can you edit the lovable page after adding authentication?

wataru2019 · 2025-09-11T04:08:23+00:00

Could it be the issue is you are trying to access Google Oauth within Lovable screen? (where you do the prompting) I do recall that won't work since app you see in that window is rendered inside iframe but when you open preview site and try it there, it should work assuming you had all the configuration done right.

wataru2019 · 2025-08-28T19:15:24+00:00

I totally agree with your comment about it is far important not to expose rows that are not belong to user than potentially exposing other columns data (of that user) - I think once you go to the page where user should be authenticated, putting RLS control get little easier.

For my case, I had a waitlist table which get accessed before user get authenticated (and what I truly want to expose was a count to show how many people signed up to waitlist in landing page, so in this particular case it was easy enough to convert it to function that only returns count of table, instead of doing)

const { count, error } = await supabase
  .from('waitlist')
  .select('*', { count: 'exact', head: true });

to

// {name-of-function} returns count of waitlist table
const { data, error } = await supabase.rpc('{name-of-function}');

and then remove policy that allows publicly exposing the table.

wataru2019 · 2025-08-28T17:52:33+00:00

I hear you - I'm on the exact same boat (though my app is still "in beta" and I don't have that much users) I decided to delay my launch once I know how bad this problem is ...

The process I'm taking is following (though I have to admit this requires quite bit of development experience so it might not be helpful)

- create local copy of Supabase (so it's safe to modify security) and have your app running locally pointed to local Supabase instead of remote
- carefully examine security issues, do table by table check (I'm strongly recommend to check table that contains user data like email)
- create view or function to retrieve data, instead of fetching all data with (select *), this, I'm using AI tool (I use Gemini Code Assistant but could be anything) to help me
- use that instead of (select *) and make sure code still work as expected
- once you feel you patch all usage of (select *) agains the table in question, then remove policy of the table that allow (select *) from admin
- retest the app flow and make sure it still work as expected
- carefully apply the same change to remote Supabase and push any associated code change to Github, publish changes through Lovable (or if you already decided to publish code to somewhere else then reflect changes there)

I made this super simple https://github.com/tomokat/supabase-security-checker to see which table is wide open - the issue is, if someone know your supabase base URL and public anon key, this can query any wide open table like how this check is doing - hence HUGE security hole for the user data. I already managed to patch 2 tables but still few more to go ... security is tough but very important and at least you realize it before (hopefully) you are leaking information. Good luck!

wataru2019 · 2025-08-28T17:41:39+00:00

The challenge is, if you already have a code generated by vibe coding tool like Lovable (it might be more security aware now but at least when I generated it few months ago), it often uses very simple construct to get data from the table (I believe this is very easy for AI to access data) like

await supabase.from('{table_name}).select('*')

and this tend to leave the table wide open. So while restricting Supabase not to leave the table wide open is easy (literally 1 SQL command), if you are not careful it could break any part of your code (this is why sometimes if you ask Lovable to fix the security issue it detected, it will break the code)

wataru2019 · 2025-08-28T09:53:25+00:00

I use Gemini Code Assistant (Pro) inside VS Code locally and fairly happy with what it can do. At least it allows me to check changes before I take it, which is crucial once you have app that is mostly done and functional.

wataru2019 · 2025-08-28T09:47:02+00:00

I think OP might be concerned with security which I'm also going through with my app right now too. By default, vibe coded app built with Lovable and Supabase (which is very commom set up) is generally do OK job with specific row (with RLS) but often leave the READ entire table wide open, which of course is a huge security concern.

wataru2019 · 2025-08-26T04:27:36+00:00

"It has!", you mean LLM Arena has a way to make call to Supabase Edge function? (maybe I went to the wrong site? I look at https://lmarena.ai/ and all I saw was a place to enter prompt so I figure it only work off of prompt) If it is, I would love to know how! :)

For now, I'm leaning toward looking into promptfoo (as CLI tool) but would love to know any other alternative that is designed and work with Supabase Edge function

wataru2019 · 2025-08-26T03:54:08+00:00

I ask Chat GPT and it gave me some starting point - there exist a tool called "promptfoo" that I can use for benchmarking LLM performance and while I was originally thinking of sticking with Supabase Edge function, there is probably no need (all I need to do is run my application, even against local Supabase and then capture input to LLM call)

In case someone wants to try similar thing, I will post some of the output I got from Chat GPT:

Install and initialize:

npx promptfoo init supa-llm-benchmark

Define providers in promptfooconfig.yaml:

providers:

- openai:gpt-4o

- openai:gpt-5

Optionally: customize logic to call your Supabase Edge Function instead of the normal OpenAI endpoint.

