Role-based Access Control (RBAC) User Authorization in Next.js

  • Published on 3 Jan 2025

Comments • 40

  • @Supabase
    @Supabase 10 months ago +5

    Thanks for tuning in! Make sure to check out the docs: supabase.com/docs/guides/auth/custom-claims-and-role-based-access-control-rbac?
    And you can find the code on GitHub: github.com/supabase/supabase/tree/master/examples/slack-clone/nextjs-slack-clone

  • @carlosricardoziegler2650
    @carlosricardoziegler2650 10 months ago +9

    What is a good approach to change claims for a user and get the changes in realtime?

  • @proletarium
    @proletarium 10 months ago +2

    Small tangent, perhaps, but what was the approach to determine which channels were available to delete for the moderator role in the UI? The trash icon existed for just the one available to delete. Presumably that's using the same rules as RLS for the delete, but are those rules duplicated into a function your UI is using?

  • @SsaliJonathan
    @SsaliJonathan 3 months ago +3

    Let us all be real. This approach is the hardest. I followed the docs, and there is nothing.

  • @hago7568
    @hago7568 7 months ago +2

    Is there an update for the app router? I am trying to do this in the middleware but can't get it to work

  • @skillsvsdegree6139
    @skillsvsdegree6139 10 months ago +3

    Perfect timing for me, this is what I need for my website now.
    Do you have videos of how you developed the chat app that you showed in the video?
    Thank you

    • @thorwebdev
      @thorwebdev 10 months ago +1

      You mean a video of live coding the entire Slack clone?

    • @skillsvsdegree6139
      @skillsvsdegree6139 10 months ago

      @thorwebdev Yes. I saw their happy hours video stream a few months ago and it made me start my own website. Now I have launched it, but it's a bit old. Is there an entire Slack clone video like that? Can you give the link if it is there?

    • @skillsvsdegree6139
      @skillsvsdegree6139 10 months ago

      Oh, I didn't notice it's you, Thor, you were in that stream, right? I think you came in only one video :) They were joking about Hammer. It was such a wonderful stream, it made me start my own website and I started to learn React, and now my website is live, but it needs soooo many improvements. Love you guys. Thanks Thor

  • @nikitastriuk
    @nikitastriuk 10 months ago +3

    Thanks!
    What if a user could be part of multiple organizations and have different roles within them? Struggling with implementing this; will appreciate any advice.

    • @syedfaysel
      @syedfaysel 9 months ago

      I have a similar query. Let me know if anyone has any good idea.

    • @johngn1978
      @johngn1978 7 months ago

      Same problem here, did you find any solution?

    • @haraldlons
      @haraldlons 7 months ago

      I'm wondering about the same

    • @alexizhernandez8011
      @alexizhernandez8011 6 months ago

      Same here. Anyone ever figure out a good way?
      Edit: An approach I was thinking of was refetching the token based on the organization instance. For example, you can have their metadata something like this
      {
      "org": "org-id",
      "role": "user",
      "additional_permissions": []
      }
      and on the client side, if they change between orgs somehow, that could trigger a session refresh, somehow passing in the org id they wish to switch to?

    • @matthewbeardsley7004
      @matthewbeardsley7004 5 months ago

      Your user_roles table could have an organisation_id column, so then you should be able to do different organisations with different roles.

  • @belmo_
    @belmo_ 9 months ago

    Just tried using this approach, adding a custom claim (is_admin) to the JWT in NextJS 14, but it just keeps running into an error -> AuthApiError: Error invoking access token hook

  • @jonathangamble
    @jonathangamble 10 months ago +1

    If custom claims still reads from the database, how is this faster than just using RLS directly?

    • @Supabase
      @Supabase 10 months ago

      The Auth Hook is only triggered when a token is issued rather than the RLS policy triggering for each API call. So there is a bit of optimization here.

    • @Rexhibition
      @Rexhibition 9 months ago

      @Supabase hi, I am a beginner, so RLS is easier for me to control. Would the optimization really make a difference in terms of performance and security? Or is controlling RLS directly sufficient? Thank you.

