Getting data with wrong anon key

I am having some issues understanding the anon key and its role.

I thought that it was a way to identify which project you are connecting to. With this in mind,
this is a separate thing than authentication and the anon key is not used to protect your data.

But, if the anon key is a way to identify which project your data is coming from, why is it that
when I use the wrong anon key, it lets me authenticate and get data from that project anyways?

I tested this out with the local running instance of Supabase and even though the anon key is off,
I can still get data from a table. What is the point of the anon key at this point?

Here is the Deno script I created to demonstrate what I am talking about:

```ts
import { createClient } from "jsr:@supabase/supabase-js";
import type { Database } from "./database.types.ts";

const url = "http://127.0.0.1:54321"; // Local supabase instance
const key = "wrong-anon-key"; // Deliberately not the project's anon key

// createClient takes the generated Database type as its generic parameter
const client = createClient<Database>(url, key);

const { error: signInError } = await client.auth.signInWithPassword({
    email: "bugs-bunny@gmail.com",
    password: "password"
});

if (signInError) {
    console.error(signInError);
    Deno.exit(1); // non-zero exit code on failure
}

// Query issued after sign-in, so the client sends the user's session token
const { data, error } = await client.from("student").select("*");

if (error) {
    console.error(error);
    Deno.exit(1);
}

// This returns data.  ????
console.log(data);
```


The RLS policy I have on the student table is:
```sql
alter policy "Enable read access for authenticated users only"
on "public"."student"
to authenticated
using (
  true
);
```
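
The policy above names the Postgres role `authenticated`, so which rows come back depends on the database role a request runs as. The following is an added example, not part of the original post, that checks this directly in SQL on a scratch table. It assumes a psql session on the local Supabase database, the standard Supabase roles `anon` and `authenticated`, and a session user that is allowed to `set role` to both; the table name `rls_demo_student` and its row are constructed.

```sql
-- Added example: everything runs in one transaction and is rolled back at the end.
begin;

-- Constructed scratch table standing in for public.student
create table public.rls_demo_student (id int primary key, name text);
insert into public.rls_demo_student values (1, 'constructed row');

-- Without this, policies on the table are not enforced at all
alter table public.rls_demo_student enable row level security;

-- Same shape as the policy in the post: read access for "authenticated" only
create policy "Enable read access for authenticated users only"
on public.rls_demo_student
for select
to authenticated
using (true);

-- Table privileges are checked before RLS, so both roles get SELECT here
grant select on public.rls_demo_student to anon, authenticated;

-- Check 1: is RLS enabled, and which roles does each policy name?
select c.relrowsecurity as rls_enabled, p.policyname, p.cmd, p.roles
from pg_class c
left join pg_policies p
  on p.schemaname = 'public' and p.tablename = c.relname
where c.oid = 'public.rls_demo_student'::regclass;

-- Check 2: row visibility when the query runs as the anon role
set local role anon;
select count(*) as rows_visible_to_anon from public.rls_demo_student;
reset role;

-- Check 3: row visibility when the query runs as the authenticated role
set local role authenticated;
select count(*) as rows_visible_to_authenticated from public.rls_demo_student;
reset role;

rollback;
```

Running Check 1 against `public.student` itself (replace the table name in the `regclass` cast) shows whether row level security is actually enabled on the real table.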