FlutterFlow / flutterflow-issues

A community issue tracker for FlutterFlow.

Supabase: API querying replacing User JWT Bearer Token #2979

Open gams1976 opened 3 months ago

gams1976 commented 3 months ago

Has your issue been reported?

Current Behavior

I have a Supabase database with RLS enabled. When I use the FlutterFlow Supabase Query, everything goes well, but when I do the same query via API, it doesn't work. After careful testing, I identified that FlutterFlow replaces the bearer token (user JWT) with the anon token even though I correctly place it in the API header via a variable. I even checked the same call in Postman (using the user JWT) and it worked perfectly.

Expected Behavior

To use the defined variable (User JWT)

Steps to Reproduce

1. Make a call to Supabase with bearer token using a variable
2. Replace variable with user.jwt
3. Check that the request does not use that JWT

Reproducible from Blank

Bug Report Code (Required)

IT4glcn15YpNpbxK1bqBKe9VqGIvKUh9bZc0sd4bGA0dCJzuPLMQdvXsQBRuZMfkTVV+OUSmmloxpdbqhtjpJ/kBFzuufIdxzKlqbT3LZEGie5OBEZeWfXx8DZ9TIX3D36WRmxV4G/VfWX9gwzqQPemXTivrJu62IndISq/LZO4=

Context

Show stopper for using Supabase API with RLS

Visual documentation

[Screenshot 2024-05-24 091252]

Additional Info

No response

Environment

- FlutterFlow version: Most recent
- Platform: Web
- Browser name and version: Chrome 125.0.6422.76 (Versão oficial) 64 bits
- Operating system and version affected: Windows

General

Relative to the time the changes were made, data was lost within

When following my steps to reproduce, data loss happens

msusviela commented 3 months ago

Hi @gams1976. Thanks for your report.

I was able to get the data with your project from the API call section. Is this still happening to you? Does it only happen in test mode or also in the Response and test of the Create API call section? Please, let me know.

gams1976 commented 3 months ago

Micaela, thank you for your response. The problem is not getting the data. The question is getting the data with the correct token. When I use the Supabase query client it works well. But when I make the call from the API it uses the anon key (and not the provided user token replaced by a variable in the call). So the issue is happening and impacts all API calls. It happens in test and in all scenarios.

gams1976 commented 3 months ago

If I use the user JWT token in Postman, it returns correct data. If I replace the bearer token in FlutterFlow with the same user JWT, it still uses the anon key for the API (returning wrong data with wrong privileges).

gams1976 commented 3 months ago

Different results with same JWT key provided as bearer token

gams1976 commented 3 months ago

As a summary, even if I change the BearerToken in the API call, FlutterFlow still makes the call with the anon key.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 7 days with no activity. If there are no further updates, a team member will close the issue.

gams1976 commented 3 months ago

I am waiting for a solution @msusviela

fafa16 commented 3 months ago

I have the same issue. What can we do??

gams1976 commented 3 months ago

@fafa16 as a workaround for Supabase you can use Supabase actions or custom code. But this is a serious issue and creates a lot of extra work that could be done with simple API calls...

fafa16 commented 3 months ago

I use this in the header: [auth_token] auth_token=JWT token from user

In my edge function (API) I am able to receive the good information, but the requests on tables done in the edge function are done with the anon token. Very curious. I am lost...

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 7 days with no activity. If there are no further updates, a team member will close the issue.

gams1976 commented 3 months ago

We are waiting for an answer from @msusviela

gams1976 commented 2 months ago

@msusviela

Serhio1210 commented 2 months ago

Has anyone found an elegant solution? Having trouble executing Supabase functions with API Call from FlutterFlow when a table has RLS policy

gams1976 commented 2 months ago

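@Serhio1210 the best way is to use custom code. Here is a simple example using datatypes and Supabase to load data:

```dart
// Assumes organizationId is in scope (e.g. a custom action parameter).
final clients = <ClientStruct>[];
try {
  final response = await SupaFlow.client
      .from('clients')
      .select('*') // Choose essential fields
      .eq('organization_id', organizationId);

  // Map each returned row into the FlutterFlow data type
  for (var item in response) {
    ClientStruct client = ClientStruct.fromMap(item);
    clients.add(client);
  }
} catch (e) {
  print('Loading clients failed: $e');
}
```

Aging-Developer commented 1 month ago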

Is anyone else in FF support looking at this @pooja-ff @agreaves @leighajarett, as the assignee has not responded for over two months, and has only been present on GitHub one day in the last month?

Alezanello commented 4 weeks ago

Hello!

Apologies for the delayed response.

I tested the issue in your project, and it appears to be more related to the specific data you're trying to retrieve via the endpoint rather than the Bearer token.

For instance, I noticed two different APIs: one for fetching body parts and another for photos. The photos endpoint returns data perfectly, which indicates that the call is being made correctly with the Bearer: [accesstoken].

However, it seems the getBodyParts endpoint isn't returning any data, likely because the endpoint itself isn't resolving correctly. For example, if you call the API like this: https://[your-project-id].supabase.co/rest/v1/ from the FF API Call builder, it may freeze momentarily but will eventually return all data from your project. This suggests that the Bearer token is functioning as expected.

gams1976 commented 4 weeks ago

@Alezanello sorry but it is still not working correctly. I have put detailed instructions here on how to test it and others here have confirmed the issue. I am not keeping the code in the project updated since it doesn't work as expected. The getBodyParts isn't returning any data because it is not using the correct token. All explanation is above. Sorry to be this straight, but FF support takes months to answer and you just give a plain answer...

gams1976 commented 4 weeks ago

@Alezanello The summary is: even if I change the BearerToken in the API call, FlutterFlow still makes the call with the anon key. The user token needs to be used, as it is the user token that has correct security rights. The anon key is the public key. This issue only happens in the API call (not on custom code and not on action).
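
One way to settle which credential a request actually carried is to classify the `Authorization` header at the receiving end (for instance inside an edge function or a request inspector). This is an added example, not code from the thread or from FlutterFlow; it relies on Supabase-issued tokens carrying a `role` claim (`anon` for the anon key, `authenticated` for a signed-in user), and the function names and sample tokens are constructed for illustration.

```javascript
// Diagnostic only: decodes the JWT payload WITHOUT verifying the signature,
// so use it to inspect which token arrived, never to authorize a request.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Classify the credential found in an Authorization header value.
function classifyBearer(headerValue) {
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue || '');
  if (!m) return { kind: 'missing', sub: null };
  const claims = decodeJwtPayload(m[1]);
  if (!claims || typeof claims !== 'object') return { kind: 'invalid', sub: null };
  if (claims.role === 'anon') return { kind: 'anon-key', sub: null };
  if (claims.role === 'authenticated' && claims.sub) {
    return { kind: 'user-jwt', sub: claims.sub };
  }
  return { kind: 'other', sub: claims.sub ?? null };
}

// Constructed sample tokens: made-up claims and a fake signature.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const sampleAnonKey = makeSampleToken({ iss: 'supabase', role: 'anon' });
const sampleUserJwt = makeSampleToken({
  aud: 'authenticated',
  role: 'authenticated',
  sub: '00000000-0000-0000-0000-000000000001', // constructed user id
});

// With RLS, only the second request is evaluated as a specific user.
console.log(classifyBearer(`Bearer ${sampleAnonKey}`));
console.log(classifyBearer(`Bearer ${sampleUserJwt}`));
```

On Supabase REST calls the anon key normally also travels in the `apikey` header, so it is the `Authorization` header specifically that shows whether the user JWT was sent.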

Alezanello commented 1 week ago

Hello,

I apologize for the late response. Does this issue still persist, or was it fixed in the latest FlutterFlow updates?