What is Best Practice to have role based access of Components and Pages using Supabase?
https://youtu.be/WUD1RLSd3U0?t=710 I found this way on how to do it. It seems easy enough and similar to what I am doing with checking if the user is authenticated at all. My plan is to display "no access granted" instead of redirecting the user, but I assume this allows the user to update the "user" variable and just set the role through the console. @the_guy

If I understand correctly, encoding data into the JWT seems secure on its own as the encryption is done with a secret that is only stored server-side. To read a JWT, no secret is needed; only to verify that the JWT is from your AUTH system do you need the JWT and the secret. But how do I get the data from the encrypted JWT inside Toddle? @Lucas G Assuming I have stored the AUTH token only in the cookies, what else would I need to do to get data from the JWT? Just storing the user object in session or local storage is problematic since the user can just update it inside the browser.

/auth/v1/user

In Supabase, you'd set up the RLS policies to grant access if the JWT has the required claims in it. That thread may help.

Some people I think just choose to use user_profile tables and roles tables too.

I think I understood the concept of custom claims - seems like the way to go for role/feature based access. I understand that all RLS policies are updated instantly with new permissions, so the first request after the update is already with the new permissions. When I want to do a page/component restriction on the client side - let's say a user can see the same page as an admin but the admin gets the "edit" button - I just fetch /auth/v1/user on page/component load, just once, and check for the role directly in the response without assigning the response to a variable and then checking the variable afterwards. Is this considered safe? Or can someone with just user access cheese his way into getting the edit button?

I currently store the object I get as a response on login in local storage - this can be read and updated by the user, so checking permissions from there is not safe. If I could get the access token that was stored as a cookie and read the JWT, it should be good. However, I would not be able to verify that the JWT is actually from my system, since I would expose the JWT secret due to missing secret management in Toddle.

When I think about it - IF the user is able to cheese his way into showing the page/component, the page/component would not provide any data, as the data response is server-side and uses the permissions from auth.users.raw_app_meta_data. So doing the RLS / server-side permission check is mandatory; doing it in the UI is cosmetic, to only show UI for backend actions that the user would be authorized for anyway. TLDR: If the user gets the "Edit" button to show up and clicks it, nothing will happen, because RLS does not allow a "user" to update; only "admin" can update.

If you're checking directly from the API response, then a user would have to go through a good amount of loops to 'override' the response, but even then they wouldn't actually be able to update anything on the backend, as their JWT is signed by Supabase with a secret that shouldn't be anywhere on the client side.
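The thread's conclusion is that the client-side role check is cosmetic and the server-side RLS policy is what actually enforces "only admin can update". The following is an added example (not code from the thread or from Supabase itself) of what such a policy looks like in Supabase SQL: it reads the role claim that Supabase copies from auth.users.raw_app_meta_data into the JWT under app_metadata, via the built-in auth.jwt() function. The table public.documents and its columns, the policy names, and the placeholder user id are assumptions made for the example.

```sql
-- Added example, not from the thread or the Supabase project.
-- Assumed table: public.documents (id, owner_id, title).

create table if not exists public.documents (
  id        bigint generated always as identity primary key,
  owner_id  uuid not null references auth.users (id),
  title     text not null
);

alter table public.documents enable row level security;

-- Any signed-in user may read rows (the "user sees the same page" case).
create policy "documents: authenticated can read"
  on public.documents
  for select
  to authenticated
  using (true);

-- Only a caller whose JWT carries app_metadata.role = 'admin' may update.
-- app_metadata comes from auth.users.raw_app_meta_data, which only the
-- service role / dashboard can change, so a browser-side edit of the cached
-- user object or of local storage does not affect this check.
-- Deliberately NOT using user_metadata: that is writable by the user via the
-- auth API and must never be used for authorization.
create policy "documents: admin can update"
  on public.documents
  for update
  to authenticated
  using      ((auth.jwt() -> 'app_metadata' ->> 'role') = 'admin')
  with check ((auth.jwt() -> 'app_metadata' ->> 'role') = 'admin');

-- Granting the role is a privileged, server-side operation (run with the
-- service role, e.g. from the SQL editor), never from the client.
-- '00000000-0000-0000-0000-000000000000' is a placeholder user id.
update auth.users
   set raw_app_meta_data = coalesce(raw_app_meta_data, '{}'::jsonb)
                           || '{"role": "admin"}'::jsonb
 where id = '00000000-0000-0000-0000-000000000000';
```

With this in place, a non-admin who manages to make the "Edit" button appear and submits an update receives zero affected rows (or a policy error) from PostgREST, which is exactly the "nothing will happen" outcome described above. Note that the new claim only appears in the JWT after the user's next token refresh, so a role change is not visible to RLS until the client holds a freshly issued access token.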