RLS violation when attempting to upload to storage on astro api endpoint

Relevant Packages:

"@supabase/supabase-js": "^2.50.2",
"astro": "^5.10.1",
"@astrojs/react": "^4.3.0",
"react": "^19.1.0"

Hi all! I'm having an issue when I am trying to upload some files to supabase via an astro endpoint that's being called with

fetch

fetch

in my react component

I'm using anonymous sign in and i am passing the access token in the as an auth bearer as follows. The form data in this case is an array of images

const res = await fetch('/api/photos', {
                method: 'POST',
                headers: {
                    Authorization: `Bearer ${accessToken}`,
                },
                body: formData,
            })

const res = await fetch('/api/photos', {
                method: 'POST',
                headers: {
                    Authorization: `Bearer ${accessToken}`,
                },
                body: formData,
            })

const res = await fetch('/api/photos', {
                method: 'POST',
                headers: {
                    Authorization: `Bearer ${accessToken}`,
                },
                body: formData,
            })

const res = await fetch('/api/photos', {
                method: 'POST',
                headers: {
                    Authorization: `Bearer ${accessToken}`,
                },
                body: formData,
            })

in my

api/photos

api/photos

api/photos

api/photos endpoint, i am attempting to do the following

const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

// some additional checks here....

for (let file of files) {
        if (file instanceof File) {
            // Create a unique file path, e.g., using user ID and timestamp
            const filePath = `${user.id}/${Date.now()}-${file.name}`
            const { error } = await supabase.storage.from('photos').upload(filePath, file, {
                cacheControl: '3600',
                upsert: false,
            })

            console.log(error)
            if (error)
                return new Response(
                    JSON.stringify({
                        error: 'Something went wrong with picture upload',
                    }),
                    { status: 500 }
                )
        } else {
            return new Response(
                JSON.stringify({ error: `file upload failed for user-${user.id}/${Date.now()}` }),
                { status: 500 }
            )
        }
    }

const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

// some additional checks here....

for (let file of files) {
        if (file instanceof File) {
            // Create a unique file path, e.g., using user ID and timestamp
            const filePath = `${user.id}/${Date.now()}-${file.name}`
            const { error } = await supabase.storage.from('photos').upload(filePath, file, {
                cacheControl: '3600',
                upsert: false,
            })

            console.log(error)
            if (error)
                return new Response(
                    JSON.stringify({
                        error: 'Something went wrong with picture upload',
                    }),
                    { status: 500 }
                )
        } else {
            return new Response(
                JSON.stringify({ error: `file upload failed for user-${user.id}/${Date.now()}` }),
                { status: 500 }
            )
        }
    }

const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

// some additional checks here....

for (let file of files) {
        if (file instanceof File) {
            // Create a unique file path, e.g., using user ID and timestamp
            const filePath = `${user.id}/${Date.now()}-${file.name}`
            const { error } = await supabase.storage.from('photos').upload(filePath, file, {
                cacheControl: '3600',
                upsert: false,
            })

            console.log(error)
            if (error)
                return new Response(
                    JSON.stringify({
                        error: 'Something went wrong with picture upload',
                    }),
                    { status: 500 }
                )
        } else {
            return new Response(
                JSON.stringify({ error: `file upload failed for user-${user.id}/${Date.now()}` }),
                { status: 500 }
            )
        }
    }

const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

// some additional checks here....

for (let file of files) {
        if (file instanceof File) {
            // Create a unique file path, e.g., using user ID and timestamp
            const filePath = `${user.id}/${Date.now()}-${file.name}`
            const { error } = await supabase.storage.from('photos').upload(filePath, file, {
                cacheControl: '3600',
                upsert: false,
            })

            console.log(error)
            if (error)
                return new Response(
                    JSON.stringify({
                        error: 'Something went wrong with picture upload',
                    }),
                    { status: 500 }
                )
        } else {
            return new Response(
                JSON.stringify({ error: `file upload failed for user-${user.id}/${Date.now()}` }),
                { status: 500 }
            )
        }
    }

Checking the user, the user is authenticated as expected but i am getting a status code "403" "new row violates row-level security policy" error. I am not sure what is happeing. Any help would be great!

JoeceOP•7/8/25, 5:30 PM

What I have tried

Perform upload client side in my react component - this works fine, implying that my RLS rules are correct (I will post them below if needed but it's just the basic allow authenticatedauthenticated to SELECT, INSERT, DELETE, UPDATE)
However, I do not want to do this client side as I am planning to do some additional post processing to my images before upload
I have checked my URL config and it seems to be fine (see screenshot)

JoeceOP•7/8/25, 5:31 PM

I have checked if the user is authenticated and according to this, they are. Unless I am not understanding something with how
```
getUser
```
```
getUser
```
and
```
storage
```
```
storage
```
interact

JoeceOP•7/8/25, 5:33 PM

And, here is how I am accessing the access token from the request header - let me know if you need anymore info from me!

const authHeader = request.headers.get('authorization')
    const accessToken = authHeader?.split(' ')[1] // Extract the token after 'Bearer'

    if (!accessToken) {
        console.log({ error: 'No access token provided' })
        return new Response(JSON.stringify({ error: 'No access token provided' }), { status: 401 })
    }
    const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

const authHeader = request.headers.get('authorization')
    const accessToken = authHeader?.split(' ')[1] // Extract the token after 'Bearer'

    if (!accessToken) {
        console.log({ error: 'No access token provided' })
        return new Response(JSON.stringify({ error: 'No access token provided' }), { status: 401 })
    }
    const {
        data: { user },
        error,
    } = await supabase.auth.getUser(accessToken)

garyaustin•7/8/25, 5:34 PM

You should show your policies.

