RLS policies, proven - auto-generated pgTAP tests and auto seeded data (rlsautotest) #47191
munaf-khatri started this conversation in Show and tell
Hey all 👋
RLS is the security boundary of a Supabase app, but writing pgTAP tests for it by hand is tedious — you fake each identity, seed matching rows for every policy, and assert who can do what — so it usually gets skipped, and a wrong policy ships as a silent data leak.
I built rlsautotest to close that gap.
You point it at your database and it:
The key idea: a generated test only means something if the data behind it matches the policy and the identity. So it works backward from each policy to the exact rows that satisfy and violate it ("reverse-predicate seeding"). "Owner can see their row" is checked against a row that's actually theirs; "another tenant can't" against a real, different tenant.
```bash
pip install rlsautotest

# quick check — access report in your browser, nothing saved
rlsautotest --db-url "$DATABASE_URL" --schema public --html rls-report.html

# or generate a pgTAP suite to commit + run in CI
rlsautotest --db-url "$DATABASE_URL" --schema public --emit supabase/
```
It's free and open source (Apache-2.0), built on pgTAP and the basejump test helpers (thank you 🙏). It's beta — I've run it against real Supabase schemas and a multi-tenant corpus, and it's built to never emit a false-passing test: anything it can't prove soundly is marked, not faked.
A deeper write-up on testing RLS with pgTAP: https://unitautogen.com/blog/most-postgres-rls-ships-untested.html
Would love feedback — especially policies/edge cases it doesn't handle well. Happy to dig into any schema you throw at it.
Repo: https://github.com/unitautogen/rlsautotest
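For readers unfamiliar with the shape of such a suite, here is a hand-written pgTAP test in the style described above, added as an illustration (it is not rlsautotest output nor code from the repo): an owner-only SELECT policy, one row seeded to satisfy its predicate for the tested identity and one seeded to violate it, then assertions per identity. It assumes the basejump supabase-test-helpers are installed (tests.create_supabase_user, tests.get_supabase_uid, tests.authenticate_as, tests.clear_authentication, tests.rls_enabled) and the `notes` table and policy are constructed for the example.

```sql
begin;
select plan(4);

-- Table and policy under test (constructed for this example, not a real schema)
create table public.notes (
  id       serial primary key,
  owner_id uuid not null,
  body     text not null
);
alter table public.notes enable row level security;
create policy notes_owner_select on public.notes
  for select to authenticated
  using (owner_id = auth.uid());
grant select on public.notes to authenticated;

-- Guard: a table without RLS would make every later assertion meaningless
select tests.rls_enabled('public');

-- Two real identities, so "another user" is a genuinely different auth.uid()
select tests.create_supabase_user('alice');
select tests.create_supabase_user('bob');

-- Reverse-predicate seeding: one row that satisfies the policy for alice,
-- one that violates it (it satisfies the predicate only for bob)
insert into public.notes (owner_id, body) values
  (tests.get_supabase_uid('alice'), 'alice private note'),
  (tests.get_supabase_uid('bob'),   'bob private note');

-- Positive case: the owner sees exactly their own row and nothing else
select tests.authenticate_as('alice');
select results_eq(
  $$ select body from public.notes order by body $$,
  $$ values ('alice private note') $$,
  'owner can read their own row and only that row');

-- Negative case: a different authenticated user gets zero rows of alice's
select tests.authenticate_as('bob');
select is(
  (select count(*) from public.notes where body = 'alice private note'),
  0::bigint,
  'another user cannot read the owner''s row');

-- Anonymous role is outside the policy's "to authenticated" and sees nothing
select tests.clear_authentication();
select is_empty($$ select * from public.notes $$,
  'anon role sees no rows');

select * from finish();
rollback;
```

Run it with `supabase test db` (or `pg_prove`) against a database where pgTAP and the helpers are installed; the rollback keeps the constructed table out of your schema.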