supabase-tenant-rbac

Support for GraphQL APIs

Open thuringia opened this issue 1 year ago • 2 comments

Thanks for creating this package and the thorough documentation!

You mention that this package relies on hooks from Postgrest to interface with Supabase. Does that mean additional work is required to support the GraphQL extension? The Supabase documentation is very thin on the integration of that particular extension and its security system.

Thanks again for the amazing work and have a great week!

thuringia avatar Jul 18 '24 10:07 thuringia

Nothing special has to be done to have the GraphQL extension respect your db policies. Simply pass your user's access token in the Authorization header when making GraphQL requests.

adamlamaa avatar Jul 22 '24 13:07 adamlamaa
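A request helper for the approach in the reply above, added here as an example and not code from the package or from any commenter. It assumes Supabase's `/graphql/v1` endpoint and the `role` claim in Supabase-issued JWTs; `jwtClaims`, `buildGraphqlRequest`, `fakeJwt` and all sample values are hypothetical names constructed for illustration.

```javascript
// Decode the (unverified) payload of a JWT to inspect its claims client-side.
// The server still verifies the signature; this is only a pre-flight check.
function jwtClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build fetch() arguments so the GraphQL query runs as the signed-in user
// and the database policies are evaluated against that user's claims.
function buildGraphqlRequest(projectUrl, anonKey, accessToken, query, variables = {}) {
  const { role, exp } = jwtClaims(accessToken);
  // service_role bypasses row level security; anon carries no user identity.
  if (role !== 'authenticated') {
    throw new Error(`refusing to send GraphQL request with role "${role}"`);
  }
  if (typeof exp === 'number' && exp * 1000 <= Date.now()) {
    throw new Error('access token expired');
  }
  return {
    url: `${projectUrl.replace(/\/+$/, '')}/graphql/v1`,
    init: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        apikey: anonKey,                        // project API key (anon)
        Authorization: `Bearer ${accessToken}`, // the user's access token
      },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Constructed, unsigned sample tokens for trying the helper offline.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```

Pass the returned `url` and `init` to `fetch(url, init)`; the helper throws before any request is made if the bearer token is not a user token.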

@adamlamaa thanks for answering this. I actually had no idea what the answer was since I don't use the graphql extension. Still, it seems it would be relatively trivial to test.

As long as graphql calls postgrest which queries postgresql, it's fine. If graphql goes straight to postgresql and bypasses postgrest, then it should still be secure but may be slightly less performant when checking permissions for each request since it would have to do a separate query to get the claims.

point-source avatar Aug 02 '24 23:08 point-source

Closing this since it seems answered or at least has gone stale. Feel free to re-open if necessary.

point-source avatar Oct 28 '24 21:10 point-source