supabase-custom-claims vs frank_jwt

| | supabase-custom-claims | frank_jwt |
|---|---|---|
| Mentions | 18 | 355 |
| Stars | 482 | 249 |
| Growth | 8.7% | - |
| Activity | 1.3 | 3.1 |
| Latest commit | 8 months ago | 6 months ago |
| Language | JavaScript | Rust |
| License | - | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
supabase-custom-claims
-
Comparing Postgres Managed Services: AWS, Azure, GCP and Supabase
Have you checked out this repo: https://github.com/supabase-community/supabase-custom-claims?
The "raw_app_meta_data" stored for a user is not writeable by the user, so you can store roles and/or privileges in there.
-
Fly Postgres, Managed by Supabase
Have a look at the supabase-community claims repo [1]. NOTE: this is for ACL type permissions where you want to provide granular access to a wide range of services.
This stuff is "really cool" but just keep in mind that it is pretty advanced. And exactly as another commenter noted in this thread, it is possible to destroy your performance if you need to join on other tables in an extended version of this kind of RLS policy.
In this repo, the logic is simply "if a claim exists on the JWT then grant access". But in a lot of cases you may want to do something like "if this user is an owner of then grant access". That can require a join to that other table. That logic can get even more complex, for example, you might want to say "allow the user access to this row if they are an owner of the project". So you have to do more work to join from a child table, to a project table, to the user table, etc.
These operations are in addition to any work you might be doing in the actual query that is executed. I have no idea if the query planner can recognize you are doing the same joins in the RLS as the main query and optimize that away. But at any rate, every single policy invocation (on every single query) will be executing this logic.
These are all considerations if you are planning more advanced access policies to your data. If all you need is a binary "can access"/"cannot access" then basic RLS policies may be fine. But once you get into even moderately complex scenarios your policies are likely to balloon in complexity and you'll be writing a fair amount of PL/pgSQL and fighting with testing and validating.
1. https://github.com/supabase-community/supabase-custom-claims...
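The two policy shapes contrasted in the comment above, written out as an added example (not code from supabase-custom-claims or from the commenter). The schema is constructed for illustration; `get_my_claim(text)` is assumed to be the helper function that supabase-custom-claims installs, and `auth.uid()` is Supabase's built-in accessor for the JWT subject.

```sql
-- Constructed schema for the example: tasks belong to projects, users are
-- members of projects. Only tasks is protected here.
create table projects (id bigint primary key, name text);
create table project_members (
  project_id bigint references projects,
  user_id    uuid,
  primary key (project_id, user_id)
);
create table tasks (
  id         bigint primary key,
  project_id bigint references projects,
  title      text
);
alter table tasks enable row level security;

-- Shape 1: "if a claim exists on the JWT then grant access".
-- get_my_claim() (assumed signature: get_my_claim(text) returns jsonb) reads
-- app_metadata out of the request's JWT claims, so no table is touched per row.
-- Claims live in raw_app_meta_data, which the user cannot write.
create policy tasks_read_admin on tasks for select
  using ( coalesce((get_my_claim('claims_admin'))::boolean, false) );

-- Shape 2: "grant access if the user is a member of the row's project".
-- The EXISTS subquery is evaluated for every candidate row, on every query,
-- on top of whatever joins the main query already performs.
create policy tasks_read_member on tasks for select
  using (
    exists (
      select 1
      from project_members pm
      where pm.project_id = tasks.project_id
        and pm.user_id    = auth.uid()
    )
  );

-- Mitigation for shape 2: make the per-row lookup an index probe rather than
-- a scan of project_members.
create index project_members_user_idx on project_members (user_id, project_id);

-- Check: run the query as the API role with a constructed JWT and inspect the
-- plan; the policy's subquery shows up alongside the main query's own work.
set role authenticated;
set request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-000000000001","app_metadata":{"claims_admin":false}}';
explain analyze select * from tasks;
```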
-
Integrating Supabase SDK with Drizzle ORM in Next.js: How to handle DB operations and authentication seamlessly?
Custom Claims and RLS: I have created custom claims using this repo to handle routes and API access for custom roles like HEAD_ADMIN, ADMIN. Should I also use RLS (Row Level Security) on tables to add an extra layer of security for certain roles? Is this necessary, or will my custom claim handling suffice?
-
Row Level Security (RLS): Performance implications
https://github.com/supabase-community/supabase-custom-claims
https://github.com/point-source/supabase-tenant-rbac
-
Using Triggers to Map Database Relationships in Custom Claims
Custom claims are a powerful tool for implementing row-level security (RLS) policies in your applications which was popularized by Supabase. In a previous blog post (Part 1: "Using Custom Claims: Testing RLS with Supabase"), we explored the basics of custom claims and their application in Supabase. In this Part 2, we will delve deeper into the topic by introducing triggers and how they can be used to map database relationships in custom claims.
-
How to Implement Role-Based Access with Supabase
Supabase does not currently have built-in support for role-based access as of May 21, 2023. However, they are actively working on implementing it in the future. In the meantime, you can leverage the functionality provided by the supabase-custom-claims library. I have personally found this library effective and have successfully integrated it into my system using the SQL functions it offers.
-
Hi! I just moved to Supabase and is there any way that I can set a user as admin without creating a user table?
https://github.com/supabase-community/supabase-custom-claims
https://github.com/point-source/supabase-tenant-rbac
I wrote the first one, the second one was built with mine as a base. If you have questions please let me know -- I'm happy to help.
-
Allowing users to invite others with Supabase Edge Functions
I also had to modify the library I was using (custom-claims) to consider the service_role as an admin.
-
Admin role
What you're looking for is custom claims. Check it here.
-
Role-based Access Control / Groups / Tenancy
This is built off the original custom-claims project.
frank_jwt
-
Show HN: Storing Private Keys in the Browser Securely
-
Authentication using JSON Web Tokens.
NOTE: Never store sensitive information about a client in the payload as the JWT is just encoded and not encrypted. You can paste the JWT I gave as an example above into this cool site, which basically allows you to see it decoded: JSON Web Tokens - jwt.io
-
Building Llama as a Service (LaaS)
Although they did not make it into production, I experimented with the RabbitMQ message broker, Python (Django, Flask), Kubernetes + minikube, JWT, and NGINX. This was a hobby project, but I intended to learn about microservices along the way.
-
Rethinking password security: say goodbye to plaintext passwords
JSON Web Token (JWT) creation to extend user authentication to server-side functions
-
JWT, JWS, JWE and how to cook them
The (probably) most famous web resource about JWT - https://jwt.io - provides such a definition of JSON Web Tokens:
-
JWT Authentication in NodeJS
If you want to play with JWT and put these concepts into practice, you can use the jwt.io Debugger to decode, verify, and generate JWTs.
-
Microservices Authentication and Authorization Using API Gateway
In this context, JSON Web Tokens (JWTs) play a crucial role.
-
I turned my open-source project into a full-time business
-
FullStack Next.js & Django Authentication: Django REST, TypeScript, JWT, Wretch & Djoser
JSON Web Token (JWT): Even though it is more like an industry standard, we will use JWTs for stateless authentication in this article. If you want to learn more, you can refer to the official documentation.
-
Authentication with Golang and AWS Cognito
If we take the JWT token we can see what is inside it, using the site jwt.io.