How to Secure Your Supabase Database and Storage

Safeguarding Your Data by Proactive Measures

·

7 min read

How to Secure Your Supabase Database and Storage

Exciting News! Our blog has a new home! 🚀

Introduction

In the era of data breaches and cybersecurity threats, safeguarding sensitive information is paramount for businesses and developers.

With the rise of cloud-based databases and storage solutions, such as Supabase, Firebase, AWS, or Google Cloud Firestore ensuring the security of your data is more critical than ever.

Supabase is an open-source platform that provides developers with a set of tools to build scalable and secure web applications.

Leveraging PostgreSQL as its database engine and integrating with popular authentication providers like Auth0 and Firebase, Supabase offers a comprehensive solution for managing data and user access in modern web applications.

In this blog post, we’ll explore the best practices and strategies for securing your Supabase Database and Storage, helping you mitigate risks, and protecting your valuable data assets.

Database Security

A robust database security strategy is essential for protecting your data from unauthorized access, manipulation, or theft. Here are the step-by-step implementations to consider.

Create a table with the required fields

In Supabase, creating a table is straightforward. we can do this through the SQL editor provided in the Supabase dashboard.

Navigate to the SQL editor and execute a CREATE TABLE statement to define the structure of your "users" table. For example,

create table users (
  id bigint primary key generated always as identity,
  auth_uid text not null, // optional - to store auth user id from supabase.auth
  name text not null,
  email text not null,
  created_at timestamp with time zone default current_timestamp
);

In this definition, auth_uid field is optional. It will required if we want to grant access to all the supabase authenticated users. We’ll see later how it works.

Also, we can create it by using the Supabase table editor like,

Create a table using the Supabase table editor

Customize the fields based on your application’s requirements. In this example, we have fields for user ID, name, email, and creation timestamp.

Create a user for authentication

The auth methods can be accessed via the supabase.auth namespace.

When we use supabase.auth to handle authentication in your application, it interacts directly with the Supabase authentication system.

This means that when a user signs up using your application's authentication flow (powered by supabase.auth), Supabase automatically creates a corresponding user record in the authentication system.

const { data, error } = await supabase.auth.signUp({
  email: 'example@email.com',
  password: 'example-password',
})

However, there might be scenarios where we need to manually create user records, such as during development or for administrative purposes.

In such cases, we can add users directly from the Supabase dashboard using the following steps:

1. Navigate to the Authentication tab in your Supabase dashboard.

2. Under the Users section, we can manually create a user by clicking the Add user — Create new user button.

Create a user for authentication

3. Fill in the required user details such as email and password to create a new user account.

This step simulates the creation of a user account in your application, allowing us to test authentication and access control policies.

Create policies for the users table

In the Supabase dashboard, navigate to the Policies section from the Authentication tab.

Here, you’ll find a list of tables in your database schema. Locate the “users” table that we created earlier.

Create policies for user's table

To create a policy for records from the “users” table, click on the “Add new policy” button.

This will open a dialogue box where we can specify the details of the new policy.

— Select record policy

In the dialogue box, you’ll see a list of available policy templates.

Click on the first template labeled “Select” to create a select record policy.

Add select record policy for the user's table

The policy name and required settings will be automatically populated based on the selected template. Review the settings to ensure they align with your requirements. We can customize the policy further if needed.

After configuring the policy settings, click on the “Save policy” button to save your changes.

— Insert record policy

Now, let’s walk through the process of setting up an insert record policy for the “users” table.

In the dialogue box, click on the template labeled “Insert” to create an insert record policy.

Add insert record policy for user's table

The policy name and required settings will be automatically populated based on the selected template. Review the settings to ensure they align with your requirements. We can customize the policy further if needed.

After configuring the policy settings, click on the “Save policy” button to save your changes.

— Update record policy

Now, let’s outline the steps for implementing an update record policy for the “users” table, taking into account different scenarios:

— — — — — — — Granting access to all Supabase auth users — — — — —

For all supabase auth users, setting up an update record policy is straightforward.

1. In the “Add new policy” dialogue box, select the template for updating records.

2. In the policy configuration, set the Target Roles to “Authenticated”.

Add update record policy for all Supabase auth users

This allows any authenticated user, regardless of their specific role, to update the user record in the “users” table.

3. Save the policy to apply the update record restrictions for the “users” table.

— — — — — Granting access to the specific Supabase auth user — — — —

For the specific Supabase auth user, the process is slightly different.

The first and second points are the same as above described for all Supabase auth users.

Now, you’ll need to identify them based on unique identifiers such as their email address.

3. Set the appropriate conditions in the policy configuration to match the email address of the specific user attempting to update their record.

Add update record policy for specific auth user

This allows only specified authenticated users, regardless of their specific role, to update the user record in the “users” table.

4. Save the policy to apply the update record restrictions for the “users” table.

Delete record policy

Now, let’s detail the steps for implementing a delete record policy for the “users” table, using the user’s ID:

— — — — — — — Granting access to all Supabase auth users — — — — —

For all supabase auth users, configuring a delete record policy follows a similar process as before.

1. In the “Add new policy” dialogue box, select the template for deleting records.

2. In the policy configuration, set the Target Roles to “Authenticated”.

Add delete record policy for all supabase auth users

This allows any authenticated user, regardless of their specific role, to delete a user record in the “users” table.

3. Save the policy to apply the delete record restrictions for the “users” table.

— — — — — Granting access to the specific Supabase auth user — — —

For the specific Supabase auth user, adjust the policy to use the user’s ID:

The first and second points are the same as above described for all Supabase auth users.

Now, for the specific user, you’ll need to identify them based on their user ID.

3. Set the appropriate conditions in the policy configuration to match the user ID of the user attempting to delete their record.

Add delete record policy for specific auth user

This allows only specified authenticated users, regardless of their specific role, to delete the user record in the “users” table.

4. Save the policy to apply the delete record restrictions for the “users” table.

Now, we can see we have Select, Insert, Update, and Delete policies for the “users” table. We can edit or delete it if we find any issues with it.

All the policies to access the records of the “users” table

Awesome!!👌Now, our database is secured.

Customize the policy settings as needed, specifying which roles or users have permission to perform the operations on the “users” table.

In addition to database security, securing data stored in cloud storage is equally important.

This post only has implementation of Supabase Database to read the complete guide including securing data storage , please visit our full blog at Canopas.

I encourage you to share your thoughts in the comments section below.

Your input not only enriches our content but also fuels our motivation to create more valuable and informative articles for you.

Follow Canopas to get updates on interesting articles!

Did you find this article valuable?

Support Canopas's blog by becoming a sponsor. Any amount is appreciated!