vercel / nextjs-subscription-payments

Clone, deploy, and fully customize a SaaS subscription application with Next.js.
https://subscription-payments.vercel.app/
MIT License
5.79k stars 1.19k forks

Is using SUPABASE_SERVICE_ROLE_KEY in the app safe? #282

Closed aaa3334 closed 6 months ago

aaa3334 commented 6 months ago

I have been going through the code here and noticed this app uses SUPABASE_SERVICE_ROLE_KEY. It does come with a warning to only use it in server-side actions, but Supabase's docs go one step further and say: SUPABASE_SERVICE_ROLE_KEY: The service_role key for your Supabase API. This is safe to use in Edge Functions, but it should NEVER be used in a browser. This key will bypass Row Level Security.

https://supabase.com/docs/guides/functions/secrets

It is not clear if the server-side actions count as 'in a browser' or in an 'edge function'. Does anyone know if it is ok to use here in the server-side actions? Other Supabase examples use the public keys on the server-side actions (but I understand RLS means we cannot use those in the webhooks).

dalkommatt commented 6 months ago

If you look into the code you'll see that the functions which use the service role key in supabase-admin.ts are only called by API routes which are serverless functions executed on the server and never exposed to the browser. These could also be refactored to be edge functions, but the result is still the same—the service role key is used securely. This project was created by experts at Supabase and Vercel so it's a good example to follow regarding security.
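An added TypeScript check, not code from this repository or from Supabase, that makes the thread's distinction concrete: Supabase API keys are JWTs whose `role` claim is either `anon` or `service_role`, and Next.js inlines any `NEXT_PUBLIC_`-prefixed env var into the browser bundle, so the service_role key is only safe in code that can never run in or ship to the browser. The env var name NEXT_PUBLIC_SUPABASE_ANON_KEY is assumed, and the sample keys are constructed, unsigned JWT-shaped strings rather than real keys.

```typescript
type KeyRole = 'anon' | 'service_role' | 'unknown';

// Supabase keys are JWTs; the payload's role claim tells the two kinds apart.
function keyRole(jwt: string): KeyRole {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'unknown';
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return payload.role === 'anon' || payload.role === 'service_role' ? payload.role : 'unknown';
  } catch {
    return 'unknown';
  }
}

// Names of env vars that would ship a service_role key to the browser:
// Next.js exposes every NEXT_PUBLIC_* variable to client-side code.
function leakedServiceRoleVars(env: Record<string, string | undefined>): string[] {
  const leaks: string[] = [];
  for (const name of Object.keys(env)) {
    const value = env[name];
    if (name.indexOf('NEXT_PUBLIC_') === 0 && value !== undefined && keyRole(value) === 'service_role') {
      leaks.push(name);
    }
  }
  return leaks;
}

// Guard for supabase-admin.ts-style code (API routes, webhooks): hand out the
// service_role key only on the server, only if it really is a service_role key,
// and only if no public variable duplicates it.
function getServiceRoleKey(env: Record<string, string | undefined>, isBrowser: boolean): string {
  if (isBrowser) throw new Error('service_role key requested from browser code');
  const key = env.SUPABASE_SERVICE_ROLE_KEY;
  if (!key || keyRole(key) !== 'service_role') throw new Error('SUPABASE_SERVICE_ROLE_KEY missing or not a service_role key');
  const leaks = leakedServiceRoleVars(env);
  if (leaks.length > 0) throw new Error('service_role key exposed via ' + leaks.join(', '));
  return key;
}

// Constructed sample keys: JWT-shaped, unsigned, NOT real Supabase keys.
function fakeKey(role: string): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({ role: role, iss: 'supabase' }) + '.sig';
}
const SAMPLE_ANON_KEY = fakeKey('anon');
const SAMPLE_SERVICE_KEY = fakeKey('service_role');
```

In a real app the `isBrowser` argument would be `typeof window !== 'undefined'`; here it is a parameter so the guard can be exercised directly.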