Posted by skilldeliver 1 day ago

Your Supabase is public if you turn off RLS (skilldeliver.com)
111 points | 64 comments
mediaman 1 day ago|
I don't understand this. In supabase, the default is to turn on RLS for new tables. If you turn it on and have no policy set, no user can fetch anything from the table.

You have to explicitly create a read-all policy for anon keys, and with no constraints, for people to get access to it.

The default is secure.

If you turn off RLS, there are warnings everywhere that the table is unsecured.

The author goes on to compare this with PocketBase, which he says you "have to go out of your way" to make insecure. You have to go out of your way with Supabase, as well!

I wonder if the author tested this? I do agree that some third party website builders who use supabase on the back end could have created insecure defaults, but that's not supabase's fault.

dang 1 day ago||
Ok, we've added "if you turn off RLS" to make the title less misleading. It's still too baity a title for HN, but at least less egregious.

Submitters: baity and misleading titles are against the site guidelines, so please don't post them here.

https://news.ycombinator.com/newsguidelines.html

SOLAR_FIELDS 1 day ago||
The situation is more nuanced than your comment implies, and a lot of this is due to direct product decisions from the Supabase team themselves: https://github.com/orgs/supabase/discussions/4547

The tldr is that Supabase makes this less secure by default because Security is Hard and they don’t want to scare off new users

blackoil 1 day ago|||
More likely reason is that Supabase is a BaaS. Between client and DB there is no backend for secret management. So RLS is the only way to directly create API on the DB.
doctorpangloss 1 day ago|||
I’m not sure anyone’s scared off by this. It’s more that it’s more intuitive to declare your user queries (like Meteor did or how GraphQL works) than to reason about RLS.
SOLAR_FIELDS 1 day ago||
It’s not about being scared off, I’m simply challenging the notion that Supabase is secure by default. It depends on your definition of secure, since everyone has a different threat model, but the above thread demonstrates that probably a good chunk of people would say No, it’s not actually secure by default. Being scared off would be probably the best possible outcome over the current situation which is “we don’t really have a good story to tell about whether this is secure or not”.

The fact that it takes a whole thread of conversation to even unwrap whether the default approach they took is good enough is a strong signal to me that it isn’t, because that level of complexity in the implementation often implies a model with a large enough attack surface with weaknesses that can be exploited without too much effort.

Raed667 1 day ago||
> I think what's happening is people are creating additional public users tables and not setting proper RLS for them

Yep: https://supabase.com/docs/guides/auth/managing-user-data

> For security, the Auth schema is not exposed in the auto-generated API. If you want to access users data via the API, you can create your own user tables in the public schema.

giogio 1 day ago||
My experience with supabase is it does actually warn you constantly if you don't set up RLS
dmix 1 day ago||
People are using LLMs to generate apps and it's easy for non-technical people to miss this stuff. The blog post mentions https://lovable.dev/ becoming a $300M company, which uses Supabase by default and basically generates React SPAs with no true backend. But random people won't understand this distinction and will want to create full real apps. Doing this serverless is tricky and requires a lot of careful thought to do right.

Lovable is not going to tell them to use a proper auth service or fully secure their data. One Lovable project I looked at had generated an entire custom JS Markdown parser instead of using react-markdown, for example.

zamadatix 1 day ago|||
> The blog post mentions https://lovable.dev/ becoming a $300B company

I had to double take back to the article after reading this - it actually said $330M (raised at $6.6B valuation). AI investment has been crazy enough I would have actually believed it though!

dmix 1 day ago||
Fixed, thanks
satvikpendem 1 day ago||
I don't think you did fix it, you say "becoming a $300M company" but it's actually a $6.6B company, for which we'd be looking at valuation not amount raised.
iamsaitam 2 hours ago||||
Why should we care about what non-technical people do wrong in a technical domain?
vrosas 1 day ago||||
I asked claude to build a system that involved parsing some dates and addresses and rather than using a library it wrote hundreds of lines of regexes and term lists ('st', 'street', 'dr', 'drive', 'ave', etc) to match every test case I gave it. Lesson learned.
DANmode 1 day ago||
What was the lesson,

to ask it to use a library,

if that’s what you intend for your codebase?

Assume LLMs and AI products are a rockstar junior dev until proven otherwise. Act accordingly!

_puk 1 day ago||||
Both the free and paid tiers of lovable don't charge for security fixes, and before you can publish it requests you run security audits.

I've found doing this, and regularly asking "did you just make my system massively insecure", helps keep it on its toes.

That said, I've seen a few "look what I just made.." that caused a double take.

jeroenhd 1 day ago||||
LLMs can and often do turn any technology into an insecure heap of shit. I don't see how that's relevant to Supabase specifically.
cess11 1 day ago|||
Now, "non-technical people" should not ever by themselves put anything on the Internet that handles things like names and passwords.

It's bad that some folks want to make money on such people doing it anyway, which means they're not very nice and should get help to correct their ways.

x0x0 1 day ago|||
My experience is watching a colleague use lovable which will mostly ignore security. Sure, if you prompt it the system will do something which seems correct, but it will also happily undo that as well.

E.g. I was trying to help her set up a webhook listener, and it undid our efforts.

These tools seem incapable of building software in the hands of users who don't understand security already.

embedding-shape 1 day ago||
> These tools seem incapable of building software in the hands of users who don't understand security already.

These tools are for augmentation of skills, not for wholesale "imma a programmer now", which a lot of people seem to think. And to be honest, lots of companies are selling that "experience" too, even though they know it isn't true, a bit shit.

x0x0 1 day ago||
It's definitely pushed as not needing an engineer.

My colleague now understands why unit tests, after watching subsequent development regularly break previous work. Lovable doesn't support them. And I don't want to touch this codebase because I don't want to own it.

bitbasher 1 day ago||
You assume people read. :)
anxman 1 day ago||
Supabase doesn’t make a public users table by default. The user schema is in auth and secured. The problem is that unskilled developers bypass those controls out of convenience and put data into Public without RLS. Even the Supabase docs warn against this.
skilldeliver 1 day ago||
The point is: why do they even have to make a new users table? Something is driving them in this direction, and as a counterexample you have Pocketbase where you don't have to.
MoonWalk 1 day ago||
To store application-specific data about users. The Supabase doc or examples show this. Where else would you put such data?

But what the docs don't cover is the provided Users table. Missing documentation is why I gave up on Supabase; and the Users table was one of the first problems I encountered. I could find no details on what to expect in each column at any given time.

Upon creating a new user, values get set in this table for no apparent reason. So if your application depends on knowing the verification status of a new user (for example), good luck... Supabase claimed every user was verified upon creation.

anxman 1 day ago|||
https://supabase.com/docs/guides/auth/auth-hooks

These have gotten much less annoying to use now that it’s controlled through the config.toml.

anxman 1 day ago||||
The auth schema is intentionally not exposed to the rest api for security reasons. You need to use an auth hook to put data where you need, or an RPC with appropriate privileges, and of course RLS on any tables.
fakedang 1 day ago|||
I finally resorted to using Supabase as a Postgres database for Django. In that role, it has worked very nicely.
stephenlf 1 day ago||
After seeing the responses, I believe that this is more evidence of the fact that Supabase is easy to work with (and thus attracts people who have NO IDEA what they’re doing), and less an issue with Supabase security.
SOLAR_FIELDS 1 day ago|
It’s even worse than No Idea what you are Doing. One can, as has been alluded to in other comments, be a completely naive rube who is using Supabase under the hood with v0 or Lovable and not have any idea that you’re even using it or that it exists at all.
jscheel 1 day ago||
The problem is that people just really do not comprehend what the "public" schema means in supabase. My guess is that they think it means "default" or something along those lines. If you read the supabase documentation, you can clearly see that it says "your database's auto-generated Data API exposes the public schema by default", but to truly understand that, you need to understand what the data api is and how it relies on rls. For people first coming to supabase, they are probably either new devs, or they think of the db as a backend service that has application-layer authentication in front of it.
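As an added illustration of what mediaman's comment (RLS on with no policy means no rows for the API roles; a read-all policy for anon is what opens a table up) and jscheel's comment (the Data API exposes the public schema by default) are describing, here is the sequence in Postgres SQL as Supabase runs it. This is not code from the thread, from skilldeliver's post, or from Supabase's own docs; the `profiles` table and its columns are constructed for the example, while `anon`, `authenticated` and `auth.uid()` are Supabase's standard API roles and JWT helper.

```sql
-- Constructed example table in the public schema, which Supabase's
-- auto-generated Data API exposes by default (table name and columns are
-- assumptions for this example).
create table public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  email        text,
  is_verified  boolean not null default false
);

-- With RLS enabled and no policies, the anon and authenticated API roles
-- get zero rows back. The dashboard does this for new tables; a table
-- created with raw SQL needs this statement explicitly.
alter table public.profiles enable row level security;

-- The weak setting the thread discusses: a read-all policy for anon hands
-- every row (including email) to anyone holding the public anon key.
-- Shown commented out; do not apply this to a table holding user data.
-- create policy "read all" on public.profiles
--   for select to anon using (true);

-- The corrected setting: each signed-in user can read and update only the
-- row whose id matches the subject of their JWT.
create policy "read own profile" on public.profiles
  for select to authenticated
  using (auth.uid() = id);

create policy "update own profile" on public.profiles
  for update to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Turning RLS off (the submission title's case) makes every row readable
-- through the API again regardless of the policies above:
-- alter table public.profiles disable row level security;

-- Check 1: tables in the exposed public schema with RLS switched off.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Check 2: tables with RLS on but no policy at all (locked, which is safe,
-- but usually a sign someone forgot to finish the setup).
select t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public' and t.rowsecurity and p.policyname is null;
```

Both checks read the standard Postgres catalog views, so they can be run from the SQL editor or any psql session against the project database; an empty result from Check 1 is the state mediaman describes as the secure default.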
christophilus 1 day ago||
Interesting. That would have surprised me if I was a supabase user. I’m used to tossing everything into the public Postgres schema simply because it’s the default schema, and for many small apps, that’s all you need. Supabase should really rethink publicly exposing the default schema without explicit consent from the developer.
jscheel 17 hours ago||
They do a lot more nowadays to make it clear to the user what is happening, but it still feels unnatural to me.
EGreg 1 day ago||
That is why in https://github.com/Qbix/Streams the default for all streams is PRIVATE. And people can choose what to open up explicitly. We support access templates, mutable access, and inheritance, roles, even participant roles and custom permissions. But the default is private, and all that is machinery on top of it.

Read this for a high level overview useful for HN: https://community.qbix.com/t/streams-plugin-access-control/2...

k4rli 1 day ago||
Supabase is great if the goal is insecure, incredibly slow postgres. Self-hosting it is also painful with ~10 separate containers, while supabase's own offering has downtimes that won't appear on their status page.

Only thing it actually makes easier is auth. Other stuff just becomes harder to maintain. A simple springboot Java app, especially with basic boilerplate implemented with llm help, will last a long time, be cheap+simple to host, easily extensible.

awitt 1 day ago||
Related to this, I've been wondering how much we should actually be depending on RLS for. There are known timing attacks against it [1].

[1] https://www.cs.tau.ac.il/~mad/publications/sigmod2023-rls.pd...

bArray 1 day ago|
> Of course when a friend sends me their new project my natural tendency is to try hack it.

Yep. Probably the most relatable tech friend thing to do. I send my projects to friends and get a list of improvement suggestions, it's always fun!
