Supabase is an open source Firebase alternative. Start your project with a Postgres database, Authentication, instant APIs, Edge Functions, Realtime subscriptions, and Storage.

Supabase

Hey guys, I've got a question: I've got a table in the public schema with RLS enabled and I'd like for `SELECT`, `INSERT` and `UPDATE` to be publically accessible with the Anon key, but only if the user knows either the `deviceId` or `userId`. I can't use `auth().id` because I want the API to be accessible even for users that have not yet registered. I just want people to prevent from querying the entire DB. How would I implement this using a policy?

There's no way to prevent someone from querying the entire table without RLS in place.

I would do the following:

 - Create RLS policies for (`insert` , `update`, `delete` and `select`) with the policy value simply set to `false`. This will prevent all operations against the table for anyone except admin or secret key, or postgres functions

 - Create some postgres functions which accept `userId` and `deviceId` parameters which will perform the query.

If you specify `SECURITY DEFINER` for the function when creating it, it will be able to bypass RLS.

Then, you would call those functions with `.rpc()`

<@!336983535074279444> thanks for the guidance, I'll look into it!

Another option is to pass your deviceId as a header (set when you init Supabase) and then use RLS to check that.   See the marked as answer here: https://github.com/supabase/supabase/discussions/4755