Is Postgres RLS a must have?
Hi guys, if I'm using TRPC's protectedProcedure in my routers, is it recommended to enable and set up row-level-security for my Postgres DB? Or do protected routers in TRPC make RLS redundant? Thanks!
4 Replies
Hi!
Any thoughts you had after 1 year of asking this?
I think its a good question and i'm still contemplating this myself :S
My thoughts would be that RLS is needed to secure from accidental errors in queries you made to the DB where you forgot to isolate for orgId and userId or something.
But would be interested in hearing other people thoughts on this
I honestly still don’t have a definitive answer but I think for most use cases RLS is not required
Hey Tim Apple, if you already have everything planned and well organized, RLS makes things simpler. You can just
SELECT * everywhere safely without worrying about having the right WHERE all the times. Also means you can’t accidentally return things to unauthorized users.
Also means if you build another backend later in any language or framework, RLS covers that too.
Protected procedures protect your database access, but it doesn’t protect specific tables or rows, which means more room for creating bugs and more code to write.
TLDR; RLS is better but with more code upfront. Protected procedures require more code, but is more flexibleIt's not required, unless you forget to authorize the currently authenticated user correctly.
E.g.: I am "logged in", but able to access someone elses information because you're not properly filtering it.