Here’s a link that might help answer your question: Supabase Docs > Hardening the Data API. I believe combining Edge Functions, Row-Level Security (RLS), and the insights from this guide can significantly improve your security setup. If you have any further questions, I’d be happy to answer them, even though my knowledge may not be perfect. I’m continually learning as I help others.
TL;DR: How can I manage custom API routes in Supabase, ensuring flexibility for different user roles without exposing auto-generated endpoints?
Hi Supabase Community,
I’m considering using Supabase for an API-first backend and am facing challenges with managing custom API routes tailored to different user roles. The core issue is how to effectively segregate API routes for different types of users (admins, authenticated users, anonymous users) while maintaining flexibility and clean route structures.
Example Scenario:
Let’s say I’m building an education system with a `lessons` table. I want to expose the lessons data through different API routes depending on the user’s role:
- domain.com/api/v1/cms/lessons, with full CRUD capabilities.
- domain.com/api/v1/lessons.
- domain.com/api/v1/my/lessons.

What I've Considered:
To prevent exposing auto-generated endpoints for tables, views, and functions, I’m using the PostgREST schema isolation strategy to separate my `public` schema from my `api` schema. This allows me to isolate the tables from being directly exposed. However, even with this approach, views and functions still get exposed with less-than-ideal route naming conventions such as domain.com/rest/v1/admin_lessons or domain.com/rpc/add_lesson.

I’ve looked into using API gateways to manage custom routing and enhance security. However, using an API gateway adds a layer of complexity, making the product less maintainable. It requires constantly keeping track of the endpoints exposed by PostgREST and ensuring they align with the custom routes defined on the API gateway side.
I’m wondering if using an API gateway is the only path forward or if there are other best practices within Supabase to achieve clean, well-structured API routes tailored to different user roles.
Thanks for your insights!
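The following is an added example, not code from this thread or from Supabase, of the schema-isolation plus RLS setup that the question and the reply refer to. The point it makes is that the auto-generated `/rest/v1/...` routes can be left reachable as long as grants and RLS, not the route name, decide who gets which rows; an Edge Function or gateway that presents `/api/v1/cms/lessons` or `/api/v1/my/lessons` then only renames paths and never has to be the trust boundary. It assumes a Supabase project where `public` has been removed from the exposed schemas and only `api` is exposed (Dashboard > Settings > API), and a hypothetical `is_admin` flag stored in the JWT's `app_metadata` (which, unlike `user_metadata`, users cannot set through the client SDK).

```sql
-- Added example, not from the thread. Assumes: only schema `api` is exposed
-- to PostgREST; `public` is hidden; admins carry a hypothetical
-- app_metadata.is_admin = true claim in their JWT.

-- 1. Tables live in the hidden `public` schema, so they get no REST route.
create table if not exists public.lessons (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  title      text not null,
  body       text not null,
  published  boolean not null default false,
  created_at timestamptz not null default now()
);

alter table public.lessons enable row level security;

-- Admin check read from the JWT. Kept in the hidden schema so it is not
-- served at /rpc/is_admin.
create or replace function public.is_admin()
returns boolean
language sql
stable
as $$
  select coalesce((auth.jwt() -> 'app_metadata' ->> 'is_admin')::boolean, false);
$$;

-- 2. Policies are the real authorization boundary. Policies for the same
-- command are OR'd, so a non-admin sees published rows plus their own.
create policy "anyone reads published lessons"
  on public.lessons for select
  to anon, authenticated
  using (published);

create policy "owners read their own lessons"
  on public.lessons for select
  to authenticated
  using (owner_id = auth.uid());

create policy "admins have full access"
  on public.lessons for all
  to authenticated
  using (public.is_admin())
  with check (public.is_admin());

-- 3. The exposed surface. security_invoker runs the view as the caller, so
-- RLS on public.lessons applies to every row the view returns or writes.
create schema if not exists api;

create view api.lessons
  with (security_invoker = true) as
  select id, title, body, created_at
  from public.lessons
  where published;

create view api.my_lessons
  with (security_invoker = true) as
  select id, title, body, published, created_at
  from public.lessons
  where owner_id = auth.uid();

create view api.cms_lessons
  with (security_invoker = true) as
  select * from public.lessons;

-- 4. Grants decide which role can reach which endpoint at all. The invoker
-- also needs privileges on the underlying table (Supabase's default
-- privileges on `public` usually already grant these).
grant usage on schema public to anon, authenticated;
grant select on public.lessons to anon, authenticated;
grant insert, update, delete on public.lessons to authenticated;

grant usage on schema api to anon, authenticated;
grant select on api.lessons to anon, authenticated;
grant select on api.my_lessons to authenticated;
grant select, insert, update, delete on api.cms_lessons to authenticated;
```

With this in place, `/rest/v1/cms_lessons` still exists with the naming the question complains about, but the anon key is refused by the grants, a non-admin user token reads only rows it could already see through `api.lessons` or `api.my_lessons`, and every non-admin write is rejected by the `with check` clause. A quick check after deploying is to call `/rest/v1/cms_lessons` once with the anon key (expect a permission error), once with a non-admin user's token (expect no rows that are neither published nor owned, and a failed insert), and once with an admin token (expect full CRUD). Whatever Edge Function maps `/api/v1/cms/lessons` onto that view is then a naming layer that can be changed freely without weakening access control.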