basejump
Use new Auth Hooks approach?
Hey there, thanks so much for this awesome project!
We've released some official guidance around custom claims & RBAC using the new Auth Hooks approach: https://supabase.com/docs/guides/auth/custom-claims-and-role-based-access-control-rbac
Would love if you could review and see if that would make sense to adopt for this project?
Thanks 💚
Love this - thanks for the recommendation, I'll look at leveraging it.
Would be interesting to know if there is a performance gain.
@tiniscule What are your latest thoughts on custom claims and Auth Hooks? I'm on the fence on if I want to go with the current basejump implementation and upgrade later if basejump changes, or roll with Auth Hooks now with a custom solution. Thanks for your hard work!
I think it depends on your use case a bit - if you're working with personal accounts with only a few role levels, then I think it can make sense. If you're working with team accounts and foresee the role complexity growing more over time, then I think it can be a little problematic and error-prone since you'd need to either implement your own per-account permissions structure (user 1 is admin of team 1 but member of team 2) or create some kind of per-team token that you swapped on your frontend to give them a team-specific custom claim.
I'd seen a couple threads when Thor posted this about the table lookup performance being comparable to the custom claims, and so decided that I didn't know enough to determine what the best generic solution was.
Open to feedback if you think you've got a solid path forward that makes sense. Happy to make it part of core.
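The per-account permissions structure mentioned in the reply above, as an added example that is not part of the thread or of basejump's code: it contrasts a single global role claim with a per-account role map and checks the "admin of team 1 but member of team 2" case. The claim names `user_role` and `account_roles`, the role names, and the team IDs are assumptions constructed for illustration.

```javascript
// Added example: claim names, roles and IDs are constructed, not basejump's schema.
const ROLE_RANK = new Map([["member", 1], ["admin", 2]]);

// Single global role claim: the token carries one role for the whole user,
// so it cannot express "admin of team 1, member of team 2".
function hasGlobalRole(claims, required) {
  const have = ROLE_RANK.get(claims?.user_role);
  const need = ROLE_RANK.get(required);
  if (have === undefined || need === undefined) return false;
  return have >= need;
}

// Per-account claim shape: { account_roles: { "<account id>": "<role>" } }.
// Fails closed on a missing map, an unknown account, or an unknown role.
function hasAccountRole(claims, accountId, required) {
  const roles = claims?.account_roles;
  if (roles === null || typeof roles !== "object" || Array.isArray(roles)) {
    return false;
  }
  // Own-property check so inherited keys such as "toString" never match.
  if (!Object.prototype.hasOwnProperty.call(roles, accountId)) return false;
  const have = ROLE_RANK.get(roles[accountId]);
  const need = ROLE_RANK.get(required);
  if (have === undefined || need === undefined) return false;
  return have >= need;
}

// Constructed decoded-token payloads for the same user.
const globalClaims = { sub: "user-1", user_role: "admin" };
const perAccountClaims = {
  sub: "user-1",
  account_roles: { "team-1": "admin", "team-2": "member" },
};

// The global claim has no account dimension: this "admin" result would be
// applied to team 2 as well, which over-grants.
console.log("global admin:", hasGlobalRole(globalClaims, "admin"));
// The per-account map scopes the decision to the account being accessed.
console.log("team-1 admin:", hasAccountRole(perAccountClaims, "team-1", "admin"));
console.log("team-2 admin:", hasAccountRole(perAccountClaims, "team-2", "admin"));
```
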
@tiniscule Thanks for the prompt response! Those are good points. After installing and diving through the code a little more, I think I'll stick with the current implementation, especially if performance is the same. I'll post something here or in a PR if I ever go the custom claims route.