realtime
realtime copied to clipboard
supabase
Table INSERT subscriptions fail with Error 401: Not Unauthorized
Describe the bug
I've subscribed to inserts on a table using the supabase api, when I add a row into that same table on the supabase web interface I receive notice that a change has occurred but not the content of the row that was inserted. I've ensured that the table has been added to the supabase-realtime channel just like the guide. I have tried to disable/enable RLS, giving all permissions to both anon and public roles, and also tried to use the api service key. None of these resolved the 401: unauthorized error.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
Code to subscribe to channel, which I copied from the API tab on the web interface.
const { createClient } = require('@supabase/supabase-js')
const supabase = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_KEY)
const coachMessages = supabase.channel('custom-insert-channel')
.on(
'postgres_changes',
{ event: 'INSERT', schema: 'public', table: 'coach_messages' },
(payload: any) => {
console.log('Change received!', payload)
}
)
.subscribe()
console.log(coachMessages)
and the error:
Row insertion and database actions are done using the supabase web interface.
Expected behavior
A clear and concise description of what you expected to happen.
The payload to contain the row that was just inserted in the payload.new property.
System information
- OS: macOS
- Browser: Firefox
- Version of supabase-js: 2.33.1
- Version of Node.js: 18.16.0
I am experiencing the same problem in 2.33.2. Is there a fallback version I can use until this bug is fixed?
btw.. I am using @nuxtjs/supabase and therefore const supabase = useSupabaseClient(); to create the subscription. I assume that it is a wrapper around @supabase/supabase-js.
Ok, I think I got this to work but I am not sure as to why, maybe someone who is advanced in this topic maybe able to shed some light.
I turned off RLS for the table followed by:
grant select on table to anon;
as documented in Bring your own database
after I did that, I get the payload.
UPDATE: I needed both anon and authenticated for my shopping cart so:
grant select on transactions to anon, authenticated;
Ok, I think I got this to work but I am not sure as to why, maybe someone who is advanced in this topic maybe able to shed some light.
I turned off RLS for the table followed by:
grant select on table to anon;as documented in Bring your own database
after I did that, I get the payload.
UPDATE: I needed both anon and authenticated for my shopping cart so:
grant select on transactions to anon, authenticated;
That makes it work. Thank you.
Ok, I think I got this to work but I am not sure as to why, maybe someone who is advanced in this topic maybe able to shed some light.
I turned off RLS for the table followed by:
grant select on table to anon;as documented in Bring your own database
after I did that, I get the payload.
UPDATE: I needed both anon and authenticated for my shopping cart so:
grant select on transactions to anon, authenticated;
This worked for me as well, thank a lot.
Make sure you have the Authorization header set on the webhook as well, as that can cause a 401
The "Missing grants" section in the troubleshooting docs helper me fix this issue: https://supabase.com/partners/integrations/prisma#troubleshooting
I get an error when I try to set anon for my table, any other workaround?
I am hitting this problem as well.
I am watching for UPDATEs like so:
...
.on(
"postgres_changes", { schema: "public", table: "Feed", event: "UPDATE" },
(payload) => console.log("UPDATE", payload)
)
.subscribe()
All of my requests are via an authenticated client, so I only worry about the authenticated role.
I am finding that if I do not run grant select on "public"."Feed" to authenticated; then I get the 401 error, regardless of whether RLS is enabled for the given table.
If I run the grant command, then if RLS is enabled, the events don't fire -> now nothing gets console logged.
If I remove RLS, then the events fire properly, without the 401 error.
I am not sure why RLS would block the event like that - my only guess would be that the RLS is too restrictive, but this is my RLS policy:
create policy "policy_name"
on "public"."Feed"
as PERMISSIVE
for ALL
to authenticated
using (
true
);
so I am being as insecure as possible with my RLS policy.
Ok, I think I got this to work but I am not sure as to why, maybe someone who is advanced in this topic maybe able to shed some light.
I turned off RLS for the table followed by:
grant select on table to anon;as documented in Bring your own database
after I did that, I get the payload.
UPDATE: I needed both anon and authenticated for my shopping cart so:
grant select on transactions to anon, authenticated;
Thanks! That solves the problem.
Ok, I think I got this to work but I am not sure as to why, maybe someone who is advanced in this topic maybe able to shed some light.
I turned off RLS for the table followed by:
grant select on table to anon;as documented in Bring your own database
after I did that, I get the payload.
UPDATE: I needed both anon and authenticated for my shopping cart so:
grant select on transactions to anon, authenticated;
Please explain the steps to run above command I am also seeing same issue.
grant select on "public"."Feed" to authenticated
this worked, thank you!
When working with a TPA like auth0, you have to do supabase.realtime.setAuth(token) every time your access token refreshes in order for realtime to work. This is sort of called out in https://supabase.com/docs/guides/realtime/postgres-changes#custom-tokens but for what sounds like a different use case.
