SupabaseS
Supabase2y ago
Daniel

How to use token in URL for Supabase Storage?

Hello!
I have a private bucket named profile-pictures
Inside this bucket are folders with the auth.uid() of the user
Inside each folder are images.

I want the SELECT access for images to be either if the user is authenticated, OR the auth.uid() of the folder matches a row in a table named public_profile

I have this RLS set up on my profile-pictures storage bucket.

2 RLS Policies:
First:
Target roles: authenticated
Using: (bucket_id = 'profile-pictures'::text)

This would mean that if you're authenticated, you can view everything inside profile-pictures

Second:
Target Roles: 
anon

Using: 
((bucket_id = 'profile-pictures'::text) AND ( SELECT (EXISTS ( SELECT 1
           FROM user_public_profile upp
          WHERE ((upp.user_id)::text = (storage.foldername(objects.name))[1]))) AS "exists"))


There are 2 issues:
Inside of user_public_profile I have a row where 
user_id
 is daecbccc-5689-4d06-8020-e2dbf722456f

But when calling
https://tsr.supabase.co/storage/v1/object/profile-pictures/daecbccc-5689-4d06-8020-e2dbf722456f/0.jpg

with the Anon Bearer token, I'm getting object_not_found.

The other question is, is it possible to have all this inside the URL instead of headers, similar to how the signedURL works?
Was this page helpful?