# help
u
I know that by default, when you use the supabase client with the public api key, you can do joins. An example is User table -> Account table.
u
The problem with this: I don't want anyone from the app to do the join operation and retrieve the account table (in case the user doesn't own the record).
I think this goes for both postgrest and pggraph.
I want to secure the account table from unauthorized access.
g
What you seem to describe is a basic RLS situation, where you would lock the account table with a select policy for only the record whose user_id matches auth.uid().
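The policy described in that answer, written out as an added example (this is not code from the thread or from Supabase; the `public.account` schema and the sample uuid are assumptions):

```sql
-- Added example, not from the thread. Assumed schema:
--   public.account(id uuid primary key,
--                  user_id uuid references auth.users(id),
--                  balance numeric)
-- Goal: a signed-in user can only read account rows they own.

alter table public.account enable row level security;

-- With RLS enabled and no policy at all, anon and authenticated get zero rows.
-- This policy opens reads only for the owner; no insert/update/delete policy
-- is created, so writes through the API stay blocked.
create policy "account_select_owner"
  on public.account
  for select
  to authenticated
  using (user_id = auth.uid());

-- Optional check from psql, assuming the connected role may SET ROLE.
-- auth.uid() reads the "sub" claim from request.jwt.claims, so simulate a JWT:
set role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}',  -- constructed uuid
                  false);
select * from public.account;   -- only rows whose user_id is that uuid
reset role;
```

Because the policy lives on the table, it also applies when the client reaches `account` through a join: a PostgREST embedding such as `select('*, account(*)')` on the user table still returns only the caller's own account rows inside the embedded result, and other users' accounts are simply absent rather than exposed.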
n
__ianjasper (2022-05-26)
u
if ever, can you lock certain field?
Can Supabase handle things like, for example, in the user table you have an email field, and it is always omitted in the response returned to the client? I'm thinking that I don't want to expose the email value depending on the role (maybe if not an admin).
Anything under the user will be returned.
Omit the email field (as security) if not an admin role.
g
Probably the easiest thing to do is put the "secure" columns in another table. Postgres does have column security, but it is based on Postgres roles and not on auth. Views can also hide a column. You can also block the table with RLS and then use an rpc call to a security definer function to return just the rest of the row.
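Two of the options from that answer, the column-omitting view and the RLS-plus-security-definer RPC, as an added example (not code from the thread or from Supabase). The `public.profiles` table, its `role` column and the `get_profile` function name are assumptions made for the illustration:

```sql
-- Added example, not from the thread. Assumed schema:
--   public.profiles(id uuid primary key references auth.users(id),
--                   display_name text,
--                   email text,          -- the column to hide from non-admins
--                   role text)           -- 'admin' or something else
--
-- Option 1: a view that simply leaves the sensitive column out.
-- Caveat: a view created by the postgres role runs with its owner's rights, so
-- RLS on profiles does NOT filter rows through it. On Postgres 15+ you can add
-- "with (security_invoker = true)" so the caller's RLS applies again.
create view public.profiles_public as
  select id, display_name
  from public.profiles;

-- Option 2: lock the base table with RLS (no select policy, so the client
-- cannot read profiles directly) and expose a security definer function that
-- decides per call whether email is included.
alter table public.profiles enable row level security;

create or replace function public.get_profile(target_id uuid)
returns table (id uuid, display_name text, email text)
language sql
security definer
set search_path = public          -- pin the path: the function runs as its owner
as $$
  select p.id,
         p.display_name,
         case
           when exists (select 1
                        from public.profiles me
                        where me.id = auth.uid()
                          and me.role = 'admin')
             then p.email
           else null               -- non-admins get null instead of the email
         end as email
  from public.profiles p
  where p.id = target_id;
$$;

-- security definer bypasses RLS, so restrict who may even call the function;
-- the admin check inside the body is what actually protects the column.
revoke execute on function public.get_profile(uuid) from public, anon;
grant execute on function public.get_profile(uuid) to authenticated;
```

From the client this is reached with `supabase.rpc('get_profile', { target_id: '<uuid>' })`; the table itself stays unreadable through the normal `from('profiles')` path. The point of keeping the `auth.uid()` check inside the function is that a security definer function does not inherit the caller's RLS, so any row or column filtering has to be written into the body explicitly.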