Supabase•4mo ago•

38 replies

Unable to test RLS from JWT custom claims (RBAC & multi tenancy on local development)

RLS

CLI

PostgREST

auth

Intro

I found this good guide to properly develop on Supabase (local development first)

https://supabase.com/blog/the-vibe-coders-guide-to-supabase-environments

We started to develop using migrations that they apply on

staging

staging

and

prod

prod

with github actions avoiding to use supabase dashboard directly to make app changes.

This is were this approach started to make dev experience tought when adding features for our applicacion based on official supabase documentation.

Implementing RBAC or Tenant Awareness
https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac#accessing-custom-claims-in-rls-policies

I.E.: You want JWT based multi tenancy using RLS

-- 1. Restrictive Tenant Guard
An authenticated user has

organization_id

organization_id

metadata which we added on JWT custom claims from any tenant aware table by

custom_access_token_hook

custom_access_token_hook

enabled on suapbase auth.
This safe RLS is applied on the table as an AND op so the authenticated user can only interact with rows on the table with the same

organization_id

organization_id

making a simple tenant aware RLS.

create policy "tenant_guard" on <table>
as restrictive
for all to authenticated
using organization_id = coalesce(((select auth.jwt()) ->> 'organization_id')::bigint, -1)

create policy "tenant_guard" on <table>
as restrictive
for all to authenticated
using organization_id = coalesce(((select auth.jwt()) ->> 'organization_id')::bigint, -1)

So, the problem is if you impersonate a user on supabase dashboard, those RLS that evaluates

auth.jwt()

auth.jwt()

does not work on supabase Dashboard because on Local Development, postgres does not take custom claims from GoTrue service

select auth.jwt()

select auth.jwt()

does not contain the custom claims from your

custom_acess_token_hook

custom_acess_token_hook

making the RLS tests very difficult.
But Custom Claims are available on the API.

How is the right approach to follow supabase documentation and being able to properly test your features on local development before pushing to staging or production?

I find very misleading to follow documentation and get an uneven dead end like this in terms of dev experience.

Supabase•4mo ago•

38 replies

Alberto

Unable to test RLS from JWT custom claims (RBAC & multi tenancy on local development)

RLS

CLI

PostgREST

auth

Intro

staging

staging

and

prod

prod

organization_id

organization_id

metadata which we added on JWT custom claims from any tenant aware table by

custom_access_token_hook

custom_access_token_hook

enabled on suapbase auth.
This safe RLS is applied on the table as an AND op so the authenticated user can only interact with rows on the table with the same

organization_id

organization_id

making a simple tenant aware RLS.

create policy "tenant_guard" on <table>
as restrictive
for all to authenticated
using organization_id = coalesce(((select auth.jwt()) ->> 'organization_id')::bigint, -1)

create policy "tenant_guard" on <table>
as restrictive
for all to authenticated
using organization_id = coalesce(((select auth.jwt()) ->> 'organization_id')::bigint, -1)

So, the problem is if you impersonate a user on supabase dashboard, those RLS that evaluates

auth.jwt()

auth.jwt()

does not work on supabase Dashboard because on Local Development, postgres does not take custom claims from GoTrue service

select auth.jwt()

select auth.jwt()

does not contain the custom claims from your

custom_acess_token_hook

custom_acess_token_hook

Unable to test RLS from JWT custom claims (RBAC & multi tenancy on local development)

Intro

Unable to test RLS from JWT custom claims (RBAC & multi tenancy on local development)

Intro

Similar Threads

Similar Threads

Similar Threads