Your Supabase is public if you turn off RLS

Posted by skilldeliver 1 day ago

Your Supabase is public if you turn off RLS(skilldeliver.com)

111 points | 64 commentspage 2

pranavm27 1 day ago|

Isn't Supabase anon key actually a publishable one? What's voila about finding it. RLS disabled is a more of a voila here.

koakuma-chan 1 day ago||

Guys, please, stop using all these Vercel-likes. It won't do you any good. There was an excellent article on self hosting PostgreSQL the other day.

https://pierce.dev/notes/go-ahead-self-host-postgres#user-co...

brikym 1 day ago||

It can go wrong. I had a horrible experience with StackGres. I read a lot of positive things about CloudNativePG though. I can see where people with startups are coming from not wanting to manage database plumbing so they can focus on real business tasks. I think that's fine as long as there is a path to self-host after some growth. I might do some event-sourcing myself so that databases are effectively materialized views easy to add and remove.

ahachete 1 day ago|||

Hi, StackGres founder here.

We're constantly striving to improve the user experience and the quality of StackGres. Would you mind sharing some feedback as to what made your experience not good with it?

Did you join the Slack Community (https://slack.stackgres.io/) to ask if you were facing some trouble? It always helps, even if it is just by sharing your troubles.

(If you'd like to share feedback and do so privately, please DM on the Slack Community)

Your feedback will be much appreciated.

brikym 1 day ago||

I did try slack. Maybe the problem is it was launched much too early. A certificate expiry issue caught me out because there wasn't an automatic process on this version to roll them over. Ironically a single database instance would have been much much more stable. I upgraded but this didn't bring up the database, restoring through the portal failed, so I had to create a new PG cluster to get my site up and I never ended up recovering the data as the process was very tedious involving PVCs rather than just pointing to my bucket. The ratio of open to closed issues on the repo is much worse than CNPG so I would simply start there.

ahachete 1 day ago||

Thank you for your feedback. I'm trying to extract possible improvement actions from your comment, and here are my thoughts.

That certificate expiry issue was unfortunate, but was resolved (if I'm not mistaken) a couple of years ago.

StackGres is just a control plane, your database is as stable as a standalone one. StackGres itself may fail and it won't affect your database, it's not on the data plane. Indeed, it has a feature to "pause it" if you need to perform some manual operations (otherwise everything is automated).

There are procedures to reconstruct a database from PVC. It's arguably tedious, but should be much simpler than running a Postgres pod without the help of an operator like StackGres.

As for the ratio of issues: most of the issues that we get are feature and/or extensions requests, and certainly we can't tackle them all. Most, if not all, outstanding issues are addressed within a reasonable time frame. Is there any particular issue that would itch you that is open? I'd be happy to personally review it. Yet, there are as of today more than 2K closed issues, I won't call that a small number.

I'd also weight the importance of issues, like the split brain that CNPG suffers [1] and that apparently won't even be solved. StackGres relies instead on the trusted and reputed Patroni, which is known NOT to risk split brains that could lead to severe data loss.

[1]: https://github.com/cloudnative-pg/cloudnative-pg/discussions...

koakuma-chan 1 day ago|||

I think people with startups just don't care. I had an interview with a startup the other day, and the interviewer said they were considering using v0 for their front-end. I really want to be wrong here, but so far it feels like all those startups are there to just take VC money for themselves and die.

wahnfrieden 1 day ago||

That article is good if you don't care about uptime or incident recovery time.

Yugabyte is the best open source postgres for HA.

cess11 1 day ago||

Once you have reason to care about that, then you should also be able to afford to hire people that can sort it out for you.

wahnfrieden 1 day ago||

Not really. Maybe for consumer. But there are many kinds of b2b infrastructure businesses that I can build and launch myself where I wouldn't want to expose myself to risk of day-long outages (for either reputational or as competitive disadvantage of having no HA story), such as anything to do with payment gateways, API gateways, AI proxies or other AI infrastructure - anything where client services would experience critical outages if your service goes down... Lots of these businesses are started without VC investment or big money from day 1.

