I'm working on a web app using a Node.js backend and a React frontend, with Supabase/Postgres as my database. Right now, I'm using the Supabase service key in my backend API for database access, which skips Row Level Security (RLS). My Node.js middleware ensures security, allowing access only to logged-in users and restricting certain features to admin users based on my custom authentication table. I'm considering creating my own Postgres role and implementing RLS but I'm unsure if it's necessary since my API handles authentication. Any thoughts?
4 Answers
Just remember to enable RLS to block unauthorized access from the `anon` role via the public APIs that Supabase provides.
RLS is really useful if you're directly allowing users to hit your database from the frontend, which is generally not a good practice. Since you're using a backend API, just rely on the service key, but ensure you have solid checks to prevent unauthorized access.
Thanks for clarifying! I’ve heard mixed feedback about using the service key in production but wasn’t sure why. I only use it as a backend .env variable to access the database.
If you’re just using the Supabase service key from your backend and have good authentication checks in place, you technically don’t need RLS right now. Your backend is essentially your security layer. But it's risky to rely solely on this. If there are bugs or future changes, your API could be bypassed. It’s advisable to implement RLS as an additional safety measure—think of it like having both a door and a gate. Stick to your backend checks, but also set up RLS for crucial tables, especially those tied to user info.
It definitely makes sense to implement RLS gradually, especially for critical data. Don’t hesitate to start simple and improve security as you go!
Thanks for the insights! I’m still thinking about adding RLS and creating a new Postgres role soon. Do you think it’s too much risk to release an MVP with RLS enabled without rules and just the service key? I’m not a professional developer, and I worry that I might make mistakes with RLS and roles.
Absolutely, this could be risky since decisions made at the frontend could slip through if RLS isn't applied directly. It's best to enforce security via RLS in tandem with your backend checks for robustness.
But isn’t the data API made by Supabase just hitting PostgREST to communicate with the database? So, it's not like I’m directly exposing my database to the frontend, right?
Yes, I have RLS enabled on all tables, without rules applied, which I believe means that access is not allowed by default. I only bypass this with the service key.
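For anyone reading this thread later, here is the "RLS enabled, then policies for user-tied tables" setup the answers above recommend, written as an added example rather than code from any poster. It assumes two hypothetical tables, `public.notes(id, owner_id uuid, body text)` and `public.profiles(id uuid, is_admin boolean)`, the latter standing in for the custom auth table; `auth.uid()`, `anon`, `authenticated` and `service_role` are Supabase's own.

```sql
-- Added example (not from the thread). Hypothetical tables:
--   public.notes(id, owner_id uuid, body text)
--   public.profiles(id uuid, is_admin boolean)  -- stands in for the custom auth table

-- 1. Turn RLS on. With no policies every row is denied to anon and
--    authenticated through PostgREST; service_role still bypasses RLS.
--    This is the "RLS enabled, no rules, service key only" state from the thread.
alter table public.notes enable row level security;

-- 2. Owners may read their own rows when the frontend hits PostgREST directly.
create policy "notes: owners read own"
  on public.notes
  for select
  to authenticated
  using (owner_id = auth.uid());

-- 3. Owners may only insert rows that belong to them.
create policy "notes: owners insert own"
  on public.notes
  for insert
  to authenticated
  with check (owner_id = auth.uid());

-- 4. Owners may update their rows but cannot re-assign them to someone else.
create policy "notes: owners update own"
  on public.notes
  for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 5. Admins (flag on the custom table) may read every row.
create policy "notes: admins read all"
  on public.notes
  for select
  to authenticated
  using (
    exists (
      select 1
        from public.profiles p
       where p.id = auth.uid()
         and p.is_admin
    )
  );

-- Check: list the policies now in force on the table.
select policyname, cmd, roles, qual, with_check
  from pg_policies
 where schemaname = 'public'
   and tablename  = 'notes';
```

The admin policy reads `public.profiles` as the calling user, so if that table also has RLS enabled it needs a matching select policy (or the lookup moves into a `security definer` function); otherwise the `is_admin` flag is invisible and the admin policy silently grants nothing.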