# help
g
hey guys, i'm trying to create an app where an admin can invite other users to their group page from the UI. i see that there's a function https://supabase.com/docs/reference/javascript/auth-api-inviteuserbyemail inviteUserByEmail but i don't understand the note "This function should only be called on a server. Never expose your service_role key in the browser."
c
when you init the supabase client, you provide to it an API key
if you look into your settings in the dashboard
you will see that you have 2 keys
"anon" (a.k.a. "public"), which is OK to put in the code that you ship to the browser
and you also have a "service_role" (a.k.a. "secret") API key
some Supabase client methods, such as inviteUserByEmail(), will ONLY work if you initialized your client with the secret key
and the point here is that you should NEVER do that in code that you ship to the browser, because then users can read your secret key and can do many things against your DB that would NOT be desirable (e.g. they can bypass RLS)
so by "server" they mean any code that IS NOT shipped to the user's browser (this could be a Node.js server you are running yourself, serverless functions from providers like Firebase/AWS/Vercel, PostgreSQL stored procedures, etc.)
does this make sense?
g
this makes sense, yes, thank you. i have some complex roles in my db currently and maybe i need to find a better way to authenticate a user to a group
l
I'm currently working on workspace implementation for my project in supabase and I'm doing member invites on the server (API route in Next.js app). 1. I check if the user already exists by email and just add them as a workspace member 2. If the user doesn't exist, then I invite them and add them as a workspace member
g
where exactly in the app is that happening?
that's basically my use case
s
My app is not using NextJS but using SvelteKit and is doing exactly this, you can have a look at its repo here https://github.com/silentworks/waiting-list
The inviteUserByEmail happens inside of this file https://github.com/silentworks/waiting-list/blob/main/src/routes/api/invite.json.js, which is an API route, so server side only.