Open w3b6x9 opened 2 years ago
Hey @w3b6x9,
Thanks for posting this! Will give this a read and reach out if needed :)
It's been a while since this was posted. Just adding context here in case anyone ones to pick this up -- off the top of head things we need to get this in.
There are probably more tasks as well feel free to add/comment below
We need some more discussion on the implementation of realtime-py. Imo we should only provide an async interface (because the underlying websockets stuff is inherently async). Right now we do some hacky wrap-every-async-call stuff but I think that'd just be an easy spot for bugs to arise, and if we expose that as public API we'd be obligated to provide support for it.
That makes sense -- I'll open up a doc or a thread of sorts for further discussion
This issue is stale because it has been open for 365 days with no activity.
Wow this is old and I confess I don't recall the context around this - @mansueli just looping you in case relevant to the implementation of the lib
Feature request
Is your feature request related to a problem? Please describe.
Currently, Realtime server sends all database changes to all connected clients despite Postgres Row Level Security policies. This poses security concerns when developers wish to broadcast database changes containing sensitive data to an authorized subset of connected clients based on tables with RLS enabled and row security policies.
Realtime server will integrate WALRUS (Write Ahead Log Realtime Unified Security), which means there are some changes that lib clients need to make in order to support this new security functionality.
Describe the solution you'd like
The following changes will need to be made:
user_token
when subscribing client to Realtime channel.The changes have already been applied to
supabase-js
andrealtime-js
and their PRs can be referenced while making the necessary changes:user_token
feat: add user_token when creating realtime channel subscription supabase-community/supabase-py#270
feat: update transformers to accept already transformed walrus changes supabase-community/realtime-py#50
fix: error parsing JSON when transforming array data types supabase-community/supabase-py#113
The bug fixes include longstanding issues with transformers in
realtime-js
where range types are first JSON parsed (which results in an error sometimes due to Postgres' range exclusive and inclusive bounds) and how stringified (e.g. "{1,2,3}") array types are split (can't always split on "," in cases like _daterange). Please see PR for additional context.Additional context
We're looking to launch WALRUS in Realtime at the end of November, and all developers using the JS client will have to do is version bump their
supabase-js
to v1.2.0, which contains all the changes described above.Please reach out if there's any questions and definitely tag me to confirm PRs if you'd like! Thank you!