JoeceOP•7/8/25, 5:36 PM

all methods target authenticatedauthenticated users only

JoeceOP•7/8/25, 5:36 PM

and this is just on my photosphotos bucket only

garyaustin•7/8/25, 5:39 PM

Those are just labels. Show the insert policy.

JoeceOP•7/8/25, 5:42 PM

This is what i ran which was created via the template

CREATE POLICY "Give users authenticated access to folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (bucket_id = 'photos' AND (storage.foldername(name))[1] = 'private' AND auth.role() = 'authenticated');

CREATE POLICY "Give users authenticated access to folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (bucket_id = 'photos' AND (storage.foldername(name))[1] = 'private' AND auth.role() = 'authenticated');

garyaustin•7/8/25, 5:48 PM

You use private for the folder here but in your upload code have user id as the folder I think.

JoeceOP•7/8/25, 5:49 PM

so private just means no one can access? even if it's your own one?

JoeceOP•7/8/25, 5:50 PM

ohhhhhh you know what i might be using the wrong template - let me try again

JoeceOP•7/8/25, 5:51 PM

CREATE POLICY "Give users access to own folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (bucket_id = 'photos' AND (select auth.uid()::text) = (storage.foldername(name))[1]);

CREATE POLICY "Give users access to own folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (bucket_id = 'photos' AND (select auth.uid()::text) = (storage.foldername(name))[1]);

okay here is the new policy im going to try - which is just allowing users to upload to their own top level folder

JoeceOP•7/8/25, 5:52 PM

no luck again - same new row violates row-level security policynew row violates row-level security policy

garyaustin•7/8/25, 6:03 PM

Log out the path before you do the upload. You could also simplify it for a test to just With Check ( true). You might not actually have a user session at the point you make the call.

JoeceOP•7/8/25, 6:07 PM

CREATE POLICY "Give users access to own folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (true);

CREATE POLICY "Give users access to own folder 1io9m69_0" ON storage.objects FOR INSERT TO authenticated WITH CHECK (true);

so gonna set my policies to this

JoeceOP•7/8/25, 6:08 PM

And here's the results

user info {
  id: '1e766af3-d30c-4e04-bc75-57104e84f2c8',
  aud: 'authenticated',
  role: 'authenticated',
  email: '',
  phone: '',
  last_sign_in_at: '2025-07-07T19:48:08.890758Z',
  app_metadata: {},
  user_metadata: {},
  identities: [],
  created_at: '2025-07-07T19:48:08.882875Z',
  updated_at: '2025-07-08T17:21:29.363397Z',
  is_anonymous: true
}
1e766af3-d30c-4e04-bc75-57104e84f2c8/1751998053587-neck.png
{
  statusCode: '403',
  error: 'Unauthorized',
  message: 'new row violates row-level security policy'
}

user info {
  id: '1e766af3-d30c-4e04-bc75-57104e84f2c8',
  aud: 'authenticated',
  role: 'authenticated',
  email: '',
  phone: '',
  last_sign_in_at: '2025-07-07T19:48:08.890758Z',
  app_metadata: {},
  user_metadata: {},
  identities: [],
  created_at: '2025-07-07T19:48:08.882875Z',
  updated_at: '2025-07-08T17:21:29.363397Z',
  is_anonymous: true
}
1e766af3-d30c-4e04-bc75-57104e84f2c8/1751998053587-neck.png
{
  statusCode: '403',
  error: 'Unauthorized',
  message: 'new row violates row-level security policy'
}

JoeceOP•7/8/25, 7:24 PM

Hey! So i think i have a solution working

i had to make a server side client with th eAuth context use the global options as shown here

const supabase = createClient(
        SUPABASEURL,
        SUPABASEKEY,
        // Create client with Auth context of the user that called the function.
        // This way your row-level-security (RLS) policies are applied.
        {
            global: {
                headers: { Authorization: request.headers.get('Authorization')! },
            },
        }
    )

const supabase = createClient(
        SUPABASEURL,
        SUPABASEKEY,
        // Create client with Auth context of the user that called the function.
        // This way your row-level-security (RLS) policies are applied.
        {
            global: {
                headers: { Authorization: request.headers.get('Authorization')! },
            },
        }
    )

I followed this deno example below, but all seems to be working as expected now?? I'll get back to you on this if it doesn't work by tomorrow. But, ill mark this as solved for now

https://github.com/supabase/supabase/blob/master/examples/edge-functions/supabase/functions/select-from-table-with-auth-rls/index.ts

GitHub

supabase/examples/edge-functions/supabase/functions/select-from-tab...

The Postgres development platform. Supabase gives you a dedicated Postgres database to build your web, mobile, and AI applications. - supabase/supabase

RLS violation when attempting to upload to storage on astro api endpoint

Similar Threads

Similar Threads

Similar Threads