Supabase Row Level Security (RLS)

Enable RLS on Table

-- Always enable RLS ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

Common Policy Patterns

User Can Only See Own Data

CREATE POLICY "Users view own data" ON projects FOR SELECT TO authenticated USING (auth.uid() = user_id);

User Can Insert Own Data

CREATE POLICY "Users insert own data" ON projects FOR INSERT TO authenticated WITH CHECK (auth.uid() = user_id);

User Can Update Own Data

CREATE POLICY "Users update own data" ON projects FOR UPDATE TO authenticated USING (auth.uid() = user_id) WITH CHECK (auth.uid() = user_id);

User Can Delete Own Data

CREATE POLICY "Users delete own data" ON projects FOR DELETE TO authenticated USING (auth.uid() = user_id);

Multi-Tenant Patterns

Team-Based Access

-- Users can see projects in their teams CREATE POLICY "Team members view projects" ON projects FOR SELECT TO authenticated USING ( team_id IN ( SELECT team_id FROM team_members WHERE user_id = auth.uid() ) );

Role-Based Access

-- Check user role for admin access CREATE POLICY "Admins can do everything" ON projects FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM user_roles WHERE user_id = auth.uid() AND role = 'admin' ) );

Service Role Bypass

For server-side operations that need to bypass RLS:

import { createClient } from '@supabase/supabase-js';

// This bypasses RLS - use carefully! const supabaseAdmin = createClient( process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!, // Not ANON key! { auth: { persistSession: false } } );

Testing Policies

-- Test as specific user SET request.jwt.claim.sub = 'user-uuid-here';

-- Run query and check results SELECT * FROM projects;

-- Reset RESET request.jwt.claim.sub;

Security Checklist

• RLS enabled on all tables with user data

• Service role key only on server, never client

• Policies cover all operations (SELECT, INSERT, UPDATE, DELETE)

• No policies use functions that could be exploited

• Test policies with different user roles