#Problem with auth and fetching data (Supabase + Astro JS)

So I've been building a website using Astrojs and Supabase, to make it easier I followed the guide on the Astrojs website (https://docs.astro.build/en/guides/backend/supabase/). Signing in/out worked but when using Supabase in another API path its using the cookies by default of the last person that signed in, so if an admin signed in with Supabase it would use that persons permission to do all other Supabase requests in all other API paths, is there a way to use the permissions of the requested person? idk if this is a question for astro or supabase

am guessing its saving some cookies or token on the server? weird

sign in is 1:1 as on the docs

fetching is

export const GET: APIRoute = async (context) => {

  const { data, error, count } = await supabase
    .from("members")
    .select("*", { count: "exact" })

  if (error) {
    return new Response(error.message, { status: 500 });
  }

  return Response.json({
    data,
    total: count,
  });
};

if I login as an admin and then someone who is not authorized tries to fetch data thats only for admins from the same route it will use the admin's permission and give the data? i guess its saving something

its kinda like a security breach or somethin

Bump 😦

Bump 😦 should i make a github issue?

How are you restricting the route?

It doesn't sound like it has anything to do with Astro, so I wouldn't create a Github issue.

Also make sure you're server-rendering the dynamic pages

ok

they are server rendered

its just when making a GET route and use supabase

my supabase rules are useless because i think its using the cookies of the last logged in person through the signin route

in the astro guide

so i login as a "admin" through that signin route

then when lets say i send a get request from a private window or postman, its supposted to get the information from supabase from the permission/cookies of the person thats requesting the information

but in reality its using the cookies/permissions of the last logged in user

so it bypasses the need to authenticate and etc

am not sure thats its happening like that in the background

its just what i assume

because if i signout then when a random person makes a request, it wont work

The docs only explain how to authenticate. The restricted routing and dynamic pages are all yours. If you could show how you're fetching those, me or someone else might see the issue

this the fetching route

the resitricting part is supposted to be on the supabase side

which it is doing

No, it's not.

as in

i have set policies on it

to check the authentication of a user

When you log in, a session is created by Supabase, and cookies are created on your Astro site. You then need some sort of implementation to check the rol and user ID and return the corresponding data.

yes on supabase i have a policy to check those

on select requests

You can store the session in middleware for example, and on your dynamic page you check the if a session exists, then get the user ID, and then from the DB you the data you need that belongs to that specific user ID

the confusing thing is when i login as a admin and then do a get request in postman it works and its using admin permissions

but when i sign out from that user on my browser

the get request fails because of lack of permissions

maybe i should make a video or somethin

because idk if ur understanding what am sayin

not in an offensive way but maybe am explaining it badly or its confusing as a whole

No worries, you could be right

but the simplest way to explain it is, when i login from my browser, then send a request from another browser/postman it works but when i logout

they all cant get the data

Can you create a repository where this issue occurs so it can be reproduced?

yea i think that would be good

i will try

@craggy gulch https://github.com/Whitelistedd/astro-supabase-issue.git

repo that i recreated the issue with

you will need supabase

i dont have an extra supabase project to create for a test

but just having a table called members thats only readable by authenticated user and trying to fetch that using the members api route before logging in should give you an empty array

after logging in and doing the same request from another browser/postman/whatever

it will give that data to anyone even if not authenticated

until you signout

this is all from me testing locally, so maybe am dumb and it works differently locally

not sure

ill be happy if you can take a look and explain since its forcing me to switch to other frameworks

which work fine in the same exact way

but i just like astro more

is this valid sql?
Don't you want something like:

  SELECT *
  FROM users
  WHERE users.id = auth.id()
  AND users.role = 2

without the first condition

it just checks if the user is authenticated in supabase and if he has the role 2

but did you have the same issue?

I'm trying your sql on a local db i have and not getting anything good

i mean my problem is specifically with supabase authentication/security

with astro

not sql

Have u tried it with supabase?

@craggy gulch ?

Elo?

Sorry, got no time at the moment 😦

How did you add a column to the users table?

Just insert column

On the top

Here one of the maintainers doesn't recommend editing it: https://github.com/orgs/supabase/discussions/2677

Green btn

the green button is to add a user

not add a column

Wait what do you mean by this

This is not the problem

Has nothing to do

Alright I gotta go

Has nothing to do with the issue xD

U can just check if the user is authenticated

You don't have to do the role thing

Am not extending auth users table

It's just a separate public.users table that is based on the auth table which has more columns

i dont understand how other people have used supabase

if this is kind of a security hole