moving minimal chat app to supabase

Hi, I'm porting my minimal self-hosted Express chat application to Supabase and I'm facing a lot of confusion. I understand that the client receives an anonymous key, authorizes and receives a JWT using the anonymous authentication key. Then it can listen to "INSERT" events in the PostgreSQL database and it can "INSERT" too. But I don't want the key to insert whatever; it has to be done using its own username (not spoofing someone else's) and I might not want it to receive all the "INSERT" events that happen on the database. On my self-hosted Express app, this was simple enough because the server handled WebSocket events. For some context, here is ALL my server code, attached to this post.
1 Reply
garyaustin, 4w ago
Normally your users sign up with email in Supabase. There is a concept of an anonymous user with a specific id until they sign out. When they sign out they have to sign up again and get a new id. Both can have a username as added data, but the user controls that name unless you do some sort of server/database-side operation to enforce a user name for that. You could associate a username with the anonymous user id, I guess. Both users are considered authenticated and have a user_id, so you can associate data with them and control realtime with RLS to allow selecting only certain info by checking their user id with auth.uid(). Realtime uses select RLS on tables to decide which users can see the data, OR RLS on the messages table if doing broadcast changes. Inserts are completely separate, RLS enforced via the REST API.
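The two RLS pieces described in the reply, written out as an added example (not the poster's code or Supabase's own): an insert policy that binds every row to the caller's auth.uid(), a select policy that also limits which Realtime INSERT events a client receives, and a trigger doing the database-side username enforcement. The `messages`, `room_members` and `profiles` tables are assumed for illustration.

```sql
-- Constructed schema: messages are stamped with the caller's auth.uid().
create table public.messages (
  id         bigint generated always as identity primary key,
  room_id    text not null,
  user_id    uuid not null default auth.uid() references auth.users (id),
  username   text not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Deny everything by default; the policies below grant back only what is needed.
alter table public.messages enable row level security;

-- INSERT: rows must carry the caller's own auth.uid(); a forged user_id in the
-- request body fails the check and the REST API rejects the write.
create policy "insert own messages"
  on public.messages for insert
  to authenticated
  with check (user_id = auth.uid());

-- SELECT: Realtime postgres_changes applies this same policy, so a client only
-- receives INSERT events for rooms it belongs to (hypothetical room_members table).
create policy "read messages in my rooms"
  on public.messages for select
  to authenticated
  using (
    exists (
      select 1 from public.room_members m
      where m.room_id = messages.room_id
        and m.user_id = auth.uid()
    )
  );

-- Database-side username enforcement: whatever name the client sends is
-- overwritten with the one stored in a hypothetical profiles table.
create function public.stamp_username() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  select p.username into strict new.username
    from public.profiles p where p.id = auth.uid();
  return new;
end $$;

create trigger messages_stamp_username
  before insert on public.messages
  for each row execute function public.stamp_username();

-- Publish the table so Realtime emits change events for it.
alter publication supabase_realtime add table public.messages;
```

With no update or delete policy defined, those operations stay denied for clients, which is the intended default for a chat log.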
