S
Supabase8mo ago
KinsonDigital

Getting data with wrong anon key

I am having some issues understanding the anon key and it's role. I thought that it was a way to identify which project you are connecting to. With this in mind, this is a separate thing then authentication and the anon key is not used to protect your data. But, if the anon key is a way to identify which project your data is coming from, why is it that when I use the wrong anon key, it lets me authenticate and get data from that project anyways? I tested this out with the local running instance of supabase and even though the anon key is off, I can still get data from a table. What is the point of the anon key at this point? Here is the deno script I created to demonstrate what I am talking about: 
import { createClient, SupabaseClient } from "jsr:@supabase/supabase-js";
import { Database } from "./database.types.ts";


const url = "http://127.0.0.1:54321"; // Local supabase instance
const key = "wrong-anon-key";

const client = createClient<SupabaseClient<Database, "public">>(url, key);

const { error: signInError } = await client.auth.signInWithPassword({
    email: "bugs-bunny@gmail.com",
    password: "password"
});

if (signInError) {
    console.error(signInError);
    Deno.exit();
}

const { data, error } = await client.from("student").select("*");

if (error) {
    console.error(error);
    Deno.exit();
}

// This returns data.  ????
console.log(data);
import { createClient, SupabaseClient } from "jsr:@supabase/supabase-js";
import { Database } from "./database.types.ts";


const url = "http://127.0.0.1:54321"; // Local supabase instance
const key = "wrong-anon-key";

const client = createClient<SupabaseClient<Database, "public">>(url, key);

const { error: signInError } = await client.auth.signInWithPassword({
    email: "bugs-bunny@gmail.com",
    password: "password"
});

if (signInError) {
    console.error(signInError);
    Deno.exit();
}

const { data, error } = await client.from("student").select("*");

if (error) {
    console.error(error);
    Deno.exit();
}

// This returns data.  ????
console.log(data);
The RLS policy I have on the student table is: 
alter policy "Enable read access for authenticated users only"
on "public"."student"
to authenticated
using (
  true
);
alter policy "Enable read access for authenticated users only"
on "public"."student"
to authenticated
using (
  true
);
3 Replies
silentworks
silentworks8mo ago
Let me test this out and get back to you. I've tested this and I got the same result as you. My assumption is that the anon key is just that an anon key, it is not used to identify the project but used as a non authenticated user for the project. The reason why the above would work is that you are signed in as an authenticated user and the token from that user would be used for subsequent requests. If you should change your SELECT RLS policy from authenticated to anon you will notice that when you try to read from the students table you now get a empty array, if you go further and remove the .signInWithPassword call you will notice you now get an error because the anon key is formatted incorrectly and even if it was formatted correctly and doesn't belong to this project it will result in an error JWSError JWSInvalidSignature. I'm talking with someone from the Supabase team now to see if my assumption above is correct. Ok after chatting with someone from the Supabase team we setup a test again with a hosted instance instead and it doesn't work with an invalid anon key. You would get a invalid API key error if you tried it there. I think things are a bit more relaxed on the local setup as that environment is only meant for local use. So my assumption above is incorrect and anon key is also used as an identifier for the project.
silentworks
silentworks8mo ago
Here is a video showing this at work.
KinsonDigital
KinsonDigitalOP8mo ago
Interesting. Everything you have said is lining up with any research and testing I have done. One thing that I have not done though, is try this with an anon key that is not a local instance to see if I get an error. Cloud supabase projects with invalid anon keys do indeed matter more to me then the local instance. Either way, I still would expect a local instance to throw an error when the anon key is invalid. I will try this out tomorrow and if I do get an error, then that will work fine for me. Thanks for the response and research/confirmation!! Greatly apprecaited!!

Did you find this page helpful?