auth icon indicating copy to clipboard operation
auth copied to clipboard
verified publisher icon supabase

RLS on auth.users table for GOTRUE_JWT_ADMIN_ROLES

Open andrearoscognamiglio opened this issue 1 year ago • 0 comments

Hi everyone! I'm using a self-hosted version of Supabase on my local machine via Docker. I'm trying to activate RLS on the auth.users table and apply custom policies to allow deletion from auth.users only when the Bearer Token in the request has a specific value in the email claim.

By default, RLS is disabled on the Auth schema, but I enabled it through SQL and also wrote a custom policy. I have a NestJS microservice that needs to allow deletion through a related endpoint, but I’m encountering issues.

If I use a client with the SERVICE_ROLE_KEY, the user is recognized as service_role:

this.supabase = createClient(
  this.SUPABASE_BASE_URL,
  this.SUPABASE_SERVICE_ROLE_KEY
);

In this setup, the service_role has the bypassrls privilege by default, which allows it to delete any user without going through any policies.

On the other hand, when I use the SUPABASE_SERVICE_ANON_KEY, the user recognized is anon, and it lacks access to the auth.users table.

I also tried revoking the bypassrls privilege for the service_role user. Although the console shows success for these commands:

ALTER ROLE service_role WITH NOSUPERUSER;
ALTER ROLE service_role WITH NOBYPASSRLS;

the service_role user still bypasses RLS on the auth.users table.

I changed the GOTRUE_JWT_ADMIN_ROLES variable to set a new role (administrator) as the admin role instead of service_role, but even then, any user token with this role bypasses RLS.

Next, I tried using Axios with a "user-specific JWT" as described here. However, if the Bearer token in the Axios request contains the role specified in GOTRUE_JWT_ADMIN_ROLES, RLS is still bypassed.

this.supabaseAdmin.defaults.headers.common['Authorization'] = authorization; 
this.supabaseAdmin.defaults.headers.common['apikey'] = apikey;        

const response = await this.supabaseAdmin.delete('/' + userId);

Here’s the response in the auth log when using a Bearer token with a role claim different from service_role:

[
  {
    "component": "api",
    "error": "this token needs to have one of the following roles: service_role",
    "level": "info",
    "method": "DELETE",
    "msg": "this token needs to have one of the following roles: service_role",
    "path": "/admin/users/c445c102-d8d1-4b45-be04-70f926287099",
    "referer": "http://localhost:3000",
    "remote_addr": "172.20.0.3",
    "request_id": "04507e6d-f815-4c38-96cb-8137ebc5818f",
    "time": "2024-11-14T20:07:57Z",
    "timestamp": "2024-11-14T20:07:57Z"
  }
]

I’m looking for a way to activate RLS and enforce policies on auth.users. Any help would be greatly appreciated. Thanks in advance!

andrearoscognamiglio avatar Nov 15 '24 01:11 andrearoscognamiglio