integrating with postgres rls (supabase)

hi. i'm trying to migrate off of supabase auth so i wanted to go with better-auth. my question is, how could i correctly use the JWT integration to set up RLS auth? do i need to always fetch the endpoint to get the JWT token, or could i get it auto-provided every time? that would be much simpler for setup. i need to set up RLS for maybe two days with supabase and then i'm migrating to neon (want auth and db to be staggered, don't want a big screwup to hit all at once)
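For the Postgres side of the question, here is an added example (not from the thread or from better-auth) of RLS policies that key on the `sub` claim of an externally issued JWT. It assumes Supabase has been configured to trust the better-auth JWKS, that the token carries the user id in `sub` and a `role` claim of `authenticated`, and it compares against a text column rather than `auth.uid()` because better-auth user ids are not UUIDs by default.

```sql
-- Added example, not from the thread. Assumes the better-auth JWT is
-- verified by Supabase (third-party JWKS) and carries sub + role claims.
create table if not exists public.notes (
  id       bigint generated always as identity primary key,
  owner_id text not null,   -- better-auth user id, matched against JWT `sub`
  body     text not null
);

-- Deny by default: with RLS on and no policy for `anon`, anon sees nothing.
alter table public.notes enable row level security;
alter table public.notes force row level security;

-- auth.jwt() exposes the verified claims PostgREST put in request.jwt.claims.
create policy notes_owner_select on public.notes
  for select to authenticated
  using (owner_id = (select auth.jwt() ->> 'sub'));

create policy notes_owner_insert on public.notes
  for insert to authenticated
  with check (owner_id = (select auth.jwt() ->> 'sub'));

create policy notes_owner_update on public.notes
  for update to authenticated
  using (owner_id = (select auth.jwt() ->> 'sub'))
  with check (owner_id = (select auth.jwt() ->> 'sub'));

-- Test in psql by simulating what PostgREST does for one request:
-- switch to the role named in the token and expose its claims.
begin;
  set local role authenticated;
  set local request.jwt.claims to '{"sub":"user_abc","role":"authenticated"}';
  insert into public.notes (owner_id, body) values ('user_abc', 'mine');
  -- succeeds: owner_id matches the sub claim
  -- insert into public.notes (owner_id, body) values ('user_xyz', 'spoof');
  -- would fail: new row violates row-level security policy for "notes"
  select id, owner_id, body from public.notes;
  -- returns only rows where owner_id = 'user_abc'
rollback;
```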
21 Replies
bekacru
bekacru2mo ago
@daveycodez might help but check the jwks plugin https://www.better-auth.com/docs/plugins/jwt
oof2win2
oof2win2OP2mo ago
yeah i saw that plugin + the usage davey has (https://discord.com/channels/1288403910284935179/1296058482289676320/1337526387967266847), just wondering how to set it up. what complicates it more i feel is me migrating auth and then db - it makes sense to do like this but makes some parts more annoying / painful
daveycodez
daveycodez2mo ago
The best way atm is to use the Tanstack library
daveycodez
daveycodez2mo ago
GitHub - daveyplate/better-auth-tanstack (https://github.com/daveyplate/better-auth-tanstack)
daveycodez
daveycodez2mo ago
This provides the useToken hook
oof2win2
oof2win2OP2mo ago
hell yeah, thank you. hey @daveycodez, do you by chance have any knowledge on how to get supabase working with better-auth? i've looked at your package, but i have no idea how to get supabase to cooperate with the better-auth tokens - do you know how by chance? i have this so far
```tsx
import { Database } from "@repo/types/supabase";
import { createBrowserClient } from "@supabase/ssr";
import { useToken } from "./use-auth-hooks";

// Builds a Supabase browser client that sends the better-auth JWT
// instead of a Supabase Auth session token.
export function useSupabase() {
  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
  const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

  // JWT fetched/refreshed by the better-auth-tanstack useToken hook
  const { token } = useToken();

  if (!supabaseUrl || !supabaseAnonKey) {
    throw new Error("Missing Supabase environment variables");
  }

  const supabase = createBrowserClient<Database>(supabaseUrl, supabaseAnonKey, {
    // supabase-js expects accessToken to be an async function returning
    // the bearer token (or null), not a plain string.
    accessToken: async () => token ?? null,
  });

  return supabase;
}
```
turns out i just had to forge my auth token on an api route and put some cache headers on it, kinda sick tbh
daveycodez
daveycodez2mo ago
Got it to work? great. One day I would suggest to migrate to Neon and implement a rate limiter, Supabase can be a lil risky
oof2win2
oof2win2OP2mo ago
yeah i know that's the next step - just need to set up proper auth so that i can migrate off supabase part by part. @daveycodez i've been looking more and more into this, saw the issue here and convos in discord. how would you ideally have the jwt support work? like it's just stored in the session or something so it can be used on both the client and server in the ideal case, and can be revalidated every 5m or something
daveycodez
daveycodez2mo ago
I'm hoping we can get an update where the JWT plugin simply adds "token" to sessionData so you have sessionData.session, sessionData.user, and sessionData.token. It can simply be synchronized with the session and signed every time you get a session, since it's 0ms latency to sign a new one. So every session refresh has a new JWT as .token. I might make my own plugin that does this in the future but my Tanstack solution is working for me in the meantime
XEDD
XEDD2w ago
Looking forward to this
daveycodez
daveycodez2w ago
I’m not gonna lie I’ve totally migrated to InstantDB and it’s awesome
XEDD
XEDD2w ago
Damn. No self hosted. Which is critical for me. (Heavy traffic)
XEDD
XEDD2w ago
With your tanstack have you achieved all nuances of authorization? https://github.com/daveyplate/better-auth-tanstack
daveycodez
daveycodez2w ago
there I just have the useToken hook which will get your JWT. It will also refetch before it expires, and when session changes
XEDD
XEDD2w ago
Damn.
Lucas
Lucas2w ago
@XEDD let me know how that goes. I just got away from Clerk exactly because dealing with the JWT token was so annoying. Didn't wanna have to go through this again. May I ask why you're moving away from supabase for DB?
bekacru
bekacru7d ago
Could you guys let me know the issue exactly? also a heads-up - we're collaborating soon with supabase to add direct integration
XEDD
XEDD7d ago
Basically. It's the JWT tokens, you can't manipulate them, force disconnect and etc. i would be glad using Cookie based auth. For example I'm creating my own role system which has its own subrole. yes that's not very secure. But the RLS policies should fix it. but still it's kinda pain in the ass because you cannot add your own [ 40+ ] roles, still you have to use direct Postgres. For permissions 🙂 RPC also for some functions. There is no ready steady variant currently for react based auth. Which kinda sucks. I hadn't these problems with PHP and MySQL 🙂 @Lucas i'm not moving away, i will just not use the InstantDB (overpriced). No self host option is pretty much a dealbreaker for me. I will host my own supabase instance on dedicated server eventually, i will launch geoblocked to my country Results system.
Lucas
Lucas7d ago
@XEDD as far as I know you can't manipulate the JWT but you can create and use a refresh token instead once the JWT expires. but as I've understood @bekacru there's no easy way to sync Supabase RLS with the JWT token directly through Better Auth right now - it would require manual setup. Correct?
bekacru
bekacru7d ago
Yea it does. Honestly, I haven’t looked much into it. I should pretty soon in preparation for the direct integration.
daveycodez
daveycodez7d ago
I thought Instantdb was a good price lol. But I'm looking at Triplit now for reasons