davetron5000 | 1 year ago

I built a toy app using this, with a front-end only app and postgrest + RBS. The app was seriously two forms behind a login. It was a huge pain.

RBS is "insecure by default" meaning if you don't set it up right, all users can access all data. And, because it's SQL, it's really easy to write a valid and successful configuration that doesn't work. You have to test it. And for views, you have to do some real heroics to get them to respect RBS.

PostGREST is very very basic and far less powerful than just writing SQL. I found it pretty frustrating to use, knowing that SQL would be far simpler.

Yes, I know that I could make a direct SQL connection to the database, but at that point, it would've been easier to put a Rails app on Heroku and use their offering, which is far more mature.

The Supabase dev environment was pretty slick and worked well, though I had to docker implode a couple times.

I wish them luck, but I could not figure out what the use case was for their product, given that Heroku has an awesome managed Postgres and RDS is there if you have more knowledge and want more controls. I don't see how you could make a complex app that is front-end only with Supabase as your entire back-end.

TOMDM | 1 year ago

A few things: RLS is secure by default; it's postgrest that's insecure by default.

RLS disables all operations on a table once enabled and is only operable once there's a passing policy unless you can bypass RLS.

When it comes to access control, you should probably always have tests for anything halfway important.

Views are a bit of a footgun when it comes to RLS, they bypass it by default. But getting them to play nice is as simple as defining "security invoker" in their definition; not what I'd call heroics.

steve-chavez | 1 year ago

> A few things: RLS is secure by default; it's postgrest that's insecure by default.

What makes you think that? PostgREST delegates all the authorization to PostgreSQL, which is secure by default. You have to explicitly assign privileges to roles for every operation.

Relevant previous discussion: https://news.ycombinator.com/item?id=38689294
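The two replies above describe the same mechanics from different angles: privileges must be granted to roles explicitly, enabling RLS denies every row until a policy passes, and a view bypasses RLS unless it is declared with `security_invoker`. The following is an added SQL example written for this thread, not code from either commenter or from PostgREST; the role names, the `todos` table, and the use of the `request.jwt.claims` setting to read the caller's `sub` claim are assumptions modelled on PostgREST's conventions, and `security_invoker` on views requires PostgreSQL 15 or later.

```sql
-- Added example (not from the thread). Roles, table and claim layout are assumptions.
create role web_anon nologin;   -- role for unauthenticated requests
create role app_user nologin;   -- role switched to for requests carrying a valid JWT

create table public.todos (
  id    bigint generated always as identity primary key,
  owner text    not null,       -- expected to match the JWT "sub" claim
  title text    not null,
  done  boolean not null default false
);

-- 1. Nothing is reachable until privileges are granted explicitly.
grant usage on schema public to web_anon, app_user;
grant select, insert, update, delete on public.todos to app_user;
-- web_anon is granted nothing on todos, so anonymous requests are refused.

-- 2. Enabling RLS with no policy denies every row to roles that cannot bypass RLS.
alter table public.todos enable row level security;
alter table public.todos force row level security;   -- also applies to the table owner

-- 3. A policy that passes only for the caller's own rows; WITH CHECK also stops
--    a caller from inserting or updating rows into someone else's name.
create policy todos_owner_only on public.todos
  for all
  to app_user
  using      (owner = current_setting('request.jwt.claims', true)::json ->> 'sub')
  with check (owner = current_setting('request.jwt.claims', true)::json ->> 'sub');

-- 4. A view runs with its owner's privileges by default, which skips the policy.
--    security_invoker makes the policy check run as the calling role instead.
create view public.open_todos
  with (security_invoker = true)
as
  select id, owner, title from public.todos where not done;

grant select on public.open_todos to app_user;

-- 5. The kind of test the thread says you need: act as app_user with a constructed
--    claim and confirm the policy behaves as intended.
set role app_user;
select set_config('request.jwt.claims', '{"sub":"alice"}', false);   -- constructed claim
insert into public.todos (owner, title) values ('alice', 'write the RLS tests');
-- insert into public.todos (owner, title) values ('bob', 'not mine');  -- rejected by WITH CHECK
select * from public.open_todos;   -- only alice's open rows come back
reset role;
```

Two things this makes visible that the prose only states: with the view declared without `security_invoker`, the final `select` would return every open row regardless of the claim, and without `force row level security` a connection running as the table owner would see everything even though the policy exists. Running the block as a superuser or a `bypassrls` role also returns all rows, which is why the check is done after `set role app_user`.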

steve-chavez | 1 year ago

> PostGREST is very very basic and far less powerful than just writing SQL. I found it pretty frustrating to use, knowing that SQL would be far simpler.

The PostgREST query grammar is basic on purpose, you're supposed to write SQL on views or functions[1] to extend its capabilities.

[1]: https://postgrest.org/en/v12/references/api/stored_procedure...
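As an added illustration of the pattern described in the reply above (not code from PostgREST or from the commenter), the following defines a search function that PostgREST exposes as an RPC endpoint while leaving access control to the database. The table name, role name and `sub` claim convention are assumptions; the function is `security invoker` (PostgreSQL's default), so the table's RLS policies still apply to whoever calls it.

```sql
-- Added example (not from the thread). Assumes an RLS-protected public.todos
-- table with an "owner" column and an app_user role, as in the discussion.

-- A query that PostgREST's URL grammar cannot express directly: a trigram-free
-- case-insensitive search ordered by recency, limited to a caller-supplied count.
create or replace function public.search_todos(q text, max_rows int default 20)
returns table (id bigint, title text, done boolean)
language sql
stable
security invoker              -- default, stated explicitly: RLS is evaluated as the caller
as $$
  select t.id, t.title, t.done
  from public.todos t
  where t.title ilike '%' || q || '%'
  order by t.id desc
  limit max_rows;
$$;

-- Privileges are still explicit: only app_user may call it.
revoke execute on function public.search_todos(text, int) from public;
grant  execute on function public.search_todos(text, int) to app_user;

-- Seen from PostgREST this becomes:
--   POST /rpc/search_todos   with body {"q": "tests", "max_rows": 5}
-- and the rows returned are only those the todos policy allows for the JWT's sub.
```

Because the function is `stable` and `security invoker`, PostgREST can also serve it with `GET /rpc/search_todos?q=tests`, and the authorization picture does not change: a caller with no `todos` policy match gets an empty result rather than an error, which is exactly the behaviour worth covering in the tests the earlier replies recommend.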