Hello all,
I am currently developing a Dash app that uses Supabase for Auth + DB backend. I’ve got the Auth working (I think), applying auth-required to protected routes. What I’m struggling with is that I have set up Supabase’s row-level security (RLS) / roles (Details Here) for users to only access table data they’ve created, but I still have individual users able to query other users’ data in certain scenarios.
For example, in my app the user can start a given process; that process’s data is stored in the DB with a UID value and the URL is some-nonexistant-app.com/process/UID-1234. Now that process’s data/table has RLS enabled and roles applied. But if I log in to the app with a second account and pass that URL/UID to the second browser, logged in incognito, it’s able to load the process data associated with that UID.
I am working on making an MRE for my setup but don’t have it to share at the moment. My primary questions surround:
- Is there anything special around Dash’s server-side rendering with Supabase’s client I need to keep better track of so a user logged in via supabase is correctly applied at supabase client query time?
- Does anyone have examples of this sort of setup implemented elsewhere? I haven’t found one yet that goes beyond basic auth setup, and never one associated with Dash.
Thanks in advance! With any learnings/best practices, I plan to make a cookie-cutter template for using Supabase with Dash, because it’s pretty sweet otherwise!
I’ve implemented a similar setup in terms of the Flask storage shown by Supabase here: GitHub OAuth in your Python Flask app
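The symptom described above (a second account can open `/process/UID-1234`) is what you see when the server-side query does not run as the logged-in user. Supabase evaluates RLS policies in Postgres from the JWT sent with each request, so a client built with the `service_role` key bypasses RLS entirely, and an anon client without the user's access token has `auth.uid()` = NULL. The following is an added, offline model of that decision, not code from the post or from Supabase; it assumes a `processes` table with `uid` and `owner_id` columns and a select policy of `USING (auth.uid() = owner_id)`. With the real supabase-py library, the per-request client has to be created with the anon key and then given the signed-in user's access token (on current versions, I believe, via `client.postgrest.auth(access_token)`; treat that call as an assumption about your library version), never with the `service_role` key.

```python
# Added example (not the poster's code): an offline model of how Supabase RLS
# decides which rows of "processes" a caller can see, and what a /process/<uid>
# handler should do with that. Assumptions: columns uid and owner_id, policy
# `USING (auth.uid() = owner_id)`. Real Supabase evaluates this in Postgres from
# the request JWT; the service_role key bypasses RLS.
from typing import Optional

# Constructed sample rows standing in for the "processes" table.
PROCESSES = [
    {"uid": "UID-1234", "owner_id": "user-a", "status": "running"},
    {"uid": "UID-5678", "owner_id": "user-b", "status": "done"},
]


def rls_visible_rows(rows: list[dict], claims: Optional[dict]) -> list[dict]:
    """Model of the select policy `auth.uid() = owner_id` with Supabase role semantics.

    `claims` is the verified JWT payload the request carried (None = no JWT).
    - role "service_role": RLS is bypassed, every row is returned.
    - role "authenticated": auth.uid() is the `sub` claim; only matching rows come back.
    - anything else (anon key alone, or no JWT): auth.uid() is NULL, nothing matches.
    """
    if claims is not None and claims.get("role") == "service_role":
        return list(rows)
    if claims is None or claims.get("role") != "authenticated":
        return []
    uid = claims.get("sub")
    return [row for row in rows if row["owner_id"] == uid]


def load_process(process_uid: str, claims: Optional[dict], rows=PROCESSES) -> Optional[dict]:
    """What a /process/<uid> route should do: query through the caller's identity.

    Returns the row if RLS lets the caller see it, otherwise None. Render None as a
    404 rather than a 403 so the page does not confirm that the UID exists.
    """
    for row in rls_visible_rows(rows, claims):
        if row["uid"] == process_uid:
            return row
    return None


# Constructed JWT payloads with only the claims that matter for the policy.
USER_A = {"sub": "user-a", "role": "authenticated"}
USER_B = {"sub": "user-b", "role": "authenticated"}
SERVICE = {"role": "service_role"}  # server-held key; must not back per-user queries


if __name__ == "__main__":
    # The owner sees their process; the second account does not, even with the URL.
    print(load_process("UID-1234", USER_A))   # {'uid': 'UID-1234', 'owner_id': 'user-a', ...}
    print(load_process("UID-1234", USER_B))   # None
    # The symptom from the post: a server-side client built with the service_role
    # key hands the row to whoever asks, regardless of who is logged in.
    print(load_process("UID-1234", SERVICE))  # {'uid': 'UID-1234', 'owner_id': 'user-a', ...}
```

The practical check against your own app: log the role and `sub` of the token the Supabase client actually sends when the Dash callback or page-load runs; if it is `service_role`, or there is no user token at all, the RLS policy never had a chance to restrict the query, however correct the policy itself is.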