https://supabase.com/ logo
Join Discord
Powered by
how do you select a user from the users table? ```...
# help
n
how do you select a user from the users table?
Copy code
const userRes = await supabase
        .from('users')
        .select();
Trying to write a little auth middleware which maps a token -> user. I've tried 
users
, 
auth.users
, etc, it seems there is no table for it. "relation "public.auth.users" does not exist"
Hm I'm starting to wonder if supabase may simply be more complicated than another solution for this task. I want to generate API keys for users who can then pass their API key along with their request, then I can map their key -> their user object and grant access to my api according to various attributes of their profile/payment history/etc
I don't see how to get a user object in the first place, per my question that began this article, but then even once I do I suspect I'll quickly end up with RLS violations
Ah I suppose I can bypass the RLS side of this using the upgraded secret key since this will be happening server side
although it would be great if I could map API key -> user -> temporarily adopt the RLS permissions of that user -> query database
is that doable?
g
First you can't access auth.users table from js. Normally if you need stuff from that you use a trigger to set up a users table in public when a user row is created/updated. You could also access it with an rpc function.
Second RLS can use your own functions and other privileged tables, it does not have to use uid. It is also possible to read header info that your server provides which might work well as long as you have something in the RLS to only except with the service key. A client could fake the header.
n
Thanks @User . I'm not sure I follow you here in terms of RLS
g
I'm really not sure what your API key thing is. I'll certainly say using Supabase is easier to use if you use the UID as a users ID as it gets handled by the JWT and is reasonable secure either from client or from server. You can use to limit users to certain tables or individual rows, including if you want a public.users table you create and prepopulate with uid as key when a user is created in the auth.users table. If you need some other key what I said above is that you can potential pass it in a http header and use that as part of your RLS. There may be other ways also using custom JWT's, but that is beyond my pay grade. I have mainly been working with a static app, so no server code involved.
n
Ok got it, thanks very much for your help
m
@garyaustin hey i'm doing the same as @Nick i need to auth my user with apikey instead of email/password. i'm not sure how to get headers in RLS, i don't find it in the doc, my other solution is to forge a JWT server side and send it back the the use with special role, but it doesn't seem to work for now
g
@Martin INDIE MAKERS https://postgrest.org/en/stable/api.html#http-context getting headers
m
thanks 😇
@garyaustin do you have any idea why
Copy code
is_allowed_apikey((((current_setting('request.headers'::text, true))::json ->> 'capgo_apikey'::text)), '{read}'::key_mode[])
don't work but for exemple if i put any apikey in the RLS like that
Copy code
(((current_setting('request.headers'::text, true))::json ->> 'capgkey'::text) = 'r5aeP4zHdKt9LhC7k7hErgYn385C'::text)
It work
my posgress function seems to work when i call it from SQL
Copy code
Create function is_allowed_apikey(apikey text, keymode key_mode[])  
returns boolean  
language plpgsql
as  
$$
Declare  
 is_found integer;
Begin
  SELECT count(*)
  INTO is_found
  FROM apikeys
  WHERE key=apikey
  AND mode=ANY(keymode);
  RETURN is_found;
End;  
$$;
ok seems not related to headers in sql console 
select is_allowed_apikey('r5aeP4zHdKt9LhC7k7hErgYn385C'::text, '{read}'::key_mode[])
return true but the same in RLS don't 😆
g
Is your apikeys table protected by RLS?
If so you would need to make your function "security definer" (after language plpsql works).
m
Yes they are !
not sure what you mean
g
m
OMG thanks a lot
that solve my issue !
@garyaustin ❤️
g
security definer says the function runs with permissions of the user that created it versus calling it, so bypasses RLS.
PreviousNext
Powered by