Is it possible to authenticate with supabase, but prevent any database queries without adding RLS to each table to disable it? Basically I plan on doing all db queries from the backend.
Scott P
02/11/2022, 10:41 PM
No. If you don't add RLS, the only security you would have would be security through obscurity - essentially hoping that no one figures out your public key (which would be impossible if you have people logging in)
If someone is able to figure out your public key (or it gets leaked somehow), then you've lost all semblance of security.
Scott P
02/11/2022, 10:43 PM
You could use the auth aspects for things like allowing users to generate an API key to access your API.
Users would send this API key as a header in all requests for example, and then you could use the service key on the server to map that key to a specific user to e.g. update their usage stats, check if they've hit some predefined allowances, etc.
honkstyle
02/11/2022, 10:47 PM
Hi Scott, thanks for replying. So essentially it sounds like if I want to proceed with my plan, I should just go ahead and enable RLS on all my tables, and have a policy like
... on table_name for select using ( false );
Scott P
02/11/2022, 10:54 PM
Yeah, that's the route I'd recommend.
It takes a bit of the pain out of the process since you have RLS policies which are as simple as can be, but the trade-off is that you have to deal with generating unique keys (if you go down the route of using a traditional API key approach), handling the mapping against specific users, and making sure any queries or functions you're running aren't at risk of changing records that they're not meant to.