Supabase, 3d ago
Sewb

Using raw_app_meta_data to conditionally render email content but I am unsure if this is available

Hey, I am storing user roles in auth.users.raw_app_user_metadata and I want to access the roles in the email template to conditionally render content. It says in the docs here that user metadata is available, but it's not clear exactly what fields are accessible. Any help would be greatly appreciated.
Email Templates | Supabase Docs
Learn how to manage the email templates in Supabase.
9 Replies
Sewb (OP), 3d ago
Ahh so it seems .Data returns auth.users.raw_user_meta_data NOT raw_user_app_data
silentworks, 3d ago
Yes correct. Only raw_user_meta_data is accessible in an email template.
Sewb (OP), 3d ago
@silentworks Thank you! I am trying to send different email content based on RBAC roles stored in raw_user_app_data. Would you have any recommendation on this? I am pondering creating a custom edge function for sending specific emails to "admins" but not sure if there might be a more elegant solution. Also, would storing roles in raw_user_app_data be considered bad practice?
silentworks, 3d ago
I would use a custom solution in that case, so as you mentioned use edge function or do it in your application code. You can use https://supabase.com/docs/reference/javascript/auth-admin-generatelink to get the data that is used in the normal email template and send your emails manually.
Sewb (OP), 3d ago
Legend! I'll look into this, thank you @silentworks
silentworks, 3d ago
On the second question about if it's bad practice to store the roles inside of raw_user_app_data, I cannot say, as I normally keep roles in their own table and just use joins in my queries/RLS policy.
Sewb (OP), 3d ago
Is it insecure/bad practice to store the majority of data in the public schema and expose the data structure via GraphQL? I am just trying to be a bit more security conscious and I am unsure whether it's an attack vector even with solid RLS policies.
silentworks, 3d ago
With your RLS policies in place it should be fine. I normally don't advise much on security on here because folks have a tendency of saying it was a mod on the Supabase Discord who said it was fine to do and now look I got hacked or something of the sort. So I'd advise checking with a security expert or a company that specialises in that.
Sewb (OP), 3d ago
Yeah that's fine and understandable. I appreciate the help anyway!