Realtime error 401 unauthorized

Hi, in my Supabase project I lock down all schemas, tables etc. for all roles that don't need them and manually grant access back where I see fit, following the deny-by-default principle. I also use api instead of public, following Supabase's hardening guidelines. I noticed that Supabase Realtime broke. I get errors like "{:error, \"Unable to subscribe to changes with given parameters. An exception happened so please check your connect parameters: [event: *, filter: user_id=eq.3adc3ac9-a617-4828-b7b6-ed04167fc1dc, schema: api, table: profiles_tasks]. Exception: ERROR P0001 (raise_exception) invalid column for filter user_id\"}" and Error 401: Unauthorized. Perhaps Supabase Realtime has a role to which I also need to grant usage on api and on the specific tables, because I have to enable permissions per table like this:
grant select,
      insert (user_id, fcm_token),
      update (user_id, fcm_token),
      delete
   on table api.user_fcm_tokens to authenticated;

grant select, delete on table api.user_fcm_tokens to service_role;
logs: https://hastebin.com/share/idusunedac.swift
14 Replies
Idris (OP), 2w ago
I saw some people allowing anon usage and select (which I don't want; only authenticated), but this didn't work either. Doing
GRANT USAGE ON SCHEMA api TO authenticated, anon;
GRANT SELECT ON ALL TABLES IN SCHEMA api TO authenticated, anon;
fixed the issue, but I don't want this. I want to manually grant permissions. authenticated already has usage on api, and has select on all tables I make it listen to... But still, only this fixed the issue. Is it because anon needs permission as well? I only have RLS with "to authenticated", so it would be safe, but bad practice....
Idris (OP), 2w ago
Lockdown script I used during setup: https://hastebin.com/share/vizidekupu.sql
Idris (OP), 2w ago
Hi @garyaustin, on the answers forum I saw an answer from you about Prisma also resetting grants, like I manually did with my script, and you referred to a page that doesn't exist anymore about which grants to set back. Perhaps that page contains the answer. Do you happen to know what it said?
silentworks, 2w ago
Is someone spamming the server? Is there suspicious activity you'd like to report? Is someone breaking the server rules? If not, please don't @ the mods or team members on this server. Your account will go into timeout if you @ the mods and it's not one of the issues mentioned above.
Idris (OP), 2w ago
My bad, honestly I didn't tag him because he is staff but because I saw a post online from him and we had great threads before. But I won't do it again.
silentworks, 2w ago
He's not staff; like myself, he's just a mod. Normally we read all posts here, so he would get to your post when he comes online, as he is well acquainted with Realtime and has answered most Realtime questions on here.
Idris (OP), 2w ago
I see, awesome, thanks!
garyaustin, 2w ago
So it works if you grant select to anon and not if you just have authenticated? If so, then for some reason when you subscribe you are anon and not your user. Your error is odd for that, though, with it calling out your filter.
Idris (OP), 2w ago
I think that might be it. Just to confirm, there are no special roles, functions or tables involved? Just the role of the subscriber and the tables being listened to? I have also gotten 401 Unauthorized, but that one only 1 or 2 times...
garyaustin, 2w ago
So I've seen several reports that realtime.setAuth() is needed since supabase-js 2.54 due to a bug that I don't believe is fixed yet. The subscribe would show up as anon.... https://discord.com/channels/839993398554656828/1414876335662301194
Idris (OP), 2w ago
Hi Gary, thanks, that was it. In my app the realtime listeners would be set up after data is not null or undefined. Normally this would happen after a network fetch, which would happen after user authentication has settled. But I added caching, which would populate data instantly and therefore set up Realtime too early. Thanks!
Oh no, never mind, I am still seeing "invalid column for filter id". I am 100% sure realtime is called after onAuthStateChange for Supabase auth. Yeah, the issue is that realtime auth is not set when Supabase auth is set, like in the topic. Will see if I can make a PR for this any time soon. Wouldn't be my first PR for realtime-js; that lib is too buggy lol. Might not be the fault of realtime-js though... The issue is a race condition: it seems like the realtime auth user is set too soon and Supabase Realtime responds with unauthorized.
garyaustin, 2w ago
There is some issue since 2.54. They may be fixing it, but supabase.realtime.setAuth() has fixed it at least half a dozen times for users. https://github.com/supabase/supabase-js/pull/1561
fix(realtime): prevent empty Authorization header in REST fallback ...
Idris (OP), 7d ago
Yes, that fixed it for me as well. I think the Supabase team is aware of this; they started calling realtime.setAuth(token) after sign-in, inside the lib itself, instead of it "magically" working by realtime-js detecting sign-in wrongly. But that didn't solve it since it's called too early.
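The ordering the thread converges on, as an added example that is not code from the thread or from supabase-js: call setAuth and only then subscribe, and only once onAuthStateChange has delivered a session, so an app that is "ready" from cache cannot join the channel as anon. The client shape (auth.onAuthStateChange, realtime.setAuth, channel().on().subscribe(), removeChannel) is assumed from supabase-js v2 and stood in for by a constructed fake so the block runs offline.

```javascript
// Added example (not from the thread or supabase-js). `client` is assumed to have the supabase-js v2
// shape: client.auth.onAuthStateChange, client.realtime.setAuth, client.channel(..).on(..).subscribe().
function subscribeAfterAuth(client, { schema, table, filter, onChange }) {
  let channel = null;
  const { data: { subscription } } = client.auth.onAuthStateChange((event, session) => {
    const token = session && session.access_token;
    if (token) {
      // Hand the user's JWT to the realtime socket BEFORE joining; a join sent earlier goes out as anon.
      client.realtime.setAuth(token);
      if (!channel) {
        channel = client
          .channel(`${schema}:${table}`)
          .on('postgres_changes', { event: '*', schema, table, filter }, onChange)
          .subscribe();
      }
    } else if (channel) {
      client.removeChannel(channel); // signed out: drop the channel rather than leak it
      channel = null;
    }
  });
  return { stop: () => { subscription.unsubscribe(); if (channel) client.removeChannel(channel); } };
}
// Constructed stand-in for the client; it records call order so the gating can be checked offline.
function makeFakeClient() {
  const calls = [];
  const listeners = [];
  return {
    calls,
    emitAuth: (event, session) => listeners.forEach((cb) => cb(event, session)),
    auth: { onAuthStateChange(cb) { listeners.push(cb); return { data: { subscription: { unsubscribe() {} } } }; } },
    realtime: { setAuth: (token) => calls.push(['setAuth', token]) },
    channel: (name) => ({
      on(type, cfg) { calls.push(['on', name, cfg.filter]); return this; },
      subscribe() { calls.push(['subscribe', name]); return this; },
    }),
    removeChannel: () => calls.push(['removeChannel']),
  };
}
// Replays the race from the thread: app "ready" from cache before any session, then sign-in, refresh, sign-out.
function demo() {
  const client = makeFakeClient();
  subscribeAfterAuth(client, { schema: 'api', table: 'profiles_tasks',
    filter: 'user_id=eq.<user-uuid>', onChange: () => {} });  // constructed filter value
  client.emitAuth('INITIAL_SESSION', null);                       // no session yet: nothing joined
  client.emitAuth('SIGNED_IN', { access_token: 'jwt-A' });        // setAuth first, then subscribe
  client.emitAuth('TOKEN_REFRESHED', { access_token: 'jwt-B' });  // re-auth only, no second channel
  client.emitAuth('SIGNED_OUT', null);
  return client.calls;
}
```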