Craig Howell

Reputation: 1194

UPDATE RLS in Supabase seems broken

I am trying to set up RLS on a table in Supabase that will only allow the authenticated user to UPDATE their own row on the users table. I have opted to use Supabase on my server rather than the front-end. My current workflow is as follows:

  1. Client requests a OTP via email
  2. User is emailed an OTP
  3. OTP is entered into the Client
  4. OTP is verified on the server
  5. If verified UPDATE the users row in the users table with new session details
  6. Return the current user details to the Client

Here is the code that is failing:

// supabase-js v1: store the new session details on the caller's own row
const { error } = await supabase
  .from('users')
  .update({
    access_token: session.access_token,
    refresh_token: session.refresh_token,
    expires_at: session?.expires_at || 0
  })
  .eq('user_id', user.id)   // match the row to the signed-in user's id
  .single();                // expect exactly one row back from the update

Here is the table structure: [screenshot of the users table]

When I run const user = supabase.auth.user(); I am shown the correct user, whose user.id matches the user_id column of the row I want to UPDATE.

Without RLS set up this workflow is working perfectly. Anything I try fails. Below are the three RLS policies that I have tried that should work.

  1. Checking if the user exists WHERE auth.uid() = users.user_id in both USING and CHECK [screenshot]

  2. Added auth.uid() = user_id in both USING and CHECK [screenshot]

  3. The weirdest one of all, set true in both USING and CHECK [screenshot]

Here are screenshots of the uuid on the auth.users table and user_id on the users table: [screenshot: auth.users] [screenshot: users]

Attempted this from one of the answers and it is still failing: [screenshot]

Here is the error response I am receiving from Supabase: [screenshot of the error response]

Upvotes: 2

Views: 6235

Answers (1)

dshukertjr

Reputation: 18680

This is not very well documented yet, but signed-in users have the authenticated role, not the anon role, so changing the target role to authenticated should fix it. When in doubt, just leave the target roles blank, which will apply the RLS policy to all roles.

[screenshot: Set RLS on authenticated]

Upvotes: 7
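As an added worked example, not taken from the question or the answer, here is the same policy written in SQL rather than the dashboard, once with the wrong target role and once corrected, followed by a way to exercise it from the SQL editor without a client. The table name public.users, the user_id column and the uuids are assumptions; so is the detail that auth.uid() reads the JWT subject from the request.jwt.claim.sub setting, which is how Supabase's helper has been implemented as far as I know.

```sql
-- Added example; table, column and uuids are assumptions, not from the original post.
-- With RLS enabled and no matching policy, the anon and authenticated roles
-- see and touch no rows at all: denial is silent, not an error.
alter table public.users enable row level security;

-- Policy as the question's screenshots appear to have had it: target role anon.
-- A signed-in user's JWT carries role "authenticated", so this policy is never
-- consulted for them and their UPDATE quietly affects zero rows.
create policy "users can update own row (broken)"
  on public.users
  for update
  to anon
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Corrected: target the authenticated role. Omitting the TO clause entirely
-- applies the policy to every role, which is what the answer's "leave it blank" does.
drop policy "users can update own row (broken)" on public.users;
create policy "users can update own row"
  on public.users
  for update
  to authenticated
  using (auth.uid() = user_id)        -- which existing rows the caller may target
  with check (auth.uid() = user_id);  -- what the updated row must still satisfy

-- Exercise the policy without a client: impersonate the role and the JWT subject
-- that auth.uid() reads, inside a transaction that is rolled back afterwards.
-- (Assumption: auth.uid() is derived from the request.jwt.claim.sub setting.)
begin;
set local role authenticated;
set local request.jwt.claim.sub = '00000000-0000-0000-0000-000000000001';

-- Expect "UPDATE 1" for the caller's own row...
update public.users set expires_at = 0
  where user_id = '00000000-0000-0000-0000-000000000001';

-- ...and "UPDATE 0", not an error, for anyone else's row.
update public.users set expires_at = 0
  where user_id = '00000000-0000-0000-0000-000000000002';
rollback;
```

The second UPDATE is the behaviour to keep in mind when debugging: RLS filters rows rather than raising an error, so a policy that does not apply to the caller's role makes an UPDATE return zero rows. A client call that insists on exactly one row back, such as the .single() in the question's snippet, is then what turns that silent zero into a visible error, while the policy itself never reports anything.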
