RBAC in local development supabse instance

self-hosted

RLS

CLI

auth

After going through many threads and discussions I find out that when impersonating the user

select auth.jwt()

select auth.jwt()

would not return custom claims in the local instance. Because of that authorize() function mentioned in this guid
https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac
would always return false. I think this should be mentioned in the guid. but anyways I was thinking about changing the authorize function to something like this

CREATE OR REPLACE FUNCTION public.authorize(requested_permission public.app_permission)
RETURNS boolean
LANGUAGE plpgsql
STABLE SECURITY DEFINER -- Important: runs as owner to bypass RLS on lookups
AS $$
declare
  user_role public.app_role;
  has_permission int;
begin
  -- 1. Try to get role from JWT (Fastest - Works in App/Production)
  user_role := (auth.jwt() ->> 'user_role')::public.app_role;

  -- 2. Fallback: If JWT is empty (like in Local Impersonation), check the table
  if user_role is null then
    select role into user_role 
    from public.user_roles 
    where user_id = auth.uid();
  end if;

  -- 3. Check permissions
  select count(*)
  into has_permission
  from public.role_permissions
  where role_permissions.permission = requested_permission
    and role_permissions.role = user_role;

  return has_permission > 0;
end;
$$;

CREATE OR REPLACE FUNCTION public.authorize(requested_permission public.app_permission)
RETURNS boolean
LANGUAGE plpgsql
STABLE SECURITY DEFINER -- Important: runs as owner to bypass RLS on lookups
AS $$
declare
  user_role public.app_role;
  has_permission int;
begin
  -- 1. Try to get role from JWT (Fastest - Works in App/Production)
  user_role := (auth.jwt() ->> 'user_role')::public.app_role;

  -- 2. Fallback: If JWT is empty (like in Local Impersonation), check the table
  if user_role is null then
    select role into user_role 
    from public.user_roles 
    where user_id = auth.uid();
  end if;

  -- 3. Check permissions
  select count(*)
  into has_permission
  from public.role_permissions
  where role_permissions.permission = requested_permission
    and role_permissions.role = user_role;

  return has_permission > 0;
end;
$$;

I am still new to supabase and want some expert guidance if this would be the right way to do this. or if there are any better ways to implement RBAC please let me know.

RBAC in local development supabse instance

self-hosted

RLS

CLI

auth

After going through many threads and discussions I find out that when impersonating the user

select auth.jwt()

select auth.jwt()

CREATE OR REPLACE FUNCTION public.authorize(requested_permission public.app_permission)
RETURNS boolean
LANGUAGE plpgsql
STABLE SECURITY DEFINER -- Important: runs as owner to bypass RLS on lookups
AS $$
declare
  user_role public.app_role;
  has_permission int;
begin
  -- 1. Try to get role from JWT (Fastest - Works in App/Production)
  user_role := (auth.jwt() ->> 'user_role')::public.app_role;

  -- 2. Fallback: If JWT is empty (like in Local Impersonation), check the table
  if user_role is null then
    select role into user_role 
    from public.user_roles 
    where user_id = auth.uid();
  end if;

  -- 3. Check permissions
  select count(*)
  into has_permission
  from public.role_permissions
  where role_permissions.permission = requested_permission
    and role_permissions.role = user_role;

  return has_permission > 0;
end;
$$;

CREATE OR REPLACE FUNCTION public.authorize(requested_permission public.app_permission)
RETURNS boolean
LANGUAGE plpgsql
STABLE SECURITY DEFINER -- Important: runs as owner to bypass RLS on lookups
AS $$
declare
  user_role public.app_role;
  has_permission int;
begin
  -- 1. Try to get role from JWT (Fastest - Works in App/Production)
  user_role := (auth.jwt() ->> 'user_role')::public.app_role;

  -- 2. Fallback: If JWT is empty (like in Local Impersonation), check the table
  if user_role is null then
    select role into user_role 
    from public.user_roles 
    where user_id = auth.uid();
  end if;

  -- 3. Check permissions
  select count(*)
  into has_permission
  from public.role_permissions
  where role_permissions.permission = requested_permission
    and role_permissions.role = user_role;

  return has_permission > 0;
end;
$$;

I am still new to supabase and want some expert guidance if this would be the right way to do this. or if there are any better ways to implement RBAC please let me know.

RBAC in local development supabse instance

RBAC in local development supabse instance

Similar Threads

Similar Threads

Similar Threads