Unable to Create RLS Policy on `auth.mfa_factors`
Hello everyone,
Hope you are doing alright. I need help please!
My application's Multi-Factor Authentication (MFA) flow is not working. We have diagnosed that the
supabase.auth.mfa.listFactors() function is silently returning an empty array, which prevents users from completing
the MFA challenge.
Root Cause:
There is no RLS SELECT policy on the auth.mfa_factors table for the authenticated role.
Attempted Solutions:
We have tried every possible way to create this policy, and all have failed:
1. Dashboard UI: The auth schema is "Locked" and read-only in the Policy Editor UI, so we cannot add the policy there.
2. SQL Editor: Running CREATE POLICY... directly in the SQL Editor fails with the error: ERROR: 42501: must be owner
of table mfa_factors.
3.
SECURITY DEFINER Function: We attempted to use a SECURITY DEFINER function to escalate privileges, but this also
fails with the same must be owner permission error.
Required Action:
Could you please run the following SQL to create the necessary policy in our project?
1 -- Enable RLS if it is not already
2 ALTER TABLE auth.mfa_factors ENABLE ROW LEVEL SECURITY;
3
4 -- Create the policy
5 CREATE POLICY "Authenticated users can read their MFA factors"
6 ON auth.mfa_factors
7 FOR SELECT
8 TO authenticated
9 USING ((SELECT auth.uid()) = user_id);
Thank you.
Karl1 Reply
You can't have RLS policies on auth schema AND they are not accessible from the API anyway. If you want to access them from the API you need to use a security definer function to select and return results.