Reputation: 602
Sorry if this is a dumb question. I cannot figure out how roles and access rights to tables and the database work in Supabase. Coming from MongoDB Atlas, where it is super easy to define users, their different rights and passwords, and then use them in the front-end accordingly.
My use case is this. I am generating some documents with metadata. These are inserted into Supabase storage (the document) and a database table (the metadata) using a simple node app. There is a website where the documents and metadata are presented to the public. The website has no user/sign-in system at all, no need for that, just a simple public website.
Both the node app and the website use the Supabase client with the anon key to access Supabase storage and the database. The website does not access Supabase storage and the database directly but through a server (SvelteKit back-end server.js file, to be precise).
My problem is to give the website client only the right to read from Supabase. It seems there is no way to have two anon keys with different rights. It seems to me like overkill to involve Supabase Auth features when there is no need for logging in any users. The Supabase documentation is silent concerning this use case. To limit the anon key on the website to read only and to use the service key in the node app seems an inappropriate and dangerous use of the service key as well.
By the way, the default "everyone can CRUD anything in Supabase until you set up row level security" concept of Supabase seems really dangerous, and I have serious security concerns about whether their policies can fix all possible holes.
Thank you very much for your help
Upvotes: 0
Views: 1746
Reputation: 602
So my solution was simple. I decided not to use the Supabase UI editor at all and connected a pool to the Supabase database with a direct connection from node-postgres, as advised in the Supabase documentation.
From there it was easy to create different users with different rights granted. Just standard Postgres stuff. So I avoided using the anon key and the Supabase client altogether.
I guess the Supabase documentation does not stress enough that database and storage management from the UI is very strongly coupled with their Auth module, which is often not necessary at all.
Upvotes: 1
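The "standard Postgres stuff" from the answer above, written out as an added example (not code from the original post): a writer role for the node app and a read-only role for the SvelteKit server, each connecting with its own credentials instead of the shared anon key. The table name `public.documents` and the role names are assumptions; the passwords are placeholders.

```sql
-- Added example, not from the original post. Run as the database owner.
-- Table name, role names and passwords are assumptions/placeholders.

-- 1. Remove the default PUBLIC grants so new roles start with no access.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- 2. Role for the node app that inserts documents and their metadata.
CREATE ROLE doc_writer LOGIN PASSWORD 'REPLACE_WITH_STRONG_SECRET';
GRANT USAGE ON SCHEMA public TO doc_writer;
GRANT SELECT, INSERT, UPDATE ON TABLE public.documents TO doc_writer;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO doc_writer;  -- for serial ids

-- 3. Role for the website's server.js: SELECT only, no INSERT/UPDATE/DELETE.
CREATE ROLE doc_reader LOGIN PASSWORD 'REPLACE_WITH_STRONG_SECRET';
GRANT USAGE ON SCHEMA public TO doc_reader;
GRANT SELECT ON TABLE public.documents TO doc_reader;

-- 4. Tables created later by the owner get the same split automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO doc_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE ON TABLES TO doc_writer;

-- 5. If row level security is enabled on the table, grants alone are not
--    enough: a non-owner role with no matching policy sees zero rows.
CREATE POLICY doc_reader_select ON public.documents
    FOR SELECT TO doc_reader USING (true);

-- 6. Verify the split before handing out the credentials.
SELECT has_table_privilege('doc_reader', 'public.documents', 'SELECT') AS reader_select,  -- t
       has_table_privilege('doc_reader', 'public.documents', 'INSERT') AS reader_insert,  -- f
       has_table_privilege('doc_writer', 'public.documents', 'INSERT') AS writer_insert;  -- t
```

Each process then builds its node-postgres `Pool` with its own role's connection string, so a compromised website server can at worst read what is already public.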