Hello, I am implementing Supabase with Angular and...
# help
a
Hello, I am implementing Supabase with Angular and I use the Supabase API from Typescript, the problem that I am seeing is that when I want to use a Postgresql function that receives parameters, since the format of the parameters is a JSON, I observe that in the payload of the call to the API end-point that data is totally visible, therefore totally insecure... do you know if there is something that can be done so that it travels encrypted or something similar. Thanks for your time
g
Is https encryption not enough for the data transfer from client to SB and back? You could encrypt your parameters and return data with rpc functions further if you desired.
a
If I encrypt my parameters, how do I decrypt it in the postgresql function?
that is the beginning of my function
and that is the JSON that I sent in the parameter... in the Angular App I have an AES cipher... but how do I implement it on the PostgreSQL side?
@User I need your help
g
You don't need to call out support here, it is poorly named as SB support is not directly connected to this Discord, this is mainly users helping users with some SB staff jumping in.
The only thing I know of is pgcrypto on the postgres side.
I've only seen some users trying to store encrypted info from client back to client, mainly so it is not visible on database side. I've not seen anyone trying to do more than https for network encryption. What are you trying to protect from?
a
Sorry, I didn't know I couldn't call support
g
Not your fault, it is poorly named...
a
I am concerned about this situation... when uploading my Angular App to netlify.com (it uses HTTPS) to test how it behaves... I go to the functionality that makes use of the call of the function via API from Supabase to PostgreSQL and I observe in the Chrome DevTools what I show in the image
I am concerned that anyone with the knowledge to do F12 and go to the Network tab, can see the information... and for now it is not sensitive, but it will be in future new functions that I must continue to implement
g
I don't know anything about Angular, but with browser code like javascript, anything in your code is visible to someone on the client with effort. It is not just in the developer console.
Devtools just shows what the browser has before it encrypts and sends out with https. You would have to look at your router or some such to see the encryption leaving the client.
a
yes, you are right and I understand that, that is why in almost all the Typescript code in Angular that is later transcribed to obfuscated javascript, I add an encryption layer and in turn obfuscate it using variable and function naming methods. Before I was doing the same project but using Firebase as BaaS and at no time did I detect that the data travels in a visible way...
I honestly didn't know this, I don't have much knowledge about what happens in https and all that stuff.
g
You could also try asking on Supabase github discussions. Or wait if others have answers for you. I don't recall Firebase being any different. I assume any data on the client is the user's data and if they want to hack or see it that is fine. I just don't want someone not that user/client to see it once it leaves and https does that. That was the big push for https and why banks went to it first. Also, that is part of why SB uses JWTs for security info so the user/client can not change it.
a
Thank you very much for your time and comments, I am clearly realizing that I need to do more research on how JWT and SB work together.