Row Level Security
Hi, I'm using better auth with Drizzle ORM and I want to implement RLS, similar to what supabase offers, how can I do this easily?
Thanks in advance!
16 Replies
take a look at jwks maybe @daveycodez could help regarding supabase setup
the thing is I want to add it to pure Postgres, without using Supabase 😉
I'm using Neon
I'm updating my tanstack library right now that has a useToken hook to use with JWT plugin
GitHub - daveyplate/better-auth-tanstack
You can use the useToken hook there
I'm working on another package for using RLS from the client https://github.com/daveyplate/neon-drizzle-tanstack
But it's in early stages, no Readme yet but feel free to dig around
GitHub - daveyplate/neon-drizzle-tanstack: Use Drizzle from the front end using Tanstack Query hooks, secured with Neon RLS
@daveycodez can I use it also when I'm not using neon?
I really want to make it on the pure Postgres
Well the neon package I made here uses their serverless driver to use RLS from the front end. For your use case you likely need to manually pass the JWT somehow via the backend. I’m not sure about pure Postgres RLS setup
You need RLS because you are using Supabase on your client, assuming for a mobile app?
Supabase on the client is super unsafe, you need to use a custom rate limiter
Just curious, why is it unsafe? @daveycodez
I can write a loop that gives infinite egress to any Supabase project in like 30 seconds
They have no protection for supabase-js on the client
Also using Supabase exposes your project's public Realtime channels and there's no way to turn them off
Those can be spammed freely
Exactly. Initially I used to use supabase-js on the client side. Now everything is behind a server backend. Enable RLS without worrying about somebody using your Supabase client to attack your db.
yes, agreed, but I wonder how I can implement rls on postgres itself, without the supabase nor neon 😉
I have no idea tbh but if you do figure out how to get it set up, let me know
PostgreSQL Documentation, 5.9. Row Security Policies: In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies …
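The plain-Postgres RLS setup the thread asks about, as an added example that is not from any of the posters or the projects linked above. It assumes a table named `documents`, an application role `app_user` that the connecting database user is a member of, and that the backend has already verified the better-auth JWT and pulled the user id out of it.

```sql
-- Added example: row security on plain PostgreSQL (no Supabase, no Neon).
-- Assumed names: table "documents", role "app_user", setting "app.user_id".
CREATE TABLE documents (
  id       bigserial PRIMARY KEY,
  owner_id text NOT NULL,   -- user id taken from the verified JWT "sub" claim
  body     text NOT NULL
);

-- The app must connect as a non-superuser: superusers and BYPASSRLS roles
-- always skip RLS, and the table owner skips it unless FORCE is set below.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;
-- GRANT app_user TO <your_connecting_role>;   -- placeholder, fill in your role

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL (or '' once the placeholder exists)
-- when no user id was set, so a request that forgot to set it sees nothing
-- and cannot insert anything: fail closed, not open.
CREATE POLICY documents_owner ON documents
  FOR ALL TO app_user
  USING      (owner_id = current_setting('app.user_id', true))
  WITH CHECK (owner_id = current_setting('app.user_id', true));

-- Per request, after the backend has verified the JWT. Everything sits in one
-- transaction and uses is_local = true, so the setting and the role revert at
-- COMMIT/ROLLBACK and a pooled connection cannot carry one user's identity
-- into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', 'user_123', true);  -- 'user_123' is a constructed value
INSERT INTO documents (owner_id, body) VALUES ('user_123', 'hello');  -- passes WITH CHECK
INSERT INTO documents (owner_id, body) VALUES ('user_456', 'nope');   -- rejected by WITH CHECK
SELECT id, body FROM documents;                       -- only rows where owner_id = 'user_123'
COMMIT;
```

With Drizzle the same `set_config` call goes first inside `db.transaction`, followed by the normal queries, so every statement in that transaction runs under the user's identity.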