# PostgREST-Lite: Auth & RLS Demo

POC SQLite PostgREST with Auth + Row-Level Security

- **Unauthenticated users**: Can only see published posts
- **Authenticated users**: Can see all posts (published + unpublished)

## Setup

1. Install: `pip install supabase`
2. Start server: `npm run dev:auth-demo`
3. Run this notebook!

In [1]:
from supabase import create_client, Client
from IPython.display import JSON, display

BASE_URL = "http://localhost:3000"

# Get this from the server output when you run: npm run dev:auth-demo
ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzYxNTAwODE1LCJleHAiOjIwNzcwNzY4MTV9.wV0xv6p6bzdGctV9d8FdQ7GqVuZIZW--fG-hANbYrmY"

# Initialize Supabase client
supabase: Client = create_client(BASE_URL, ANON_KEY)

print("✅ Supabase client initialized!")
print(f"🌐 Server: {BASE_URL}")

✅ Supabase client initialized!
🌐 Server: http://localhost:3000


## Unauthenticated - Read Posts

Without authentication, you can **only see published posts**.

RLS Policy blocks unpublished posts.

In [2]:
# Query posts without authentication
response = supabase.from_('posts').select('*, comments(id, content)').execute()

print(f"📖 Found {len(response.data)} posts:")
display(JSON(response.data, expanded=True))

print("\n💡 Only published posts are visible (id=1, id=2)")
print("   The draft post (id=3) is hidden by RLS")

📖 Found 2 posts:


<IPython.core.display.JSON object>


💡 Only published posts are visible (id=1, id=2)
   The draft post (id=3) is hidden by RLS


## Sign Up

Create a new user account using Supabase client.

In [3]:
# Sign up a new user
signup_response = supabase.auth.sign_up({
    "email": "alice@example.com",
    "password": "password123"
})

if signup_response.user:
    print("✅ User created successfully!")
    print(f"   User ID: {signup_response.user.id}")
    print(f"   Email: {signup_response.user.email}")
else:
    print("⚠️  User may already exist - try logging in!")

✅ User created successfully!
   User ID: d46776dd-03a6-458b-9376-9da302fb237f
   Email: alice@example.com


## Login

Login to get an authenticated session.

In [4]:
# Login with email and password
login_response = supabase.auth.sign_in_with_password({
    "email": "alice@example.com",
    "password": "password123"
})

if login_response.user:
    # Extract token and explicitly set it for PostgREST requests
    token = login_response.session.access_token
    supabase.postgrest.auth(token)
    
    print("✅ Login successful!")
    print(f"   User ID: {login_response.user.id}")
    print(f"   Token: {token[:50]}...")
    print("\n💡 The Supabase client is now authenticated!")
    print("   All subsequent requests will use your JWT token")
else:
    print("❌ Login failed")

✅ Login successful!
   User ID: d46776dd-03a6-458b-9376-9da302fb237f
   Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkN...

💡 The Supabase client is now authenticated!
   All subsequent requests will use your JWT token


## Authenticated - Read All Posts

Now that you're authenticated, you can see **ALL posts** (including unpublished).

In [5]:
# Query posts WITH authentication
response = supabase.from_('posts').select('*').execute()

print(f"📖 Found {len(response.data)} posts:")
display(JSON(response.data, expanded=True))

print("\n💡 Now you can see ALL posts (id=1, id=2, id=3)")
print("   Including the draft post that was hidden before!")

📖 Found 3 posts:


<IPython.core.display.JSON object>


💡 Now you can see ALL posts (id=1, id=2, id=3)
   Including the draft post that was hidden before!


## Migrate Schema - SQLite to Postgres

In [None]:
from sqlalchemy import create_engine, MetaData, Table, Integer, Identity, insert, select
from sqlalchemy.engine.reflection import Inspector

# Connection strings
sqlite_url = ""
pg_url = "postgresql+psycopg://user:pass@host:5432/dbname"

# Engines
e_sqlite = create_engine(sqlite_url)
e_pg     = create_engine(pg_url)

# Reflect sqlite
src_md = MetaData()
src_md.reflect(bind=e_sqlite)  # optionally: only=['t1','t2']

# Clone into new MetaData for postgres
dst_md = MetaData()
tbl_map = {}  # sqlite Table -> new Table

# Minimal Pre-processing
for t in src_md.sorted_tables:
    # copy columns with minimal tweaks
    cols = []
    for c in t.columns:
        newc = c.copy()  # copies name, type, nullability, defaults, etc.

        # Example: drop sqlite-only onupdate
        if hasattr(newc, "onupdate"):
            newc.onupdate = None

        cols.append(newc)

    # copy constraints
    new_t = Table(t.name, dst_md, *cols, *[c.copy() for c in t.constraints], *[i.copy() for i in t.indexes])
    tbl_map[t] = new_t

# Create schema in postgres
dst_md.create_all(bind=e_pg)

## Migrate Data

In [None]:
with e_sqlite.connect() as sconn, e_pg.begin() as ptx:
    for t in src_md.sorted_tables:
        rows = sconn.execute(select(t)).yield_per(1000)
        if rows.returns_rows:
            p_tbl = tbl_map[t]
            # column order match
            cols = [c.name for c in p_tbl.columns]
            batch = []
            for r in rows:
                batch.append({k: r[k] for k in cols if k in r._mapping})
                if len(batch) == 1000:
                    ptx.execute(insert(p_tbl), batch)
                    batch.clear()
            if batch:
                ptx.execute(insert(p_tbl), batch)