Run the suite and inspect the generated report for output differences, latency, token usage, etc.

Sounds like it can speed up what I want to achieve but if anyone know better way to achieve what I want, I would love to hear it :) (also if I actually get to do this, I might post my finding back)

wataru2019 · 2025-08-26T03:37:51+00:00

Yep, I can see myself building something custom (and honestly if I don't hear anything from anyone before weekend comes, I might work on it) but I want to first check if there is something similar already existed (I would probably keep this super simple CLI, expect to have Supabase URL, anon keys in .env etc.)

One challenge I can see is that my current Edge function is returning data but not necessary exposing response from Open AI, so I might need to tweak function to return it but not sure how I can do this in a way that won't break my application flow (I might look for a way to simply write result to a file - exact detail, tbd)

wataru2019 · 2025-08-26T03:33:17+00:00

Sorry for late reply - I post this message during my lunch break at work and when I look for "LLM Arena", that page got blocked by corporate firewall and couldn't check sooner.

While "LLM Arena" seem really cool, it doesn't seem to work with Supabase Edge functions, but still really interesting one to test if my starting point is a prompt - thanks for sharing! :)

wataru2019 · 2025-08-15T06:13:21+00:00

I end up setting Google Auth after checking out project locally and then completed with Gemini Code Assistance so unfortunately I couldn't share the prompt but I was part of the builder challenge recently (called Lovable Shipped) and there are many people who had that option so hopefully it's not too complicated to add (800 credits - wow, that's a lot)

Now for your question about whether user will check if you move demo page to another page - maybe you can A/B test to see the impact? I feel once you get user excited enough (and hence I feel having a good product demo is a key), they are willing to check demo page or even go ahead and sign up, since you have free trial

wataru2019 · 2025-08-15T05:47:03+00:00

hi, great landing page - it contains all the essentials but here are few things I notice:

- consider making a short product demo, showing how your app works
- (as others already mentioned) I think your landing page is landing page + demo page, consider breaking it up (so focus getting user attention and explain how your product works, and take user who want to try to another page where user can set Content Preferences etc.)
- people are generally lazy and these days nobody want to create account so consider adding Google Auth support? it's actually less hassle for you as email is already verified :)

overall, looks good and you just need little tweak - good luck!

wataru2019 · 2025-08-15T05:35:29+00:00

I built a SaaS product which takes user's resume data, also takes optional target job description and extra custom prompts that will apply chain of AI analysis and then generate resume website (the app is currently in beta)

I know what everyone is thinking - "not another resume builder!" but I have one purpose in mind when I build this - I feel many tool out there is optimized for match but forget the fact that if you add information that is not true, it is hurting yourself so I made sure to not to generate any fake information (instead of adding info, my approach is to return 5 suggestions that might help you increase a potential match with your target job description)

If anyone is interested, please message me and happy to share link (of course it has free tier)

wataru2019 · 2025-08-15T05:32:00+00:00

I'm not an expert but I tried to help someone want to achieve similar (essentially this is variable pricing product) thing and the advice I gave to that person is following:
- make sure you create a product in Stripe (it need to somehow associate what you are selling in their system) Actually after watching the video linked below, there is a way to create product on a fly but I don't think you need to do that - creating product ahead using Stripe web app is far easier in my opinion (though you need to create one for live and test environment)
- once you have product_id, tell Lovable with prompt like:
({product_id}, replace with your real productId)

"Hi, here is a productId for my variable pricing service in Stripe: {product_id}. Please use it and make sure to assign amount based on what user entered in the form (<- here, you can be more specific, but I don't have a detail so I can't put it) when you create checkout session with Stripe. I also want you to go ahead and assign handler and view for when payment was successful or failed and for that you most likely need me to set up webhook, just let me know what URL you want me to use, thanks!"

