Sleetza
Sleetza13mo ago

How to run RLS with Supabase?

Hey guys, I made a web app with FlutterFlow, Supabase and BuildShip. I have RLS enabled and made policies to only allow authorized users to select, insert and update rows. My plan was to use the service_key role API key in my BuildShip Supabase nodes to bypass RLS. But that does not work. I found this on GitHub: https://github.com/orgs/supabase/discussions/15860 What packages is BuildShip using by default? It's not in the docs. Can it be that it uses auth-helpers/ssr? If so, how would you recommend I grant my backend access to Supabase DB with RLS enabled?
GitHub
Performing administration tasks on the server side with the service...
By default, the auth-helpers/ssr do not permit the use of the service_role secret. This restriction is in place to prevent the accidental exposure of your service_role secret to the public. Since t...
11 Replies
Solution
Sleetza
Sleetza13mo ago
I changed the nodes to 'with token' equivalents, now they work.
vadym
vadym13mo ago
@Sleetza I'm having the same use case, and can't figure it out. If you want to use the service_role Supabase key, what do you use as the API key and as the Token in the BuildShip node?
Sleetza
SleetzaOP13mo ago
In your Supabase API section there is a separate API key for the service role. I use the token that I grab from my FF frontend via API (bearer token).
vadym
vadym13mo ago
Can you please share a screenshot of where you get this Bearer token? And I wonder, shouldn't it have an expiration period (something like a few hours or days)? @Sleetza, sorry if I look too pushy. I'm really looking forward to finding a solution for my issue, and will appreciate your input a lot 🙏
Gaurav Chadha
Gaurav Chadha13mo ago
Integrate Supabase DB with BuildShip – BuildShip
A unified resource to start building your backend with low-code. Dive into triggers, nodes, and step-by-step guidance to jumpstart your workflow creation.
vadym
vadym13mo ago
@Gaurav Chadha, unfortunately in this article there is no information on how to get the Bearer Token if BuildShip is triggered from Supabase. And if I am using a node without Token, then I cannot overcome RLS.
Sleetza
SleetzaOP13mo ago
Maybe try the Supabase discord
Janis
Janis11mo ago
Did you ever find a solution for this?
pmanning
pmanning4w ago
The issue is that your node code is only sending the apikey header and not the Authorization header. Supabase expects the service_role key to be passed as a Bearer token in the Authorization header so that it can bypass RLS. In BuildShip, enter the Node Logic of the node in question and update the headers section to read:
const headers = {
  apikey: apiKey,
  // Next line has been added so Supabase RLS will be bypassed when a service_role key is used
  Authorization: `Bearer ${apiKey}`,
  "Content-Type": "application/json",
  Prefer: "return=representation",
};
AI Support
AI Support4w ago
AI Response
To set up the Authorization header for a Supabase API call, you must include the service_role API key as a Bearer token in the Authorization header. Here is how you can configure the headers in your node's logic in BuildShip to ensure that the Supabase Row-Level Security (RLS) is bypassed when using the service_role key:
- Update the node's logic to include the following headers:
const headers = {
apikey: apiKey,
Authorization: `Bearer ${apiKey}`,
"Content-Type": "application/json",
Prefer: "return=representation",
};
This configuration will properly pass the service_role API key in the Authorization header, allowing Supabase to recognize it as a Bearer token, which is necessary to bypass RLS. For more information and step-by-step guidance, you might want to look at the BuildShip documentation related to setting headers and handling Supabase integrations.
BuildShip AI Support
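The two header setups discussed in this thread, side by side, as an added example that is not BuildShip's node code or any poster's: a user-token request that stays subject to RLS and a service_role request that bypasses it, with a check that refuses to send the wrong key for the chosen mode. It assumes legacy JWT-format Supabase API keys (payload `role` claim of `anon` or `service_role`) and that the user mode pairs the anon key with the caller's access token; `keyRole`, `buildSupabaseHeaders`, `fakeJwt` and the sample tokens are hypothetical names and constructed values.

```javascript
// Added example (not BuildShip's node code). Assumes legacy JWT-format Supabase
// API keys, whose payload carries a "role" claim ("anon" or "service_role").

// Read the role claim from a JWT payload without verifying the signature.
// Only used to catch a wrong key before sending, never as an authorization check.
function keyRole(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// mode "user": anon key + the caller's access token -> RLS policies apply.
// mode "service": service_role key in both headers -> RLS is bypassed.
function buildSupabaseHeaders({ mode, apiKey, userToken }) {
  const role = keyRole(apiKey);
  let bearer;
  if (mode === "user") {
    if (role === "service_role") throw new Error("service_role key passed to an RLS-enforced call");
    if (!userToken) throw new Error("user mode needs the caller's access token");
    bearer = userToken;
  } else if (mode === "service") {
    if (role !== "service_role") throw new Error("service mode needs the service_role key");
    bearer = apiKey;
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }
  return {
    apikey: apiKey,
    Authorization: `Bearer ${bearer}`,
    "Content-Type": "application/json",
    Prefer: "return=representation",
  };
}

// Constructed, unsigned sample tokens; real keys come from the project's API settings.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.sig`;
}
const ANON_KEY = fakeJwt({ role: "anon" });
const SERVICE_KEY = fakeJwt({ role: "service_role" });
const USER_TOKEN = fakeJwt({ role: "authenticated", sub: "user-123" });
```

Because the service mode skips every RLS policy, that key belongs only in server-side node configuration, never in the FlutterFlow client.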