User authentication with RLS receive an empty response when requested via Postman

[jesedugal]

I create a supabase database with user authentication. When Auth user is created the same user is automatically created in my internal table users, where the auth_user_id is also added in a column for reference (link). Everything works as intended.

By default I set RLS plocies disabled for users table and to test this I use Postman by doing the following actions:

1. I request an access token (JWT) for a given user via POST and using the anon public Key from supabase in header

• POST https://.supabase.co/auth/v1/token?grant_type=password

Headers:  apikey=anon_public_key  &  Content-type=application/json
Params: grant_type=password
Body:
{
  "email": "dev@mail.com",
  "password": "test"
}

2. I use the access token (JWT) via GET to consult the data for a user, like signing in.

• GET https://.supabase.co/rest/v1/users

Headers:  apikey=anon_public_key  &  Authorization=Bearer access_Token
Body: <empty>

or

• GET https://.supabase.co/rest/v1/users?select=*

Headers:  apikey=anon_public_key  &  Authorization=Bearer access_Token
Body: <empty>

The response received in Postman depends on the status of the only RLS policy I have defined in sudabase for table users. Below the RLS policy being used:

alter policy "Users can view their own user data"
on "public"."users"
to authenticated
using (
  (auth_user_id = (current_setting('request.jwt.claim.sub'::text, true))::uuid)
);

or even

create policy "Enable users to view their own data only"
on "public"."users"
for select
to authenticated
using (
  (select auth.uid()) = user_id
);

When RLS policy is disabled
Response receive after GET in Postman:
Postman receive a successfull response (200) containing the list of all existing users in my database

When RLS policy is enabled
Response receive after GET in Postman:
Postman receive a successfull response (200) but empty.
In this case I was expecting to receive data only for the user with email=`dev@mail.com' for which the access_token was created.

I already tried to adjust the RLS Policy in different ways but always receive an empty response when requesting it via Postman.
Is there any missing configuration somewhere in supabase (users table, auth user, policy, ...) ? or any missing setup/parameters when GET via Postman?

[GaryAustin1]

What is your id column in public users? You show auth_user_id in one policy and user_id in the 2nd policy. The 2nd policy looks correct IF you have a column called user_id.
Does that column have the user id from the sub claim of the JWT in it?
Check the JWT you get back from sign in with jwt.io to see if it is the user you expect.

[jesedugal]

Hi,

Thanks for your feedback, it provides enough info. I see it was a rookie mistake variable names were not correctly written. I just updated the policy as follows (via SQL Editor) and now it is working.

DROP POLICY IF EXISTS "Allow users to read their own data" ON public.users;

CREATE POLICY "Allow users to read their own data"
ON public.users
FOR SELECT
TO authenticated
using (
(select auth.uid()) = auth_user_id
);

Thanks a lot man!
Cheers.