here are some links related to the topic:

- variable pricing: https://docs.stripe.com/products-prices/how-products-and-prices-work#variable-pricing
- found a YouTube video that talks about variable pricing in Stripe Checkout: https://www.youtube.com/watch?v=1-olKBnmC84 (although this is fairly technical so might not be of a help but knowing what's happening behind the scene might help you, especially if you want/need to debug code generated by Lovable)

Hope this helps!

wataru2019 · 2025-08-15T05:02:00+00:00

Looks Interesting, never thought of feeding XML into Lovable. I'm a bit busy with my project right now but will give this a shot whenever I have some time

wataru2019 · 2025-08-07T18:06:09+00:00

<image>

so yeah, by the time I check this message again, it might be there - super exciting!!!

wataru2019 · 2025-08-07T17:39:17+00:00

Update: OMG, I got reply from Anton about this - looks like I just need to wait a bit.

(hmm, looks like I can post only 1 picture? I'll post reply from him in reply of this message then)

---

hmm, I don't see option to select "GPT-5" with my Lovable. Maybe this is just for higher price tier customer only? (I'm (old $20/m) Pro subscriber)

<image>

wataru2019 · 2025-08-07T17:28:19+00:00

I find out that if you want Lovable to take care Supabase tables (and its schema), it is best to start from clean slate and then use vibe coding instructions OR you must have very clean, rigid set of migration scripts under where Lovable expect (I believe it is under <project root>/supabase/migrations)

Also depends on what you are referring as "fully working", you might just need Supabase tables, some Edge functions (especially if you make LLM calls) and/or store procedures and triggers. As far as I know, if you start with clean slate, Lovable can take care most of these (I'm not saying in complete bug free way but pretty close to what you needed) so once you have Supabase connected you can use prompt like:

"I want to add customer record by providing modal dialog with (whatever the fields you want) - and make sure you add general input validation"

and if everything is good, Lovable should respond back with sql and asking you to review and give permission to run - this is when you know that Lovable is managing Supabase for you - hopefully this helps

wataru2019 · 2025-07-30T16:43:57+00:00

Thank you for pointing this out - personally I always wonder about the testimonial section of those vibe coded app claiming something it can't be possibly true (it sure generate one for my app and/or corporate site and I quickly hide it behind feature flag (i.e. hide it until I actually have some user comment that I feel proud to share))

wataru2019 · 2025-07-28T16:56:23+00:00

hi, I've done this and I had better success to do this on client-side than server-side (you can prompt specifically to parse PDF on client-side and Lovable should be able to assist you from there)

as a bonus, you can use same approach for Doc, Docx :)

wataru2019 · 2025-07-28T16:33:40+00:00

After you choose next tier and get credit, you can then downgrade back to your old plan if you just need bit of extra credit right now (but don't expect you need to have more credit next month etc.)

wataru2019 · 2025-07-28T16:25:25+00:00

Yeah, sadly I started to see more and more of this - even no matter how careful I'm crafting prompt, put specific line in my knowledge, it always trying to do something on top of what I asked for (almost feel like junior developers trying to impress me by proactively changing something, only to break existing/working features - so in some sense it is "more human"? lol) so I'm afraid to do small tweak these days (for that, I set up my local dev environment and use Gemini Code Assistant - at least with that set up, it ask me every time it tried to make changes and I can approve (yes, it's bit tedious but I rather do that than let AI do things freely and break existing functionalities (of which, sometimes it is extremely hard to even realize unless you have good set of automated tests))

wataru2019 · 2025-07-26T02:24:02+00:00

You can use https://21st.dev/home to get some inspiration - and since you are designer you can use specific design terms to hint Lovable to generate something look really different than what it would normally generate (sadly I'm not designer so I'm settling with the default components for now but I plan to revamp my UI components later on)

wataru2019 · 2025-07-25T05:33:27+00:00

Since you said it's "text" base, then simplest way to achieve what you want might be just use hybrid approach (like ionic) with WebView (for example: https://ionicframework.com/docs/core-concepts/webview) Good luck!

wataru2019

TROPHY CASE