How to Secure Your Supabase Database and Storage
Nandani Sharma
Posted on April 12, 2024
Introduction
In the era of data breaches and cybersecurity threats, safeguarding sensitive information is paramount for businesses and developers.
With the rise of cloud-based databases and storage solutions such as Supabase, Firebase, AWS, or Google Cloud Firestore, ensuring the security of your data is more critical than ever.
Supabase is an open-source platform that provides developers with a set of tools to build scalable and secure web applications.
Leveraging PostgreSQL as its database engine and integrating with popular authentication providers like Auth0 and Firebase, Supabase offers a comprehensive solution for managing data and user access in modern web applications.
In this blog post, we’ll explore the best practices and strategies for securing your Supabase Database and Storage, helping you mitigate risks and protect your valuable data assets.
Database Security
A robust database security strategy is essential for protecting your data from unauthorized access, manipulation, or theft. Here are the step-by-step implementations to consider.
Create a table with the required fields
In Supabase, creating a table is straightforward. We can do this through the SQL editor provided in the Supabase dashboard.
Navigate to the SQL editor and execute a CREATE TABLE statement to define the structure of your "users" table. For example:
create table users (
  id bigint primary key generated always as identity,
  auth_uid text not null, -- optional - to store auth user id from supabase.auth
  name text not null,
  email text not null,
  created_at timestamp with time zone default current_timestamp
);
In this definition, the auth_uid field is optional. It is required if we want to grant access to all Supabase authenticated users. We’ll see later how it works.
We can also create the table using the Supabase table editor.
Customize the fields based on your application’s requirements. In this example, we have fields for user ID, name, email, and creation timestamp.
Create a user for authentication
The auth methods can be accessed via the supabase.auth namespace.
When we use supabase.auth to handle authentication in our application, it interacts directly with the Supabase authentication system.
This means that when a user signs up using the application's authentication flow (powered by supabase.auth), Supabase automatically creates a corresponding user record in the authentication system.
const { data, error } = await supabase.auth.signUp({
  email: 'example@email.com',
  password: 'example-password',
})
However, there might be scenarios where we need to manually create user records, such as during development or for administrative purposes.
In such cases, we can add users directly from the Supabase dashboard using the following steps:
- Navigate to the Authentication tab in your Supabase dashboard.
- Under the Users section, manually create a user by clicking Add user, then Create new user.
- Fill in the required user details such as email and password to create a new user account.
This step simulates the creation of a user account in your application, allowing us to test authentication and access control policies.
Create policies for the users table
In the Supabase dashboard, navigate to the Policies section from the Authentication tab.
Here, you’ll find a list of tables in your database schema. Locate the “users” table that we created earlier.
To create a policy for records from the “users” table, click on the “Add new policy” button.
This will open a dialogue box where we can specify the details of the new policy.
Select record policy
In the dialogue box, you’ll see a list of available policy templates.
Click on the first template labeled “Select” to create a select record policy.
The policy name and required settings will be automatically populated based on the selected template. Review the settings to ensure they align with your requirements. We can customize the policy further if needed.
After configuring the policy settings, click on the “Save policy” button to save your changes.
Insert record policy
Now, let’s walk through the process of setting up an insert record policy for the “users” table.
In the dialogue box, click on the template labeled “Insert” to create an insert record policy.
The policy name and required settings will be automatically populated based on the selected template. Review the settings to ensure they align with your requirements. We can customize the policy further if needed.
After configuring the policy settings, click on the “Save policy” button to save your changes.
Update record policy
Now, let’s outline the steps for implementing an update record policy for the “users” table, taking into account different scenarios:
Granting access to all Supabase auth users
For all Supabase auth users, setting up an update record policy is straightforward.
- In the “Add new policy” dialogue box, select the template for updating records.
- In the policy configuration, set the Target Roles to “Authenticated”.
This allows any authenticated user, regardless of their specific role, to update the user record in the “users” table.
- Save the policy to apply the update record restrictions for the “users” table.
Granting access to the specific Supabase auth user
For a specific Supabase auth user, the process is slightly different.
- The first and second steps are the same as described above for all Supabase auth users.
- Next, identify the user by a unique identifier such as their email address.
- Set the appropriate conditions in the policy configuration to match the email address of the specific user attempting to update their record.
This allows only specified authenticated users, regardless of their specific role, to update the user record in the “users” table.
- Save the policy to apply the update record restrictions for the “users” table.
Delete record policy
Now, let’s detail the steps for implementing a delete record policy for the “users” table, using the user’s ID:
Granting access to all Supabase auth users
For all Supabase auth users, configuring a delete record policy follows a similar process as before.
- In the “Add new policy” dialogue box, select the template for deleting records.
- In the policy configuration, set the Target Roles to “Authenticated”.
Granting access to the specific Supabase auth user
For a specific Supabase auth user, the process is slightly different.
- The first and second steps are the same as described above for all Supabase auth users.
- Next, identify the user by a unique identifier such as their email address.
- Set the appropriate conditions in the policy configuration to match the email address of the specific user attempting to delete their record.
This allows only specified authenticated users, regardless of their specific role, to delete the user record in the “users” table.
- Save the policy to apply the delete record restrictions for the “users” table.
Now, we can see that we have Select, Insert, Update, and Delete policies for the “users” table. We can edit or delete any of them if we find issues.
Awesome!! 👌 Now, our database is secured.
Customize the policy settings as needed, specifying which roles or users have permission to perform the operations on the “users” table.
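The dashboard policies described above can also be written as SQL and run in the SQL editor. The following is an added example, not code from the original post: the policy names, the admin@example.com address, and the choice to scope insert and update to the caller's own row through auth_uid are assumptions; auth.uid() and auth.jwt() are Supabase's helper functions for the caller's user id and JWT claims.

```sql
-- Added example: SQL form of the Select / Insert / Update / Delete policies.
-- Policy names and the email value below are constructed placeholders.

-- Policies are only enforced once row level security is enabled on the table.
alter table users enable row level security;

-- Select: any signed-in user may read rows.
create policy "users_select_authenticated"
  on users for select
  to authenticated
  using (true);

-- Insert: a signed-in user may only insert a row tagged with their own auth id.
create policy "users_insert_own_row"
  on users for insert
  to authenticated
  with check (auth.uid()::text = auth_uid);

-- Update (Target Roles = authenticated): each user may change only their own row.
-- "using" filters which existing rows are visible to the update;
-- "with check" validates the row as it would look after the update.
create policy "users_update_own_row"
  on users for update
  to authenticated
  using (auth.uid()::text = auth_uid)
  with check (auth.uid()::text = auth_uid);

-- Delete (specific user): only the account whose JWT email claim matches.
create policy "users_delete_specific_email"
  on users for delete
  to authenticated
  using ((auth.jwt() ->> 'email') = 'admin@example.com');

-- Review what is actually in force for the table.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'users';
```

With row level security enabled and no policy for a given operation, that operation is denied for the anon and authenticated roles, so each policy here is an explicit allowance.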
In addition to database security, securing data stored in cloud storage is equally important.
This post covers only the Supabase Database implementation. To read the complete guide, including securing data storage, please visit our full blog at Canopas.