Luckily now with solutions like Yugabyte, we can achieve enterprise-grade HA without high cost or high maintenance complexity.

cess11 1 day ago||

I'm not familiar with their products but it seems they had a four hour incident a few months ago:

https://status.yugabyte.cloud/history

You should not run a payment gateway on an inexperienced team. Start with something with lesser risk and then introduce the team to things like load balancers, keepalived, clustering and so on over time.

An hour of downtime is a lot once HA is something to invest in, and the first thing you need to do when there's an incident is to tell your customers what you're doing about it and the second thing they want to know is whether it will happen again. Since I don't know how Yugabyte works I'm not sure about the degree of lock-in, but preferably you should have an incident process where you at minute ten or so of downtime boot load balancing with a customer facing message at another infra provider and update DNS records, then start to rebuild the system there in parallel with the main incident response.

int0x29 1 day ago||

Firebase seems to suffer a similar problem of people not setting permissions right. The only major difference is that they seem to steer devs pretty aggressively to Google auth which won't leak password hashes.

While in theory your API can be the database it seems like a footgun for the inexperienced and AI.

veeti 1 day ago||

AWS also had to add some serious warnings into S3 console to stop people from blowing their foot off with public buckets.

tonyhart7 1 day ago||

to be fair, Auth and access control is just "hard" problem in general tbh

we have so many data breach because they lack "common basic" security best practices, we aren't talking about state level hacker here

just public bucket storage and so on

dangoodmanUT 1 day ago||

One thing I find about these "all in one" platforms is that they tend to lure people into a sense of "wow this is easy to use" such that they forget to check security, assuming it's covered.

This is one reason why Firebase was such a gold-mine for security researchers: everyone just forgot about security when they forgot about their backend.

teaearlgraycold 1 day ago|

Any time I see a product like Firebase that rolls auth and other major features into a database I roll my eyes.

SOLAR_FIELDS 1 day ago|||

Are you saying that because you fundamentally just don’t believe the db is a good place for auth, or because these low-code frameworks tend to roll it in and as such you see a lot of low quality implementations of auth from these systems simply because using them is within reach of someone who has no idea what they are doing?

To me it’s important to make this disambiguation. One take says that auth in db itself is a problem. The other take says “auth in db is a symptom of low code garbage”

vrosas 1 day ago|||

FWIW firebase auth and firebase DB are two separate things, and you can use them completely separately. However "Firebase" is a PaaS so I see how it gets confusing.

SOLAR_FIELDS 1 day ago||

Fair call out but if I am a firebase customer, as I have been in the past but less frequently so, I treat them as a singular entity. In other words, there’s no situation I would use firebase and not use its auth, because the reason I might use firebase is Because Of the auth, not In Spite Of. There’s no world for me where firebase is the preferred option that doesn’t use auth, the integration like that is literally the only reason I would ever consider ClosedSourceOwnedByGoogle over alternatives

teaearlgraycold 1 day ago|||

I like to separate concerns. Unix philosophy and all that. That was the primary concern on my mind when writing my comment above.

I think the feature is there not necessarily because it’s the best technical idea but instead because of its ability to pull in less educated developers. That makes sense financially because there are fewer people out there with a higher degree of expertise. But from my perspective it shows that it’s not meant for me.

dangoodmanUT 1 day ago|||

Convex has been quite good so far

devmor 1 day ago||

> I'm not going to blame the vibe-coding wave entirely.

As one vibe-coding's most fervent critics, I don't blame it at all. Amateur devs have been doing this for a decade and change with Firebase and other hosted datastores.

I got one of my first small jobs as a contractor because of an Android app doing this back in 2012!

dmillar 1 day ago||

- Enable RLS

and/or

- Turn off the REST API (if you just use pg connections)

- Disable the JWT/anon token(s)

PierceJoy 1 day ago||

I find that supabase is pretty good at warning you about these things in their project specific security advisories, but obviously you need to actually pay attention to them and then take action.

tonyhart7 1 day ago||

if your product targeting "dummy user" they should make it dummy foolproof

ErroneousBosh 1 day ago||

So like MongoDB twenty-odd years ago?

fakedang 1 day ago|

So, turn it on? You'll get rid of the constant warnings on Supabase too.

I mean, Supabase strongly emphasizes using RLS in every part of the dashboard. They literally advise you everywhere not to expose the database data anywhere client side.

More comments...