supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License

Cannot bypass RLS using `service_key` #598

Closed biowaffeln closed 1 year ago

biowaffeln commented 1 year ago

Bug report

Describe the bug

I'm using the auth-helpers-nextjs package with Next.js 13. I want to create an route handler that bypasses RLS using my service key, however when I instantiate a client and try to insert something into a table with RLS, I get the error "new row violates row-level security policy for table ...".

To Reproduce

  1. create a table, enable RLS without any policies
  2. create a route handler and init a client, like this:
  const supabase = createRouteHandlerClient(
    { cookies },
    { supabaseKey: process.env.SUPABASE_SERVICE_KEY }
  );
  3. try to insert data into the table
    await supabase.from("table_name").insert(data);
  4. get an error "new row violates row-level security policy for table 'table_name'"

For comparison, when I try to create a client directly with the @supabase/supabase-js package, the insert works:

  const service = createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.SUPABASE_SERVICE_KEY
  );

  await service.from("table_name").insert(data); // works without a problem

System information

silentworks commented 1 year ago

You cannot use service role with the auth-helpers, this would be a security issue. The auth-helpers by default doesn't allow you to use the service_role secret as this could lead to you leaking your service_role secret to the public. auth-helpers work in both the server and client side so there is no clear way to separate the key when using it in the client environment. You can however create a separate Supabase client using the @supabase/supabase-js createClient method and pass it the service_role secret. You will also need to turn some properties off since you are working in a server environment.

import { createClient } from '@supabase/supabase-js';

const supabase = createClient(supabaseUrl, serviceRoleSecret, {
    auth: {
        persistSession: false,
        autoRefreshToken: false,
        detectSessionInUrl: false
    }
});
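An added example, not code from the auth-helpers project or from the comment above: a guard that refuses to build a browser-capable client from a service_role key, plus a server-only factory for the admin client described above. It assumes that Supabase API keys (the legacy anon/service_role keys) are JWTs whose payload carries a `role` claim, and `createClient` is injected so the snippet runs offline; pass @supabase/supabase-js's createClient in real code.

```javascript
// Decode the payload of a JWT without verifying it (we only read the role;
// PostgREST verifies the signature server-side).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(b64 + pad, 'base64').toString('utf8'));
}

// Assumption: Supabase legacy keys carry a `role` claim ("anon" / "service_role").
function keyRole(key) {
  return decodeJwtPayload(key).role;
}

// Guard for any client that could end up in a browser bundle (the auth-helpers
// clients run on both sides): only an anon key is acceptable there.
function assertPublishableKey(key) {
  const role = keyRole(key);
  if (role !== 'anon') {
    throw new Error(`refusing to use a ${role} key in a client that can run in the browser`);
  }
  return key;
}

// Server-only admin client with the session features turned off, as in the
// comment above. `createClient` is injected (hypothetical parameter) so the
// example does not need the package installed.
function createAdminClient(createClient, url, serviceRoleSecret) {
  if (typeof window !== 'undefined') {
    throw new Error('admin client must never be created in the browser');
  }
  if (keyRole(serviceRoleSecret) !== 'service_role') {
    throw new Error('expected a service_role key');
  }
  return createClient(url, serviceRoleSecret, {
    auth: { persistSession: false, autoRefreshToken: false, detectSessionInUrl: false },
  });
}

// Constructed, unsigned sample keys for demonstration only; real keys are signed.
function fakeKey(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ role, iss: 'supabase' })}.sig`;
}
```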
anuoua commented 9 months ago

You cannot use service role with the auth-helpers, this would be a security issue. The auth-helpers by default doesn't allow you to use the service_role secret as this could lead to you leaking your service_role secret to the public. auth-helpers work in both the server and client side so there is no clear way to separate the key when using it in the client environment. You can however create a separate Supabase client using the @supabase/supabase-js createClient method and pass it the service_role secret. You will also need to turn some properties off since you are working in a server environment.

import { createClient } from '@supabase/supabase-js';

const supabase = createClient(supabaseUrl, serviceRoleSecret, {
  auth: {
      persistSession: false,
      autoRefreshToken: false,
      detectSessionInUrl: false
  }
});

The auth params are very important! The doc creating-a-client needs updating.

silentworks commented 9 months ago

Hi @anuoua, why do you think that needs updating please? My example above is how to use the service_role key with supabase-js, not the auth-helpers.