Best practices: everything in edge functions or the usual supabase-js query client?

I have a hard time deciding if I should just go with the usual way of querying Supabase, or put everything in an edge function, including external APIs like Stripe, Plaid, etc. What is the best practice for this these days?
7 Replies
ihm40 (7h ago)
I don't think there is a clear-cut answer. Many people would insist that you should wrap everything behind an edge function, but most people simply use the JavaScript client to query their database from their frontend and make use of RLS. Some things will have to be done server-side in an edge function, such as Stripe or other things, because the environment keys would get exposed on the frontend.
Ishak (OP, 7h ago)
But we would still need RLS if I put everything in an edge function, right? I can get the auth headers and keys from the request I see in the network tab and still post whatever I want.
ihm40 (7h ago)
You should still use RLS, but I guess you could do more validation for the incoming query (playing devil's advocate, as I don't use this method personally). Most security incidents have been people not using RLS or using bad RLS, I think.
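Since the thread keeps coming back to "RLS must be on regardless of whether you go through an edge function", here is a worked policy set as an added example. It is not from the thread or from Supabase's docs; the table name `orders`, its columns and the `status` values are assumptions chosen for illustration. It shows the weak "any authenticated user" policy next to the per-user policies that actually hold up when the anon key and project URL are public.

```sql
-- Added example (not from the thread): a table reached directly with the public
-- anon key through supabase-js, protected by RLS. Names below are assumptions.
create table public.orders (
  id           uuid primary key default gen_random_uuid(),
  -- auth.uid() is the caller's user id taken from the JWT Supabase passes along.
  user_id      uuid not null default auth.uid() references auth.users(id),
  plan         text not null,
  amount_cents integer not null check (amount_cents > 0),
  status       text not null default 'pending'
                 check (status in ('pending', 'paid', 'cancelled')),
  created_at   timestamptz not null default now()
);

-- Without this line the anon and authenticated roles can read and write every row
-- through PostgREST, no matter what the frontend or an edge function "validates".
alter table public.orders enable row level security;

-- Bad RLS (kept commented out): RLS is "on", but any logged-in user can read and
-- edit everyone's orders, because the check is not tied to the caller's identity.
-- create policy "orders_all" on public.orders
--   for all to authenticated using (true) with check (true);

-- Corrected: a user can only see their own rows.
-- (select auth.uid()) instead of auth.uid() lets Postgres evaluate it once per query.
create policy "orders_select_own" on public.orders
  for select to authenticated
  using (user_id = (select auth.uid()));

-- A user can only create rows for themselves, and only in the initial state.
-- Even if the browser sends user_id or status in the request body, this check rejects it.
create policy "orders_insert_own" on public.orders
  for insert to authenticated
  with check (user_id = (select auth.uid()) and status = 'pending');

-- Deliberately no update or delete policy for end users: moving an order to 'paid'
-- is server-side business logic (e.g. an edge function after a Stripe call). Code that
-- uses the service_role key bypasses RLS entirely, which is exactly why that key must
-- never be shipped to the frontend. The anon role gets no policy at all, so
-- unauthenticated requests see zero rows.
```

Two things worth checking after applying something like this: run the same query from the browser console while logged in as a second user and confirm it returns nothing, and confirm `alter table ... enable row level security` has actually been run on every table the anon key can reach, since a policy on a table with RLS disabled does nothing.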
Ishak (OP, 7h ago)
I went with RLS + edge functions for everything, with complex business logic in the functions themselves and invoking them with the JS client, a mix of SSR and CSR. My problem is that I feel like users can still see too much of the backend in the request.
ihm40 (7h ago)
As in they can see the function you are invoking?
Ishak (OP, 6h ago)
Auth headers, API key, project ID, etc. I'd like to show as little as possible on the frontend. The only option might be using SSR for everything and custom domains on sb? I don't think all of this is a big deal if RLS is set up properly, but it's just in the back of my head.
ihm40 (4h ago)
I mean, anything that you place in environment variables in the frontend can be read; the general idea behind the anon key is that it can be made public. Even for SSR, your anon key and project URL are as exposed as when not using SSR, I think (could be wrong on this, but the docs suggest you still create a client).