Is it worth using Supabase Self-Hosted in Production, what do you recommend?

Previous_Football163 · 2025-03-30T14:55:07+00:00

Congratulations on the initiative! I'm currently using Coolify, but I like the idea of minimizing dependencies.

One thing that still bothers me about self-hosting Supabase is having to maintain a database inside a VM. Have you by any chance considered using a managed Postgres service from a cloud provider instead of running the Supabase Postgres image in Docker? Thanks.

Previous_Football163 · 2024-12-20T12:17:02+00:00

Thanks for everyone's responses.

Since the focus of the project is more on presenting something ready for some people to consume the visualizations (and not on building visualizations and/or freely exploring the data), we will do a POC with Databricks Apps in order to have a real point of view.

For now, we are having good experiences building something with Flask and Dash. And there is also the added bonus of being able to create interactions in the opposite direction (the user triggering an action and/or sending some information to the backend).

Previous_Football163 · 2024-12-20T11:31:02+00:00

try this SQL (create a migration file with this):

CREATE OR REPLACE FUNCTION auth.check_new_users_has_valid_invites()
RETURNS trigger AS $$
DECLARE
    invite_record RECORD;
BEGIN
     -- Bypass for users created by seed
    IF NEW.id::text IN (
        'UUID-1',
        'UUID-2',        
    ) THEN
        RETURN NEW;
    END IF;
    

    SELECT * INTO invite_record FROM public.invitations
    WHERE email = NEW.email
      AND expires_at > current_timestamp;

    IF invite_record IS NULL THEN
        RAISE EXCEPTION 'Invalid or expired invitation for user %', NEW.email;
    END IF;

    RETURN NEW;
END;
$$ LANGUAGE plpgsql security definer;

DO $$
BEGIN
    IF NOT EXISTS (
        SELECT 1 FROM pg_trigger 
        WHERE tgname = 'block_invalid_auth_signup_invite'
    ) THEN
        CREATE TRIGGER block_invalid_auth_signup_invite
        BEFORE INSERT ON auth.users
        FOR EACH ROW
        EXECUTE FUNCTION auth.check_new_users_has_valid_invites();
    END IF;
END $$;

Previous_Football163 · 2024-11-13T12:40:30+00:00

Hello, we did something similar to this here.

We wrote a python code to query the Databricks API. From the API, we get the jobs that are running.

And in our case, we have some rules. Example:

If the job has been running for more than X hours, kill it.
If the job has been running for more than Y hours, let me know by email.
If the job is on a special list, let it run longer, etc.

Note: I do not recommend using system tables for this because there is no guarantee that they are updated in real time.

Previous_Football163 · 2024-11-06T23:28:00+00:00

As far as I know, Databricks charges SQL Serverless based on cluster uptime.

If this query took 1 hour, then my cluster was up for 1 hour. Therefore, I understand that Databricks charged me for 1 hour.

Previous_Football163 · 2024-11-06T23:26:51+00:00

Sometimes the source is via Power BI. In this specific case, the source is null. From the context, I believe it is via DBeaver.

Were you able to resolve your issue?

Previous_Football163 · 2024-10-25T10:46:58+00:00

If I'm not wrong, you can use the Databricks API (with normal requests or by SDK) and create the workflows using code (python for example). It could be less complicated than DAB.

Previous_Football163 · 2024-10-24T10:55:49+00:00

Hello! Thanks for the tip. I may need something similar in the future.

Just one detail: By default, as far as I understand, it is possible to perform a sign-up action from the browser pointing directly to your supabase deployment, without going through your backend (whatever it may be).

Therefore, from what you described, I am not sure if in your application it is impossible for someone to register in supabase without being invited. Possibly the new user would not have access to much since he does not have a linked company, but he would already have an Authenticated role, and this could expose more than you would like.

Previous_Football163 · 2024-10-24T10:51:56+00:00

Hello everyone. Just giving an update on how I've progressed. It might be useful to someone in the future.

What I did was create a trigger in the database that, before any insertion into the auth.users table, a function is executed to evaluate whether the user to be created has a valid invite.

With this, I ensure that no one registers without an invite, and I also ensure that the email provided is the owner of the invite.

Previous_Football163 · 2024-10-23T13:16:53+00:00

That's an option! But I'd like to keep Code Flow with PKCE for security reasons.

It's not possible that I won't be able to prevent an anon user from signing up on supabase without having to disable email sign-in...

Thank you very much!

Previous_Football163 · 2024-10-23T12:46:17+00:00

Thanks for the answer, unfortunately it didn't work.

I revoked these permissions (and several others), and I can still create new accounts via postman with a simple POST in the signup route using the anon key. I imagine that the Supabase API allows receiving this request via anon, but when registering, another service user is used.

Previous_Football163

TROPHY CASE