DoodlesEpic / MultiplayerPicross

Picross-style nonogram puzzles, but multiplayer.
https://picross.doodlesdev.com/
GNU Affero General Public License v3.0

Universal loading function #6

Closed DoodlesEpic closed 1 year ago

DoodlesEpic commented 1 year ago

This is, albeit a small change in terms of code, a huge change in terms of what responsibilities the server and client have. The client is now responsible for doing queries too whenever client-side rendering is running (i.e. after the first page load). This should result in noticeable performance improvements.

The reason why this is safe is because authorization is done through the server-side actions and the row-level security in the Supabase Postgres database, meaning we can trust the client to choose whether it should be able to access the page or not. If someone decides to override this to work without an active authentication, they will just get a blank page as the RLS policy will not allow the query.

Speaking from a high level, the Supabase client libraries are wrapping the PostgREST server hosted on Supabase, which in turn is wrapping SQL queries to the Postgres database. The RLS is the only thing that guarantees that data is only accessed by those who should be able to. This PR does not introduce significant extra bug surface as this was already the case: a potential attacker could already load the Supabase client on their side and attempt queries to the Supabase instance.
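
The row-level security guarantee that the description above relies on, as an added example that is not code from this PR or the project. The `puzzles` table, its columns, the policy name and the sample UUID are hypothetical; `auth.uid()`, `auth.users`, the `anon` and `authenticated` roles and the `request.jwt.claims` setting are Supabase's.

```sql
-- Hypothetical table: the project's real schema is not shown on this page.
create table public.puzzles (
  id       bigint generated always as identity primary key,
  owner_id uuid   not null references auth.users (id),
  title    text   not null
);

-- Weak setting: a table in the public schema with RLS left disabled.
-- PostgREST then serves every row to any role that holds a grant on the
-- table, and the client-side gate in a load function is the only check.

-- Corrected setting: enable RLS. With RLS on and no matching policy,
-- Postgres denies by default, so a role sees no rows.
alter table public.puzzles enable row level security;

-- Signed-in users may read only rows they own. auth.uid() resolves to the
-- "sub" claim of the JWT that PostgREST verified for the request.
create policy "owners can read their own puzzles"
  on public.puzzles
  for select
  to authenticated
  using (auth.uid() = owner_id);

-- Review check 1: run the query as a client with no session would.
-- No policy targets the anon role, so the default deny applies.
begin;
  set local role anon;
  select id, title from public.puzzles;
rollback;

-- Review check 2: run it as a signed-in user. The claims are constructed
-- sample values, scoped to this transaction by the third argument.
begin;
  select set_config(
    'request.jwt.claims',
    '{"sub": "00000000-0000-0000-0000-000000000001", "role": "authenticated"}',
    true
  );
  set local role authenticated;
  select id, title from public.puzzles;  -- filtered by the policy's USING clause
rollback;

-- Audit: list tables in public that still have RLS disabled.
select relname
from pg_class
where relnamespace = 'public'::regnamespace
  and relkind = 'r'
  and not relrowsecurity;
```

Running the two checks and the audit query against every table a universal load function reads confirms that a modified client gets nothing more than the policies allow.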

vercel[bot] commented 1 year ago

The latest updates on your projects.

Name Status Preview Updated (UTC)
multiplayer-picross ✅ Ready (Inspect) Visit Preview May 4, 2023 11:45pm