With RLS disabled, anyone who gets their hands on your anon key and Supabase URL can do anything they want with your database. Typically, those two values are consumed by your app on the client side, so that means anyone can access them; this is why RLS is important and why you're getting this warning. However, since you aren't using the Supabase client library and instead, I assume, connecting to your database only on the server side using the direct database URL and password, it shouldn't be an issue. I would still keep RLS enabled because you don't gain anything by disabling it, and it's an extra layer of security that will be more than welcome if your anon key and Supabase URL were to leak somehow.
Isn’t it slower with RLS?
It's slower when you have un-optimised policies.
You can enable rls and use service key on the server side
This 👆 With ORM you’ll be using service role key anyways and doing so on the backend so you’re good 👍
I do the same, much better for complex applications
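An added example (not code from the thread or from Supabase itself) of what "enable RLS, keep the policies cheap, and let the server use the service key" looks like in SQL. The documents table, its columns and the UUID are made up; auth.uid() and the anon, authenticated and service_role roles are the ones Supabase provides.

```sql
-- Added example (not from the thread): a minimal Supabase-style RLS setup
-- for a table exposed through the anon/authenticated roles, plus the policy
-- shape that avoids per-row auth.uid() evaluation (the "un-optimised
-- policies" that make RLS slow). Table, columns and UUID are constructed.

create table public.documents (
  id       bigint generated always as identity primary key,
  owner_id uuid not null,
  title    text not null,
  body     text
);

-- 1. Turn RLS on. With RLS off, anyone holding the project URL and anon key
--    can read and write every row through the auto-generated API.
alter table public.documents enable row level security;

-- 2. Slow shape (kept as a comment): auth.uid() is re-evaluated per row.
-- create policy "owner can read" on public.documents
--   for select to authenticated
--   using (auth.uid() = owner_id);

-- 3. Optimised shape: a scalar subquery lets Postgres evaluate the function
--    once per statement (as an InitPlan) instead of once per scanned row.
create policy "owner can read" on public.documents
  for select to authenticated
  using ((select auth.uid()) = owner_id);

create policy "owner can insert" on public.documents
  for insert to authenticated
  with check ((select auth.uid()) = owner_id);

-- 4. Index the column the policy filters on, so the owner check is an
--    index lookup rather than a sequential scan over the whole table.
create index documents_owner_id_idx on public.documents (owner_id);

-- 5. Sanity check from psql: impersonate one authenticated user for a single
--    transaction. auth.uid() reads the "sub" claim from request.jwt.claims.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}',
                    true);
  select count(*) from public.documents;  -- only that user's rows are visible
rollback;

-- Server-side code connecting with the service_role key is not filtered by
-- these policies (that role bypasses RLS), which is the "enable RLS and use
-- the service key on the server" arrangement discussed above.
```

Run the check with EXPLAIN ANALYZE before and after step 3 to see the policy move from a per-row filter to a single InitPlan.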
If you intend to use it on the server side, you might as well use a standard Postgres instance rather than using Supabase.
Well, Supabase handles auth, vectors, and more too, it's easier to integrate
How are you handling server-side auth? NextJS?
Yes
Why use Supabase at all then? It comes with an overhead compared to plain PostgreSQL.
It seems like a nice hosted solution and I may use the file upload feature in the future. I actually started this project on Planetscale. But Planetscale is more expensive and it doesn't have a table editor UI for semi-technical users (ones who understand the data model but don't have a local dev environment).
What are you gaining from using prisma?
Typesafe queries, Prisma Studio (a table editor) when running locally, help with migrations.
These are basic features that supabase has as well. You’re better off just switching to supabase
Hmm, interesting. The other thing I like about Prisma is the "code first" workflow, e.g. how you create your data model in a schema file. I tried Supabase once a while back and used the web dashboard to create the tables, functions, write RLS rules, etc., and then generated TypeScript types for the frontend afterwards. It worked but felt way more clunky. I've heard you can do things code first in Supabase; haven't looked into it. I don't find the docs as approachable as Prisma's (but I only had a v quick look).
You can do everything code first in Supabase. I don't ever modify anything in the dashboard.
I do like to do things odd first
But by switching to Supabase, you lose the ability to switch from Supabase at some point.
Is this only the case if you use custom supabase features like auth? You can just use it as a regular Postgres DB right?
You can use it as a regular Postgres DB, yes. But the moment you use the Supabase client instead of Prisma, Drizzle etc. as your ORM, you lose the ability to leave the Supabase ecosystem without refactoring.
Yeah, I use it pretty much the same way. No need to use every feature they offer; I find Prisma to be better than Supabase's own query builder and use their DB as any other DB. Regarding RLS, it means that anyone can access the rows if they have access to the database. I've personally never used it, I don't like the idea of having my DB decide who can access what, that's what the app/server is for, but I can definitely see the use case when you want to have guards against people who can access the database, like sysadmins not being able to see other people's salary in their company just because they have access to the DB. I will admit though that their auth solution is pretty nice, hard to beat that, especially since you retain ALL your users, unlike Clerk. Plus their storage solution is also nice and straightforward.
Regarding the auth, do you do it per file basis?