypass the authenticati...
# off-topic
p
I would like to know if bypassing the authentication step by generating a JWT directly inside a mobile app is fine to do, in order to make a public database usable only by our mobile app?
s
In order to generate a verifiable JWT, you'd have to store the secret in the front-end. If you're doing that, there's absolutely nothing stopping someone from reverse-engineering your code and misusing the secret. Rule #1 of development: never implicitly trust the client.
Realistically, you could create a project with RLS policies which only allow select, insert, update, or delete (or any combination), and that way you wouldn't have to 'bypass' auth.
p
Thanks for the reply
I would like to offer my users the capability of creating some sort of "bucket" where the user would be the only one capable of adding data to it.
My idea was to generate some sort of private key locally on the mobile app when creating the "bucket", while storing this `secret_key` in secure storage locally, then generate a JWT with the `secret_key` inside to access the Supabase database, with an RLS rule to only allow access to the "bucket" related to the `secret_key`. This way, having the `secret_key` would be the only way to access those data.
Is that feasible?
I don't know if my use case is understandable ^^
s
Why not generate it inside the DB when the user creates the bucket, using something like https://github.com/geckoboard/pgulid/blob/master/pgulid.sql? You could then have a different column, `belongs_to_user`, which contains the UUID of the user it belongs to. An RLS policy which checks `(uid() = belongs_to_user)` would allow you to restrict buckets to a specific user.
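The two suggestions above (RLS policies per operation, and an ownership column checked against the caller's uid) as one worked example. This is an added illustration, not code from the thread or from Supabase; the table and column names `buckets`, `bucket_items` and `belongs_to_user` are assumptions. In Supabase the JWT subject is exposed to SQL as `auth.uid()`, which is what the shorthand `(uid() = belongs_to_user)` refers to, and the `anon` / `authenticated` roles are the ones Supabase maps the public anon key and a signed-in user's JWT to.

```sql
-- Added example (not from the thread): per-user "buckets" enforced entirely by RLS,
-- so the app ships no signing secret. Names below are assumed for illustration.

create table public.buckets (
  id              uuid primary key default gen_random_uuid(),
  -- If pgulid is installed, a ULID id works too:  id text primary key default generate_ulid()
  belongs_to_user uuid not null default auth.uid() references auth.users (id) on delete cascade,
  name            text not null,
  created_at      timestamptz not null default now()
);

alter table public.buckets enable row level security;

-- Each operation gets its own policy, so you can grant any combination of
-- select / insert / update / delete simply by creating or dropping policies.
create policy "buckets: owner can select"
  on public.buckets for select
  to authenticated
  using (auth.uid() = belongs_to_user);

-- WITH CHECK is evaluated against the row being written: an insert that tries to
-- stamp belongs_to_user with someone else's uid is rejected, not silently stored.
create policy "buckets: owner can insert"
  on public.buckets for insert
  to authenticated
  with check (auth.uid() = belongs_to_user);

create policy "buckets: owner can update"
  on public.buckets for update
  to authenticated
  using (auth.uid() = belongs_to_user)
  with check (auth.uid() = belongs_to_user);

create policy "buckets: owner can delete"
  on public.buckets for delete
  to authenticated
  using (auth.uid() = belongs_to_user);

-- Data stored inside a bucket inherits the owner check through the parent row,
-- so a caller can only read or write items of buckets they own.
create table public.bucket_items (
  id         uuid primary key default gen_random_uuid(),
  bucket_id  uuid not null references public.buckets (id) on delete cascade,
  payload    jsonb not null,
  created_at timestamptz not null default now()
);

alter table public.bucket_items enable row level security;

create policy "bucket_items: owner of parent bucket"
  on public.bucket_items for all
  to authenticated
  using (
    exists (select 1 from public.buckets b
            where b.id = bucket_items.bucket_id
              and b.belongs_to_user = auth.uid())
  )
  with check (
    exists (select 1 from public.buckets b
            where b.id = bucket_items.bucket_id
              and b.belongs_to_user = auth.uid())
  );

-- No policy is granted to the anon role. With RLS enabled and no matching policy,
-- Postgres denies by default, so a request carrying only the public anon key sees
-- no rows and cannot write any.
```

The point to check after applying this: the only secret that matters is the JWT signing key held by the Supabase Auth server, never by the app. The client holds a short-lived JWT issued after login, and every query is filtered by `auth.uid()` taken from that token, so extracting anything from the mobile binary yields no way to read another user's bucket.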
p
The `secret_key` would also be used to make E2EE and be shared between devices through WebRTC.
I said that the bucket would belong to a "user", but the bucket would be more related to the `secret_key`, and everyone carrying the `secret_key` would have access to this bucket.
The concept is still WIP.