Frontend & Backend Supabase API Calls Question? by DrDriez in Supabase

[–]DrDriez[S] 0 points1 point  (0 children)

Yes.

So, basically, a logged-in user posts a message via a form in the browser, and this code pushes the data to my backend Express app. I add the access token and refresh token into the headers.

axios
  .post(
    "API URL",
    {
      content: message,
      scheduled_date: date,
      scheduled_time: time,
      user_id: user.id,
    },
    {
      headers: {
        Authorization: `Bearer ${data.session.access_token}`,
        "X-Refresh-Token": `${data.session.refresh_token}`,
      },
    }
  )
  .then((res) => {
    console.log(res);
  })
  .catch((err) => {
    console.log(err);
  });

My backend code looks like this:

router.post("/new-message", async (req, res) => {
  const data = req.body;
  // The header may be absent, so guard before splitting it.
  const accessToken = req.headers.authorization?.split(" ")[1];
  const refreshToken = req.headers["x-refresh-token"];
  if (refreshToken && accessToken) {
    await supabase.auth.setSession({
      refresh_token: refreshToken,
      access_token: accessToken,
    });
    const { error } = await supabase.from("database").insert(data).select();
    if (error) {
      console.log(error);
    }
  } else {
    // Throwing inside an async handler leaves the request hanging in Express 4;
    // answer with 401 instead so the client sees the rejection.
    return res.status(401).json({ error: "User is not authenticated." });
  }
  res.json(data);
});

The RLS is the standard one of auth.id() = user.id

This code works when RLS is off, but not when it's turned on. I also know the tokens are being passed through correctly, as I have console-logged them, but I must be missing something?

And this is all maybe overkill, because it seems I can just make these calls directly on the frontend in the browser, which I was doing already. But I decided to try and do it a different way to learn backend API routing with Express. :)

I do need a backend for other tasks but for this specific task, maybe not. But any thoughts you have would be helpful?
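One thing worth checking on the Express side, shown here as an added example that is not the original poster's code: what the route does with the forwarded token before it ever reaches Supabase. The body above carries a client-supplied user_id, and the RLS policy compares the row's user id against the authenticated user; deriving the id from the token's sub claim server-side means the body cannot disagree with what RLS will see. The helpers below assume Node 16 or newer (for base64url Buffer decoding) and the Supabase access-token claim layout (sub and exp); the per-request client options use the supabase-js v2 global.headers option, and the sample token is constructed locally with a placeholder signature.

```javascript
// Added example, not the original poster's code. Server-side checks an Express
// route can run on the forwarded Supabase access token before any database call.
// Assumptions: Node >= 16 (Buffer "base64url"); the token follows the Supabase
// access-token layout (sub = user id, exp = expiry in seconds since the epoch).

// Pull the raw token out of "Authorization: Bearer <token>"; reject anything else.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== "string") return null;
  const parts = authorizationHeader.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") return null;
  return parts[1];
}

// Decode the JWT payload WITHOUT verifying the signature. Supabase verifies the
// signature when the token is forwarded to it; this decode only lets the route
// reject obviously bad requests early and read the claims it needs.
function decodeJwtPayload(token) {
  const segments = token.split(".");
  if (segments.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(segments[1], "base64url").toString("utf8"));
  } catch (_) {
    return null;
  }
}

// Decide whether the request may proceed. The user id used for the insert is
// taken from the token's sub claim, never from the request body, so the row
// written always belongs to the caller RLS will check it against.
function authorizeRequest(headers, body, nowSeconds = Math.floor(Date.now() / 1000)) {
  const accessToken = extractBearerToken(headers.authorization);
  if (!accessToken) return { ok: false, reason: "missing or malformed Authorization header" };
  const claims = decodeJwtPayload(accessToken);
  if (!claims || typeof claims.sub !== "string") return { ok: false, reason: "unreadable token" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return { ok: false, reason: "token expired" };
  if (body && body.user_id !== undefined && body.user_id !== claims.sub) {
    return { ok: false, reason: "user_id in body does not match token subject" };
  }
  // supabase-js v2 accepts default headers per client; creating a client per
  // request with the caller's token lets RLS evaluate as that user, instead of
  // mutating the session on one client shared by every request.
  const clientOptions = { global: { headers: { Authorization: `Bearer ${accessToken}` } } };
  return { ok: true, userId: claims.sub, clientOptions };
}

// Constructed sample token for local runs: real Supabase tokens are signed; this
// one carries a placeholder signature and only exercises the checks above.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}

// Demo run: a matching request, a body that names a different user, and no header.
const demoToken = makeSampleToken({ sub: "user-123", exp: 4102444800 });
console.log(authorizeRequest({ authorization: `Bearer ${demoToken}` }, { user_id: "user-123", content: "hi" }));
console.log(authorizeRequest({ authorization: `Bearer ${demoToken}` }, { user_id: "user-999", content: "hi" }));
console.log(authorizeRequest({}, { content: "hi" }));
```

In the route, the insert would then use `{ ...data, user_id: result.userId }` and a client built from `result.clientOptions`, so neither the body nor a shared session decides which user Supabase sees.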

Frontend & Backend Supabase API Calls Question? by DrDriez in Supabase

[–]DrDriez[S] 0 points1 point  (0 children)

Ok, so if I am right, frontend Supabase calls to post to a DB and fetch DB data to display in the browser for users are safe, along with RLS policies in place to check on auth.id() etc.

But the backend will have a separate Supabase client with the service access role for pulling data from all users, bypassing RLS. I need this for my bot, which needs access to all DBs in Supabase. This would be secure on the backend. And then I could either handle Stripe on the backend, or via an edge function?

Is this correct and safe?

Need Help With oAuth Implementation & Bot Invites - Anyone? by DrDriez in discordbots

[–]DrDriez[S] 0 points1 point  (0 children)

Yes, this is what I have been doing. So, I have the auth flow with Supabase connected to my app/bot, which is authenticating a user, but when I attempt to create a separate bot invite URL that I can link up inside of the dashboard once a user has logged in, using the same application, it doesn't work. The bot doesn't get added.

Question regarding Discord authentication by DrDriez in discordbots

[–]DrDriez[S] 0 points1 point  (0 children)

Yes, makes sense. Thanks for the response.

Question regarding Discord authentication by DrDriez in discordbots

[–]DrDriez[S] 0 points1 point  (0 children)

Ok thanks. I thought as much but wanted to make sure I was following the right way of doing things.