is there any way to use RLS without using the auth...
# help
m
is there any way to use RLS without using the auth object? Why? Because I'm building a store... so users don't want to sign up, they want to see all the products (table products is free to read) and add those products to the cart (table cart ???). This table cart is what I don't know how to do, because at first I was giving the user a uuid through a cookie and then using that cookie in every call, but I realized that anyone with my public supabase key could start reading / deleting other people's carts because I don't have a policy on the cart, because I don't have signed-up users yet... any ideas?
m
by the way I'm doing all the calls from the client not the server
this could be solved if I had 2 API keys, one for table products, another one for the table carts: fetching directly from the client to products and fetching from the server to carts. But I assume I can't have different API keys for each table
f
what if you enable the policy on the cart table?
n
malaleche (2022-04-04)
m
the problem Fernando is that if I enable the policy, people that haven't signed up can't add items to that table
f
but you need an identifier for those users
s
what is the purpose of saving the cart? do you want to send them abandoned cart emails?
if you don't want to do any operation, then you can save it in local storage and when they visit again you can show them the cart data -- if you want to send them emails then you can save them in the cart table and run a cron job hourly to send emails
m
yes, my scenario is: I would like to use the benefits of calling supabase directly from the client when possible, for example reading products... But this is a store and not the typical case where the user has to sign up first to start "writing" in the database... this is a store, so there are no signups... I want visitors to add items to their carts (from the client if possible) but if not... I will have to do it from the server, but it seems to me that I will have to do all the calls from the server for the whole application, because if I want any user to be able to write in the cart table... if they have access to the public key they could delete all or read others...
s
as mentioned in my earlier message --- if you don't want to do any operation, then you can save it in local storage and when they visit again you can show them the cart data -- if you want to send them emails then you can save them in the cart table and run a cron job hourly to send emails ---
this is how Shopify does it, I believe
f
@User Firebase had anonymous auth but that feature is still pending on GoTrue https://github.com/supabase/gotrue/issues/68
m
yeah, preferably cookies in case they close the browser... that's an option too I guess...
s
correct
m
I will have a read thanks
yes I guess I can add the cart later in the database... using the private key...
I want to be able to send them abandoned cart emails...
s
that you can send them once you have collected contact info, right
m
yes but they need to upload an image in their cart
s
which you can enable RLS on, and store in the cart table
you can store the entire object in JSON / JSONB in a single column,
f
an image in the cart, that's weird, what's the reason?
m
we want them to customize the product
like when you upload an image to customize your mug
s
like customizing T-shirts
m
yes
f
oh gotcha
m
I don't know why but the apps I'm asked to build are normally the weird scenarios xD
I know I can do everything through the server without sharing the public API key of supabase in the browser... But then it came to my mind: can I reduce the latency by querying directly from the browser? Then I saw reading products was reduced to 100ms from the 400ms it took earlier through my server API endpoint... but then I arrived at the problem of, wow, wait, for products I can add a policy to only read, but for carts... if they haven't signed up yet and I'm allowing them to add cart items from the client... they could read other people's carts... or even delete them...
I think I'm going to just do everything in the server... it's more secure. If I could require a signup to start adding items to the cart it would be easy but ....
I've been thinking about creating randomIDuser@random.com users... and saving that randomId in the cookie and signing them in secretly... but that's weird and probably high cost
what the first comment says that you mentioned @User
f
yep, another option could be to use Firebase
to create the anonymous user id
Firebase will load that user session in the browser every time the user accesses your web, but I think then you need a hack to parse the header
before sending it to the supabase backend
m
thank you
yeah, but at this point I prefer to stick with Supa and route all calls through my API, 200ms-400ms per call is not that bad... I guess...
I'm learning a lot, thank you guys