Published May 10, 2022

Episode 511: Ant Wilson on Supabase (Postgres as a Service)

Ant Wilson delves into Supabase's innovative use of PostgreSQL, emphasizing its commitment to open source and secure authentication. He contrasts Supabase’s capabilities with Firebase, highlighting its strengths in flexibility and simplifying backend tasks for frontend developers.
Episode Highlights

  • User Permissions

    Supabase leverages PostgreSQL's row-level security to manage user permissions. Wilson explains that when GoTrue, the Auth server, is connected to a PostgreSQL database, it installs its own schema, including an auth users table. This setup allows Supabase to issue JSON Web Tokens (JWTs) that map to user permissions without needing actual PostgreSQL users. Wilson highlights the benefits of pushing authorization down into the database, as it simplifies client-side management and enhances security.

    It's impressive that you garnered that without looking at a single diagram.

    ---

    This approach ensures that each request sent to PostgreSQL is automatically authenticated, streamlining the process for developers.

       

  • Security Measures

    Row-level security in Supabase is implemented using PostgreSQL's built-in features, which are enhanced by JWTs for secure access. Wilson describes how Supabase uses PostgreSQL views to restrict data exposure, allowing developers to define views that limit data access based on specific criteria. This method provides a secure way to manage data visibility directly from the database, eliminating the need for additional API layers.

    We basically push the authorization down into the database.

    ---

    By integrating these security measures, Supabase offers a robust solution for managing user access and data protection.
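
The pattern described in both highlights, written out as an added example (not code from the episode or from Supabase): a row-level security policy keyed on a JWT claim, plus a view that narrows the exposed columns. The table, role, function and setting names are assumptions chosen for illustration, and the script is meant for a scratch PostgreSQL database.

```sql
-- Constructed demo for a scratch PostgreSQL database; every name here is hypothetical.
BEGIN;
CREATE ROLE authenticated NOLOGIN;  -- one shared role; end users are not PostgreSQL users

CREATE TABLE profiles (
    user_id  uuid PRIMARY KEY,      -- assumed to equal the "sub" claim of the user's JWT
    nickname text NOT NULL,
    email    text NOT NULL          -- sensitive column
);
INSERT INTO profiles VALUES
    ('11111111-1111-1111-1111-111111111111', 'alice', 'alice@example.test'),
    ('22222222-2222-2222-2222-222222222222', 'bob',   'bob@example.test');

-- Assumption: the API layer verifies the JWT signature, then stores the payload
-- in the transaction-local setting request.jwt.claims before running the query.
CREATE FUNCTION jwt_sub() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT (nullif(current_setting('request.jwt.claims', true), '')::json ->> 'sub')::uuid
$$;

ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
GRANT SELECT, UPDATE ON profiles TO authenticated;

-- With RLS enabled and no policy, non-owner roles see nothing; this policy opens the caller's own row.
CREATE POLICY own_row ON profiles
    FOR ALL TO authenticated
    USING (user_id = jwt_sub())
    WITH CHECK (user_id = jwt_sub());

-- A view that omits the sensitive column. By default a view runs with its owner's
-- rights, so the base table's RLS is not applied to the caller; on PostgreSQL 15+
-- add WITH (security_invoker = true) if the caller's policies should apply.
CREATE VIEW public_profiles AS SELECT user_id, nickname FROM profiles;
GRANT SELECT ON public_profiles TO authenticated;

-- Simulate one authenticated request carrying alice's token.
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims', '{"sub": "11111111-1111-1111-1111-111111111111"}', true);

SELECT nickname, email FROM profiles;   -- filtered by own_row
UPDATE profiles SET nickname = 'hijacked'
 WHERE user_id = '22222222-2222-2222-2222-222222222222';  -- USING hides bob's row from the UPDATE
SELECT nickname FROM public_profiles;   -- view columns only, evaluated as the view owner
ROLLBACK;
```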
