Supabase + NextJS authorisation without RLS
TL;DR: A bit overwhelmed with having to learn RLS and was hoping to find an alternative Supabase + NextJS example of how an authenticated user can access only things they are authorised to in a DB
-----
Firstly, I realise there are probably some fundamental things I'm not understanding about the way things work, so apologies for the dumb questions and being all over the place.
I come from a frontend background and can see the power of RLS but there's a lot to learn so I'm getting overwhelmed with having to learn RLS policies on top of everything else. I was hoping to see if there was an alternative approach to make an app that has the same functionality as the NextJS quick start (i.e. limit what users are authorised to make changes to), but without the RLS policies aspect.
I don't necessarily need code examples, but was just after some direction on how I should modify the project in the quick start tutorial in order to achieve the same result.
Was thinking something along the lines of having an API route which interacts with the DB. As the JWT contains the user id, this would be enough for me to determine what the user is authorised to do (I feel like I'm okay with this part). Do I just send this token as an auth header when calling the API route? Or is this already handled with some of the Supabase libs?
If taking this approach, would I also need to verify the token against my JWT secret and check whether the token is expired? (My thinking: if an expired token is posted to the API and I haven't programmed in these checks, then the API function will proceed with grabbing the user id and performing the DB transaction even if the token is expired.)