auth-helpers - can't get RLS to work from Sveltekit endpoint

I'm having a problem with the RLS for my sveltekit app from the node endpoints
It works perfectly with client-side JS, but fails when I use the new auth-helpers approach from the endpoints
I'm following the

sveltekit-magic-link

sveltekit-magic-link

sveltekit-magic-link

sveltekit-magic-link example

My query looks like this

export const POST = async ({ request, locals }: RequestEvent) =>
  withApiAuth({ user: locals.user }, async () => {
    const data = await request.formData();
    const title = data.get('title') as string;
    supabaseServerClient(request).from('projects').insert([{ title }]);
    return {
      body: { user: locals.user }
    };
  });

export const POST = async ({ request, locals }: RequestEvent) =>
  withApiAuth({ user: locals.user }, async () => {
    const data = await request.formData();
    const title = data.get('title') as string;
    supabaseServerClient(request).from('projects').insert([{ title }]);
    return {
      body: { user: locals.user }
    };
  });

export const POST = async ({ request, locals }: RequestEvent) =>
  withApiAuth({ user: locals.user }, async () => {
    const data = await request.formData();
    const title = data.get('title') as string;
    supabaseServerClient(request).from('projects').insert([{ title }]);
    return {
      body: { user: locals.user }
    };
  });

export const POST = async ({ request, locals }: RequestEvent) =>
  withApiAuth({ user: locals.user }, async () => {
    const data = await request.formData();
    const title = data.get('title') as string;
    supabaseServerClient(request).from('projects').insert([{ title }]);
    return {
      body: { user: locals.user }
    };
  });

I get a 403 back from the endpoint with error

{
  ...
  message: 'new row violates row-level security policy for table "projects"',
  ...
}

{
  ...
  message: 'new row violates row-level security policy for table "projects"',
  ...
}

{
  ...
  message: 'new row violates row-level security policy for table "projects"',
  ...
}

{
  ...
  message: 'new row violates row-level security policy for table "projects"',
  ...
}

I print out locals.user just before the call and it is authenticated.
I can't find any API documentation on the auth-helpers project, just the example in the README and the examples folder.
But I'm guessing the withApiAuth({ user: locals.user }, ... ) call is setting the user from there, so don't know why my RLS isn't working
there is a note in the user object

  'supabase-auth-helpers-note': 'This user payload is retrieved from the cached JWT and might be stale. If you need up to date user data, please call the getUser method in a server-side context!',

  'supabase-auth-helpers-note': 'This user payload is retrieved from the cached JWT and might be stale. If you need up to date user data, please call the getUser method in a server-side context!',

  'supabase-auth-helpers-note': 'This user payload is retrieved from the cached JWT and might be stale. If you need up to date user data, please call the getUser method in a server-side context!',

  'supabase-auth-helpers-note': 'This user payload is retrieved from the cached JWT and might be stale. If you need up to date user data, please call the getUser method in a server-side context!',

but none of the examples do that ... they just use locals.user.

So I tried

getUser

getUser

getUser

getUser ... it returns an authenticated user and all looks good, but I still get the same RLS error.

Any ideas?

auth-helpers - can't get RLS to work from Sveltekit endpoint

Similar Threads

Similar Threads

Similar Threads