Hi Eric and thanks for trying out RBAC in both Supabase and Netlify!
I am working on a Supabase-based app currently and will encounter this scenario soon, too.
Unlike Auth0 and Netlify, Supabase doesn’t send user role or permissions on the access_token.
Supabase has great security in the way of roles and policies that ensure only allowed actors can access or interact with your data at a specific level.
It’s important to recognize that when Prisma connects to the database it is doing so with `service_role` permission – it can query, delete, add, drop a table etc. Thus the app middleware needs to enforce things. Supabase’s js client passes along the JWT and then determines their PG role and policies from it and enforces what can happen at a low level.
But, we don’t/can’t? set that JWT when querying – though it would be great if we can. I happened to run across this discussion yesterday asking for “Support for Postgres’ SET command in raw mode/PG RLS policies in general”.
But until then …
For example, the `anon` role can’t do things that an `authenticated` role can.
But - (as I understand things) this is all done/setup/enforced at the Postgres database level.
There isn’t necessarily a mapping between this database role/policy and a user “app/business” role (i.e., author) and permission (can add article – insert on articles, but not publish aka update the status).
Actually perhaps Paul @kiwicopple can help here to suggest the best way we might capture these “user roles” and map them (if needed) to policies … since we don’t necessarily need to use them:
Policies are a tool. In the case of “serverless/Jamstack” setups, they are especially effective because you don’t have to deploy any middleware at all.
What is supa-nice is that users are in a separate `auth` schema and perhaps one can store `UserRole` there and maybe map to a user and some underlying role/policies?
This also makes it harder for any user info to leak out via queries or GraphQL nested resolvers.
We’d have to make the `getCurrentUser` do a query per transaction (and maybe cache in context) to do a rawQuery to join in on the `auth` schema and User -> UserRole with the `sub` user id (Prisma can only query the `public` schema, not across schemas … which is another issue).
Any ideas @kiwicopple ? As I said, I am going to get into RBAC w/ RW and Supabase w/in the next week or two so would love to figure out a solid pattern and add to the RW Cookbook.
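As an added example (not from the post above or from the Redwood/Supabase projects), here is the app-layer mapping the post describes: since Prisma connects as `service_role` and RLS does nothing for it, a `getCurrentUser`-style function resolves the JWT `sub` to app roles and a deny-by-default permission check guards each service before it touches the database. The `USER_ROLES` table, the permission names and the token payloads are constructed sample data standing in for a real `UserRole` table and Supabase-issued tokens.

```javascript
// Constructed stand-in for a UserRole table keyed by the JWT `sub` claim
// (a real app would load this with Prisma or a raw query per request).
const USER_ROLES = {
  'user-uuid-1': ['author'],
  'user-uuid-2': ['author', 'editor'],
};

// Hypothetical app-level permission matrix: which role may do what on articles.
// An author can create but not publish (the post's "insert but not update status").
const PERMISSIONS = {
  author: new Set(['article:create', 'article:update-own']),
  editor: new Set(['article:create', 'article:update-own', 'article:publish']),
};

// Equivalent of Redwood's getCurrentUser: `decoded` is the already verified
// Supabase access token payload; only its `sub` (user id) is trusted for lookup.
function getCurrentUser(decoded, roleTable = USER_ROLES) {
  if (!decoded || typeof decoded.sub !== 'string') return null;
  const roles = roleTable[decoded.sub] ?? []; // unknown user => no roles
  return { id: decoded.sub, email: decoded.email, roles };
}

// Deny by default: the permission must be granted by at least one of the roles.
function hasPermission(currentUser, permission) {
  if (!currentUser) return false;
  return currentUser.roles.some((r) => PERMISSIONS[r]?.has(permission) === true);
}

// Guard to call at the top of a service/resolver before any Prisma call.
function requirePermission(currentUser, permission) {
  if (!hasPermission(currentUser, permission)) {
    throw new Error(`Forbidden: missing ${permission}`);
  }
}
```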