Noob dev question on FastAPI + Supabase best practices for security + image storage
Hi!
I'm a first-time dev trying to learn FastAPI and Supabase. I'm setting up a project where users can order personalised products, but I am getting really confused and frustrated about the best way to handle security between my backend and the database.
My Core Dilemma:
I see two ways for my FastAPI backend to talk to Supabase, and I'm not sure which is correct:
1. The "User-Mode" way: my backend gets the user's JWT from the frontend and uses it for every database call. This means all my RLS policies work automatically.
2. The "Admin-Mode" way: my backend uses the master service_role key for everything. This bypasses RLS, so I'd have to write WHERE user_id = ? in all my Python code and make sure I pass through all of the appropriate details and WHERE constraints etc.
My Questions:
As a beginner, what's the standard practice here? Should I always default to #1 (User-Mode) for user actions and only use #2 (Admin-Mode) for special server tasks like writing to app_internal.orders?
My biggest worry is the image_url in my products table. I know having an RLS policy on that table isn't enough. How do I actually protect the image file in Supabase Storage that I want to render to my front end? Could someone who finds a URL access an image they don't own? I have no idea how to make sure there are multiple levels of security on the DB/S3/Supabase Storage so that users can only access their own images, and even if an image URL was leaked (due to my bad code...) they still wouldn't be able to access other people's images.
Thanks for reading and helping out! Any advice would be huge. I am learning to ChatGPT code, but I want to make sure I get security right from the start. I am even willing to pay for some professional guidance, so please comment or PM me directly!
Thanks
Full reddit post here: https://www.reddit.com/r/Supabase/comments/1mq9iwm/noob_dev_question_on_fastapi_supabase_best/
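The following is an added example, not code from the post, from Supabase, or from FastAPI. It models the "user-mode" pattern the post describes and one way to keep image files private even if a URL leaks, using only the Python standard library so it runs offline. Assumptions: the JWT is HS256-signed with a shared project secret (`JWT_SECRET`), the product rows (`PRODUCTS`), the storage signing key, the `STORAGE_BASE` URL and the `exp`/`sig` query format are all constructed for illustration, and the image bucket is private so the storage side serves an object only when the signed URL checks out.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed secrets: stand-ins for the project's JWT secret and a server-side key
# used to sign storage URLs. Real ones belong in environment variables, never in code.
JWT_SECRET = b"constructed-jwt-secret"
STORAGE_SIGNING_KEY = b"constructed-storage-signing-key"
STORAGE_BASE = "https://example.invalid/storage/v1/object/sign/product-images"  # hypothetical

# Constructed rows standing in for the products table. image_path is the object key in a
# *private* bucket and is prefixed with the owner's user id, so ownership is visible in the key.
PRODUCTS = [
    {"id": 1, "user_id": "alice", "image_path": "alice/mug.png"},
    {"id": 2, "user_id": "bob", "image_path": "bob/shirt.png"},
]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(sub: str, exp: int) -> str:
    """Mint an HS256 JWT for a user (constructed, so the example can run without a login flow)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": exp, "role": "authenticated"}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """User-mode entry point: nothing in the token is trusted until the signature and expiry check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm swaps
        raise PermissionError("unexpected alg")
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")
    return claims


def owned_products(user_id: str) -> list:
    """The equivalent of an RLS policy `user_id = auth.uid()`: the filter comes from the
    verified claim and is applied in one place, not re-typed in every handler."""
    return [p for p in PRODUCTS if p["user_id"] == user_id]


def sign_storage_url(path: str, ttl: int, now: int) -> str:
    """Mint a short-lived URL for one object. The HMAC covers path and expiry, so neither can
    be edited, and after `ttl` seconds the URL is useless even if it leaked."""
    exp = now + ttl
    sig = hmac.new(STORAGE_SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{STORAGE_BASE}/{path}?exp={exp}&sig={sig}"


def storage_allows(url: str, now: int) -> bool:
    """What the storage side checks before serving a private object: valid signature, not expired."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        path = parsed.path.split("/product-images/", 1)[1]
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (IndexError, KeyError, ValueError):
        return False
    expected = hmac.new(STORAGE_SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig) and now < exp


def image_url_for(token: str, product_id: int, now: Optional[int] = None) -> str:
    """The user-mode handler: verify the JWT, look up only the caller's rows, and only then mint
    a signed URL. A product the caller does not own is indistinguishable from one that does not exist."""
    now = int(time.time()) if now is None else now
    user_id = verify_token(token, now)["sub"]
    product = next((p for p in owned_products(user_id) if p["id"] == product_id), None)
    if product is None:
        raise PermissionError("no such product for this user")
    return sign_storage_url(product["image_path"], ttl=60, now=now)


def is_denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError (used to show the negative cases)."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

The layering this models is: the JWT is verified before any claim is used; the ownership filter is derived from the verified `sub` rather than from anything the client sends; the bucket is private, so the stored path alone grants nothing; and the only thing a client ever receives is a signed URL with a short expiry. Supabase Storage supports private buckets and signed URLs for this purpose, so in a real backend the `sign_storage_url` step would be a call to the storage API rather than the constructed HMAC shown here, and the service_role key would be reserved for the server-only tables mentioned in the post.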