Can Supabase have a server-authoritative name
Can Supabase have a server-authoritative player name/id on Realtime for a server-authoritative chat, instead of the client choosing an unsafe name on messages?
@jinwin4642 use Supabase Auth UID or a server-side stored username as the authoritative identity, and insert messages via RLS/DB triggers instead of trusting client-provided names.
I want to use broadcast
Not database things
@jinwin4642 use auth.uid with the broadcast payload: send only the UID from the client, and resolve/display the authoritative name server side (or from a secured mapping), so users can't spoof names.
what if the user adds another uid on the payload, like from another user?
if they call the API themselves
@jinwin4642 Don't trust the client UID; always derive it from the verified JWT.
I would generate an issue in realtime github. I mentioned this to one of their devs a while back for private broadcasts as an improvement.
It has to be derived on their realtime server from the access token otherwise it could always be faked.
I don't understand what you mean
Yep
Was just looking at my comment and I think only 1/2 of the impact got implemented (RLS side) not the actual payload....
https://github.com/orgs/supabase/discussions/22484#discussioncomment-9916960
I see, but without payload it is hard to use
No way to create a secure chat at all
it should return data from user session
You can secure the real users in the chat. But you can't secure which user in a group for instance.
RLS can see the sub.
Anyways I was suggesting what you are. I would generate an issue though in realtime not add to an old discussion.
But what about showing the user name on a message sent in chat?
I am dungeon2567 on that issue
long ago
LOL
This is sad @garyaustin looks like it won't ever happen and realtime is useless