  • @nic_fontana
    @nic_fontana 6 months ago +1

    Nice video! Thank you 😊
    I am wondering why you don't enable this feature by default, like Auth0 does; instead we have to actually write a bunch of stuff in our project following a documentation page.

  • @martinl.2033
    @martinl.2033 months ago

    Hi @Supabase,
    thanks for that. I have tweaked it so that I can use a helper function and trigger to control all my fields by the roles (I ignore permissions for now; it is way too much for my use case).
    But here is the thing: with your custom Auth Hook, when impersonating the user right in your Supabase web app to quick-check things, it is just not working. I guess this impersonation stuff skips getting the JWT that contains the custom data from the custom Auth Hook function that has to be called. When checking these things in my own app, I see that the custom JWT is issued and all the info is there. Also my policy setup is working. But not when impersonating. This is really a pain when it comes to quick-checking things right in your tool rather than having rapid implementations in the app itself.
    Any comments on this?

  • @GabrielFernandes-bc7se
    @GabrielFernandes-bc7se 5 months ago

    Does the impersonate method work correctly with this?
    Imagine that we have two policies:
    - one to get the user's own messages (individual select)
    - one to get every message (for admin users)
    I tried it and technically it works, but it does not work when I'm impersonating... Is there anything missing? Does the auth hook run on impersonate?
    I don't feel confident enough testing these policies in development while not being able to test them using impersonate.

  • @tej_777_
    @tej_777_ 10 months ago +1

    This is amazing, I have been wanting to implement such functionality; nice to see a tutorial on this. Wonder if it works well with GraphQL too?

    • @Supabase
      @Supabase 10 months ago

      Yes, GraphQL fully supports this approach also 👍

  • @sandeepyadav4508
    @sandeepyadav4508 3 months ago

    Hi, I have used the same steps. Still I am not getting user_role in the JWT, can someone help?

  • @АлибекБилалов-н4я
    @АлибекБилалов-н4я 8 months ago

    Question: how can I create a custom access token if I deployed Supabase self-hosted with Docker? I'm trying to create a Hook: Custom access token but I can't get it to work... I deployed the self-hosted version of Supabase. The documentation says to add fields to config.toml; I found it in supabase/supabase/config.toml, but as I understand it, that is not what I need. Question: how can I create a custom access token if I deployed Supabase self-hosted with Docker?

  • @Tanner-cz4bd
    @Tanner-cz4bd 10 months ago

    Supabase with drizzle ?
    Or local dev ?

  • @derekjwilliams
    @derekjwilliams 8 months ago

    Great stuff, I was wondering what the Supabase team thinks of services like Cerbos for RBAC and ABAC.

  • @zeeeeeman
    @zeeeeeman 6 months ago +1

    Noob question: why a public.users table? Why not use auth.users?

    • @Justin-oo2xt
      @Justin-oo2xt 6 months ago +1

      You can't query auth.users using the JavaScript client

    • @flowmv
      @flowmv 6 months ago +1

      @Justin-oo2xt why do we need to query auth.users anyway when the cookie/JWT will be stored locally in the browser?

    • @zeeeeeman
      @zeeeeeman 6 months ago

      @flowmv I was thinking about trying to get all the users out of the auth table.

  • @VOVOPERADOR
    @VOVOPERADOR 8 months ago

    This saved me

  • @devdariill
    @devdariill 10 months ago

    Nice 9:34 mins. How can I learn more about it?

  • @mehmethanifierenler3612
    @mehmethanifierenler3612 4 months ago

    Thanks

  • @HijabiCoder
    @HijabiCoder 10 months ago +2

    Always pronounced it Ree-back 😅

    • @skillsvsdegree6139
      @skillsvsdegree6139 10 months ago

      Have you developed any personal websites with this? Can I see? Thank you.

  • @Muyiwamighty
    @Muyiwamighty months ago +1

    Let's be honest, this video is disappointing and not helpful.