Best way to allow backend access for certain functions? #3387
-
I'm wondering if there is a suggested pattern for allowing backend access to specific functions using the For context, we decided to implement the schema isolation design discussed here whereby we have a private In a frontend scenario, I am running ownership checks based on Given that Supabase (last checked) only exposes the My first impression is that it could be as simple as only allowing Thanks!
Replies: 2 comments
-
What's the context your backend operations will be running in? Are they also meant to use the authenticated user context? You could run your backend exclusively with the When using the service_role key, you would need to evaluate authorization within your backend logic. E.g. you can use Here an example of getting the user from their token: https://github.com/supabase/supabase/blob/master/examples/nextjs-with-supabase-auth/pages/api/getUser.js
-
If you check the service key contents, it has a role claim which is mapped to a service_role postgres role (you can check this with auth.role()). So yes, it should be similar with the difference that an auth.uid() is not present because service_role is not a web user (not mapped to a row in auth.users).
Yes, that would work, you could create another role and do GRANT EXECUTE on your functions on it. Keep in mind that there's a gotcha right now for adding extra roles #1925.
If your new role can EXECUTE the function then the DEFINER property will work as usual.
By creating a custom JWT with a "role" claim equal to your new postgres role and passing that as a header (postgrest-js has a function for that).
As long as you test your role can only execute whitelisted functions and not read/write tables/views, etc - it should be a safe pattern.
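The role-whitelisting pattern from the reply above, written out as an added SQL example (this is not code from the discussion or from Supabase). The schema "private", the function private.rotate_invite(uuid), the table private.invites and the role backend_caller are assumed names; the role name is the value the custom JWT's "role" claim would carry.

```sql
-- Added example: a dedicated Postgres role that may only EXECUTE a
-- whitelisted function. Names below (private, rotate_invite, invites,
-- backend_caller) are assumptions for illustration.

-- The role PostgREST switches to when the JWT carries {"role": "backend_caller"}.
create role backend_caller nologin;

-- PostgREST connects as "authenticator" and must be allowed to SET ROLE to it.
grant backend_caller to authenticator;

-- USAGE on the schema is needed before any object in it can be reached.
grant usage on schema private to backend_caller;

-- Caveat: Postgres grants EXECUTE on a new function to PUBLIC by default, so
-- every role can call every function until that default is revoked. Revoke it
-- for existing functions and for functions created in this schema later.
revoke execute on all functions in schema private from public;
alter default privileges in schema private revoke execute on functions from public;

-- Now the whitelist is exactly what is granted here. If rotate_invite is
-- SECURITY DEFINER it runs with its owner's privileges, so backend_caller
-- never needs table grants of its own.
grant execute on function private.rotate_invite(uuid) to backend_caller;

-- Check, as the reply recommends: impersonate the role and confirm it can
-- run the whitelisted function but cannot read or write the underlying table.
set role backend_caller;
select has_function_privilege('private.rotate_invite(uuid)', 'execute');
select has_table_privilege('private.invites', 'select');
select has_table_privilege('private.invites', 'insert');
reset role;
```

Run the two has_table_privilege checks against every table and view in the private schema (for example by iterating over information_schema.tables) before minting JWTs for the new role.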