Supabase security strategy: RLS + RPC functions only — good idea?
Hey!
I'm considering enabling RLS on all my tables without defining any policies, and then interacting with my data only through Postgres RPC functions that are marked as SECURITY DEFINER. In each function, I check at the beginning whether the requested data is accessible based on the auth.uid.
Is this a good practice, or is there a better recommended approach for handling access control in this scenario?
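The arrangement described in the post, written out as an added SQL example (not the poster's code): RLS enabled on a table with no policies, and SECURITY DEFINER functions that perform the auth.uid() check themselves. The table `public.notes`, its columns and the function names are assumptions for illustration. Beside the uid check, it includes the two hardening steps a reviewer would ask for on any SECURITY DEFINER function: pinning `search_path` so unqualified names cannot be resolved through the caller's path, and replacing PostgreSQL's default EXECUTE grant to PUBLIC with an explicit grant to `authenticated`.

```sql
-- Added illustration of the RLS + SECURITY DEFINER RPC pattern.
-- Table, columns and function names are assumed, not from the post.
create table if not exists public.notes (
  id       bigint generated always as identity primary key,
  owner_id uuid not null references auth.users (id),
  body     text not null
);

-- RLS on with no policies: direct reads and writes through the API roles
-- (anon, authenticated) are denied. The table owner and roles with
-- BYPASSRLS are not subject to RLS, which is what lets the functions
-- below read the table on the caller's behalf.
alter table public.notes enable row level security;

-- Read path: returns only rows owned by the calling user.
create or replace function public.get_my_notes()
returns setof public.notes
language plpgsql
security definer
-- Pin the search path. A SECURITY DEFINER body that resolves unqualified
-- names through the caller's search_path could be made to call objects the
-- caller created; with '' every name below must be schema-qualified.
set search_path = ''
as $$
declare
  caller uuid := auth.uid();   -- null when the request is not authenticated
begin
  if caller is null then
    raise exception 'not authenticated' using errcode = '42501';
  end if;
  return query
    select n.* from public.notes n where n.owner_id = caller;
end;
$$;

-- Write path: ownership is enforced in the WHERE clause, and the same error
-- is raised whether the row is missing or belongs to someone else, so the
-- response does not reveal which ids exist.
create or replace function public.update_my_note(p_id bigint, p_body text)
returns public.notes
language plpgsql
security definer
set search_path = ''
as $$
declare
  caller uuid := auth.uid();
  rec    public.notes;
begin
  if caller is null then
    raise exception 'not authenticated' using errcode = '42501';
  end if;
  update public.notes
     set body = p_body
   where id = p_id and owner_id = caller
  returning * into rec;
  if not found then
    raise exception 'note not found' using errcode = 'P0002';
  end if;
  return rec;
end;
$$;

-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so the
-- anon role could call them. Revoke that and grant only to signed-in users.
revoke execute on function public.get_my_notes() from public, anon;
revoke execute on function public.update_my_note(bigint, text) from public, anon;
grant execute on function public.get_my_notes() to authenticated;
grant execute on function public.update_my_note(bigint, text) to authenticated;
```

With this layout the in-function check is the entire access control for the table, because the function owner is not subject to the (policy-less) RLS. Every exposed function therefore needs the same null-uid guard and ownership predicate; one function that omits it is a full bypass. Pinning `search_path` to `''` is what makes the explicit `auth.uid()` and `public.notes` qualifications mandatory rather than stylistic.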