Broadcast, Presence, and Postgres Changes via WebSockets
Hey HN, Supabase is an open source Firebase alternative. We're building the features of Firebase using enterprise-grade open source tools. We're particularly focused on scalability. We take proven tools like Postgres, and we make them as easy to use as Firebase.
Today, Supabase is adding Row Level Security (RLS) to our Realtime engine.
The linked blog post goes into depth around the technical implementation, so I’ll just give a recap for the people who jump straight to comments (like me).
Supabase was launched here on HN when we open sourced our Realtime engine - an Elixir server which clients (i.e. website visitors/users) can connect to via websockets and receive a stream of PostgreSQL changes.
The server receives those changes via a logical replication slot - the same system that PostgreSQL uses for replicating to other databases.
To achieve RLS we added a few SQL functions; the main one is `apply_rls`, which the stream is filtered through. For every user connected to the Elixir server, the Postgres function checks if they have access to the database change and appends an array of allowed user IDs. The Realtime server then delivers the change to the user only if the connected user is matched in this array.
This one has been a long time coming, and it's one of the reasons why we have maintained our "beta" badge for so long. A few of the team will be here to answer any questions - my cofounder @awalias and @steve-chavez from PostgREST, @inian, @wenbo and @1_over_n
 [Realtime Show HN](https://news.ycombinator.com/item?id=22114560)
 [SQL function](https://github.com/supabase/realtime/blob/master/server/priv...)
A JWT based API for managing users and issuing JWT tokens (by supabase)
In Supabase we use a separate Auth server. This stores the user in an `auth` schema, and these users can log in to receive a JWT. Inside the JWT is a "role", which is, in fact, a PostgreSQL role ("authenticated") that has certain grants associated with it, and the user ID (a UUID).
Inside your RLS Policies you can use anything stored inside the JWT. My cofounder made a video on this which is quite concise. Our way of handling this is just an extension of the PostgREST Auth recommendations: https://postgrest.org/en/v9.0/auth.html
 Auth server: https://github.com/supabase/gotrue
 RLS Video: https://supabase.com/docs/learn/auth-deep-dive/auth-row-leve...
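The scheme described in the comment above, as an added example that is not Supabase's or PostgREST's own code: a policy keyed on the user ID carried in the JWT, exercised for one user and then with no claims at all. The table, helper and policy names are hypothetical, the `request.jwt.claims` setting name is an assumption about how the API layer exposes the claims, and the script is meant for a scratch plain-Postgres database, run as a superuser.

```sql
begin;

-- The role named in the JWT; it can only be switched to, never logged in as.
create role authenticated nologin;

-- Constructed sample table: every row belongs to one user.
create table todos (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  task    text not null
);

-- Hypothetical helper: read the "sub" claim from the transaction-local
-- setting. Yields NULL when the setting is missing or empty.
create function jwt_user_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::json ->> 'sub')::uuid
$$;

-- Without this line the grants below would expose every row.
alter table todos enable row level security;
grant select, insert on todos to authenticated;

-- USING filters reads; WITH CHECK stops a user writing rows for someone else.
create policy todos_owner on todos
  for all to authenticated
  using (user_id = jwt_user_id())
  with check (user_id = jwt_user_id());

-- Constructed sample rows, inserted as the table owner (owners bypass RLS).
insert into todos (user_id, task) values
  ('11111111-1111-1111-1111-111111111111', 'first user task'),
  ('22222222-2222-2222-2222-222222222222', 'second user task');

-- What the API layer does per request: switch role, expose the claims.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"role":"authenticated","sub":"11111111-1111-1111-1111-111111111111"}', true);
select task from todos;  -- filtered to rows whose user_id equals the sub claim

-- No claims: jwt_user_id() is NULL, the comparison is never true, so the
-- policy fails closed instead of exposing rows.
select set_config('request.jwt.claims', '', true);
select count(*) from todos;

rollback;  -- leave the scratch database unchanged
```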
REST API for any Postgres database
Of course this is PostgREST-specific, only when going through it you'd enforce this condition.