Prisma•3w ago
Eugen

Prisma + Supabase RLS

Conceptual question: is there a way to pass the user access token (JWT from supabase auth) when connecting from prisma ORM JS (or prisma-postgres) to Supabase to restrict the connection to the user's authenticated role and enable RLS policies that use supabase's auth.uid() etc?
3 Replies
Prisma AI Help•3w ago
You opted for speed from this bot. Let's conjure up an answer right now!

Yes, it is possible to pass the user access token (JWT) from Supabase auth when connecting from Prisma ORM to Supabase to enable Row Level Security (RLS) policies. This can be achieved using Prisma Client Extensions. Here's a conceptual overview of how this can be implemented:

1. Create a Prisma Client Extension that sets the JWT claims for each database query.
2. Use this extension to wrap your Prisma queries, ensuring that the RLS policies are applied.

Here's an example of how this might look:
import { Prisma } from '@prisma/client'

// options.claimsSetting: name of the Postgres setting the RLS policies read
// (Supabase's auth.uid() reads 'request.jwt.claims').
// options.claimsFn: returns the verified JWT claims of the current request.
const useSupabaseRowLevelSecurity = (options) => {
  return Prisma.defineExtension((client) =>
    client.$extends({
      query: {
        $allModels: {
          async $allOperations({ args, query }) {
            const claims = options.claimsFn ? JSON.stringify(options.claimsFn() || {}) : '';
            // set_config(..., TRUE) is transaction-local, so the setting and the query
            // have to run inside the same transaction; the array form of $transaction
            // runs both statements in one transaction, in order.
            const [, result] = await client.$transaction([
              client.$executeRaw`SELECT set_config(${options.claimsSetting}, ${claims}, TRUE)`,
              query(args),
            ]);
            return result;
          },
        },
      },
    })
  );
};
This extension sets the JWT claims in the database session before executing each query, allowing the RLS policies to use auth.uid() and other Supabase auth functions. To use this extension:

1. Create an extended Prisma client with the RLS extension.
2. Use this extended client for your database operations.

It's important to note that this approach requires careful implementation to ensure security. You should also be aware of potential performance implications of setting session variables for each query. For more detailed information and implementation examples, you can refer to these discussions:

- Support for row-level security (RLS)
- Supporting session-dependent queries like Postgres' SET across queries of a request

Keep in mind that while this solution is workable, it's not an official feature of Prisma, and you should thoroughly test and validate it for your specific use case.
Nurul•3w ago
Hey 👋 I am checking to see if the response from Prisma AI Help was helpful and also if you have any follow up questions
Eugen (OP)•3w ago
It was partially helpful. I couldn't get an end-to-end example working though, so I gave up for now. If you have an example of how to use claims obtained from supabase RLS and set it up with prisma I'd be happy to give it another try.
