Hi, all! 👋 Question about getting Realtime to wor...
# help
k
Hi, all! 👋 Question about getting Realtime to work for a table that has RLS policies enabled – In my app, Stripe fires off a webhook to my `/api/stripe-webhooks` endpoint, then I make an update to my `profiles` table using the data I receive. Even though I have Realtime turned on for that table and my client-side app has subscribed to receive `UPDATE`s, no Realtime events are received. This is because I have row-level security (RLS) enabled for the `profiles` table, and when my `/api/stripe-webhooks` endpoint handler function is called, no user is authenticated, so the RLS checks fail. How can I keep RLS activated to lock down access to my `profiles` table, but still receive Realtime updates in my client-side app when the current user's row in the `profiles` table gets updated?
More Details:
- I'm using username/password auth.
- The RLS policy on my `profiles` table is `uid() = id` for all CRUD operations.
- I'm using SvelteKit and the supabase-js client for the client-side app.
Thanks in advance for any help you can give! 🙌
g
Your discussion is somewhat confusing to me. I'm not sure where realtime comes in as the issue yet. If I read it correctly, it sounds like your issue is with your api doing the update of the profile table because of RLS. If your endpoint is on a server you can use service key to do the update operation.
n
Kellen Mace (2022-03-14)
k
Thanks for the reply @User 👍
I'll frame it differently to hopefully provide more clarity –
When I have RLS disabled, everything works flawlessly, like this:
1. Stripe fires off the webhook
2. My API endpoint handler function uses the service key to perform the update to the `profiles` table
3. Supabase Realtime sends the change event to the frontend JS app, and the UI re-renders
As soon as I enable RLS for the `profiles` table, #3 stops happening
That's because before sending the Realtime `UPDATE` event, Supabase checks to see if the user is authenticated and has the permissions necessary. Since no user is logged in, the Realtime update is never sent.
g
Realtime looks only at who subscribed to the event, not who did the insert. Are you saying your client is not logged in?
If you want to subscribe as anon, then you would have to create a non-RLS table and use a trigger on profiles to update it.
k
Hmm, ok
My client is logged in via username/password auth in the browser
I don't think they're authenticated on the other end, when requests are sent to Supabase, though
g
Basically realtime gets a copy of any table updates you have replication turned on for, no matter how they were updated. Then if there is a subscriber to that table it will run RLS check on that user.
k
(my auth is not cookie-based, though. It looks like username/password auth saves the auth token to localStorage)
g
The websocket should look something like this for a logged in user (notice the tokens):
Are you calling supabase realtime from the server based on a client call to the server?
If so, then yes you will need to pass at least the user token to your server api. Then use setAuth(token) and possibly getUser(token) if you need the uuid for a filter.
Sorry setAuth(token).
k
I'm doing this:
So you can see that immediately after the user signs in, I'm attempting to subscribe to realtime updates
That works fine when RLS is disabled, but not when it's enabled.
Since ^ that code is running client-side, do you think I need to do anything differently to make the server "aware" of the currently logged in user?
g
No. If that is running client side it should work if user meets RLS. Supabase.js/realtime.js take care of sending the tokens as I showed. You are on the latest drivers?
k
Ok, thanks
Sorry, what do you mean by "drivers"?
g
supabase.js
k
Gotcha. I'm on `1.22.6`, so not the latest. I can bump it.
Looks like the latest is 1.31.1
g
If you are really on 1.22 that is a problem. That was way before the new RLS realtime stuff was added.
k
Oh, yikes. Thanks for the heads up 👍
@User Circling back to this – I updated the supabase-js NPM package and tried the realtime stuff out again, and it is now working great!
So it ended up being that simple
Thanks so much for your help! I really appreciate you taking the time to talk through it with me! 🙌