Auth
User Management
Supabase makes it simple to manage your users.
When users sign up, Supabase assign them a unique ID. You can reference this ID anywhere in your database. For example, you might create a profiles
table referencing the user using a user_id
field.
Supabase provides the routes to sign up, log in, log out, and manage users in your apps and websites.
Third Party Logins
We currently support the following OAuth providers:
- Github
- Gitlab
- Azure
- Bitbucket
You can enable providers by navigating to Authentication > Settings > External OAuth Providers and inputting your Client ID
and Secret
for each.
To fetch these you need to:
- Generate
Client ID
andSecret
(google, github, gitlab, bitbucket) - Enter Authorized Redirect URI:
https://<your-project>.supabase.co/auth/v1/callback
on provider dashboard
Row Level Security
Authentication only gets you so far. When you need granular authorization rules, nothing beats PostgreSQL's Row Level Security. Supabase makes it simple to turn RLS on and off.
Policies
Policies are PostgreSQL's rule engine. They are incredibly powerful and flexible, allowing you to write complex SQL rules which fit your unique business needs.
With policies, your database becomes the rules engine. Instead of repetitively filtering your queries, like this ...
... you can simply define a rule on your database table, auth.uid() = user_id
, and your request will return the rows which pass the rule, even when you remove the filter from your middleware:
Policies are like where clauses.
Policies are easy to understand once you get the hang of them. You can just think of them as adding a WHERE
clause to every query. For example if you had a policy like this:
It would translate to this whenever a user tries to select from the todos table:
How it works
- A user signs up. Supabase creates a new user in the
auth.users
table. - Supabase returns a new JWT, which contains the user's
UUID
. - Every request to your database also sends the JWT.
- Postgres inspects the JWT to determine the user making the request.
- The user's UID can be used in Policies to restrict access to rows.
Supabase provides a special function in Postgres, auth.uid()
, which extracts the user's UID from the JWT. This is especially useful when creating Policies.
Policy Examples
Here are some examples to show you the power of PostgreSQL's Row Level Security. Each policy is attached to a table, and the policy is executed every time a the table is accessed.
Allow read access
- Creates a table called
profiles
in the public schema (default schema) - Enables Row Level Security
- Creates a Policy which allows all
select
queries to run.
Restrict updates
- Creates a table called
profiles
in the public schema (default schema) - Enables Row Level Security
- Creates a Policy which allows logged in users to update their own data.
Policies with joins
Policies can even include table joins. This example shows how you can query "external" tables to build more advanced rules.
Policies with security definer functions
Policies can also make use of security definer functions
, this is useful in a many-to-many relationship where you want to restrict access to the linking table. Following the teams
and members
example from above this example shows how you can use security definer function in combination with a policy to control access to the members
table.
Verifying email domains
Postgres has a function right(string, n)
that returns the rightmost n characters of a string.
You could use this to match staff member's email domains.
Advanced Policies
Use the full power of SQL to build extremely advanced rules.
In this example we will create a posts
and comments
database and then create a policy that depends on another policy.
(In this case the comments policy depends on the posts policy.)
Tips
You don't have to use Policies
You can also put your authorization rules in your middleware,
similar to how you would create security rules with any other backend <-> middleware <-> frontend
architecture.
Policies are a tool. In the case of "serverless/Jamstack" setups, they are especially effective because you don't have to deploy any middleware at all.
However if you want to use another Authorization method for your applications, that's also fine. Supabase is "just Postgres", so if your application works with Postgres, then it also works with Supabase.
Tip: make sure to enable Row Level Security for all your tables, so that your tables are inaccessible. Then use the "Service" which we provide. "Service" are designed to bypass RLS.
Check authentication settings on Supabase
Navigate to Authentication > Settings on app.supabase.io, and you'll be able to change settings for things like:
- SITE URL, which is used for determining where to redirect users after they confirm their email addresses or attempt to use a magic link to log in.
- Disabling email confirmations
- Enabling external OAuth providers, such as Google and GitHub
Never use a service key on the client.
Supabase provides special "Service" keys, which can be used to bypass all Row Level Security. These should never be used in the browser or exposed to customers, but they are useful for administrative tasks.
public.users
table.
Create a Even though Supabase provides an auth.users
table, it is helpful to also create a users table in the public
schema, which uses the same UID Primary Key as the auth.users
.
For security purposes, the auth
schema is not exposed on the auto-generated API. Creating a public.users
table allows you to interact via the Supabase client -
especially useful for cross-table queries.
Pro tip: if you want to add a row to your public.users
table every time a user signs up, you can use triggers. For example:
Disable realtime for private tables
Our realtime server doesn't provide per-user security. Until we build a more robust auth system for websockets, you can disable realtime functionality for any private tables. To do this, you can manage the underlying Postgres replication publication:
We are aiming to deliver enhanced realtime security by Q1 2021.
Next steps
- Read more about Row Level Security
- Sign in: app.supabase.io