Threads
Loading user profile...
yeah this is exactly the problem. stripe webhooks hit your endpoint with no user session so any supabase query using the anon key gets blocked by RLS since theres no auth.uid() to match against. the standard fix is to use the supabase service\_role key specifically for webhook handlers. create a separate supabase client in your webhook route initialized with the service\_role\_key instead of the anon key. the service role bypasses RLS which sounds scary but in this context its the correct approach because the webhook is server-side only, never exposed to the client, and you control exactly which queries it runs. the important part is scoping it tightly. dont pass that service role client around your app or export it from a shared lib. create it inline in your webhook handler, do the specific reads and writes you need for the sync, and thats it. keep your regular anon client for everything else. if you really dont want to bypass RLS at all you can create a specific postgres function with security definer that does the subscription update internally, then call it via rpc from your webhook. security definer functions run with the permissions of the function creator (usually postgres) so they bypass RLS but the logic is contained inside the function itself. feels cleaner than passing a service role client around. either way make sure your webhook route is verifying the stripe signature before doing anything. if someone hits that endpoint with a fake payload and youre using service\_role access thats a bad combo
yeah the migration workflow is confusing at first because supabase tracks which migrations have been applied in a table called supabase\_migrations.schema\_migrations on the remote db. when you run supabase db push it compares whats in that table against whats in your local supabase/migrations folder. if theres a mismatch you get those repair suggestions. the most common reason this happens is when both of you create migrations locally at the same time with different timestamps, or when someone manually changes something on the remote db through the dashboard instead of through a migration file. the remote db now has a state that doesnt match any migration and everything gets confused. the workflow that works cleanly: never touch the remote db through the dashboard once you start using migrations. all changes go through migration files only. when one of you creates a new migration locally, push it to git, the other person pulls and runs supabase db reset locally to apply it. when youre ready to deploy, one person runs supabase db push to apply all new migrations to remote in order. for the repair command, its not updating migration files, its updating that tracking table on the remote. if a migration was applied manually or got out of sync you use repair to tell supabase "hey this migration is actually already applied, skip it." its a fix for when things get out of sync, not part of the normal workflow. if youre already in a messy state the easiest fix is to run supabase db remote commit to pull the current remote state into a migration file, get everything in sync, and then start fresh with the clean workflow from there
the fact that youre even thinking about this puts you ahead of 99% of indie devs. most people ship with admin access to everything and never think twice about it. what you want is client-side encryption before anything touches supabase. the user encrypts the image in the browser using a key derived from their password (something like Web Crypto API with AES-GCM), then uploads the encrypted blob to supabase storage. you only ever store the ciphertext. that way even if you open the file from the dashboard its just random bytes. the tricky part is key management. if you derive the key from their password and they forget it, those images are gone forever. no recovery possible. thats the tradeoff with true zero-knowledge encryption. you can soften this by letting users export a recovery key on signup that they store somewhere safe, but youre shifting responsibility to the user. one thing people miss, make sure you encrypt the metadata and commentary too, not just the images. a photo you cant see but with a caption that says "our trip to paris 2024" still leaks a lot. encrypt everything before it hits supabase and store the encryption params (iv, salt) alongside the ciphertext. also your RLS is still important even with encryption. encryption protects against you and anyone who gets database access. RLS protects users from each other at the query level. you want both layers
done something similar with 3 supabase projects and the centralized auth approach was the least painful. basically pick one project as your auth source of truth, then share the same JWT secret across all projects so tokens issued by the auth project are trusted everywhere. you set the jwt\_secret in each projects config to match and RLS policies work as normal since auth.uid() resolves from the token regardless of which project issued it. the external IdP route with clerk or auth0 works too but adds a dependency and another bill for something supabase auth already handles. id only go that route if you need SAML or enterprise SSO that supabase doesnt support yet. for the AI context layer i wouldnt try to query across 3 supabase projects in real time. the latency stacks up fast and if one project is slow everything is slow. better to replicate the data you need into a single read-only project using pg\_cron or a simple sync job. slight delay but way more reliable than fanning out queries at runtime. biggest "dont do this" warning: dont share the service\_role\_key across projects to shortcut the cross-project reads. ive seen people do this and it means a breach in any one project gives full access to all five. keep the blast radius small, use the JWT approach for user-scoped access and the replication approach for AI reads
the manual env var copy-paste thing is genuinely one of the most common ways supabase apps break in production. ive seen people accidentally paste their service\_role\_key where the anon key should go and suddenly their frontend has full admin access to every table. nobody notices until someone checks the network tab. for managing it across environments i just use a .env.local per environment and a simple script that pulls the keys from supabase CLI using supabase status. that way the keys are always in sync with whichever project is linked and theres no manual copying. for CI/CD the keys go into github secrets or vercel env vars once and never get touched again. the scarier version of this problem is when people commit their .env file to git by accident. ive seen public repos with service\_role\_keys sitting right there in the commit history even after they delete the file. if anyones reading this and not sure, check your git history with git log --all --full-history -- .env and make sure nothing is in there
had a similar issue connecting a different frontend to supabase where the API showed public schema exposed but no tables showed up. two things fixed it for me. first check if RLS is enabled on those tables but you have no policies added yet. when RLS is on with zero policies it blocks everything including the API from listing the tables. either add a basic select policy for anon or temporarily disable RLS on one table to test if thats the issue. second thing, in your supabase dashboard go to settings > API and make sure the tables you want are actually in the public schema and not accidentally created in a different schema. flutterflow and the REST API only see whats in the schemas listed under PGRST\_DB\_SCHEMAS which defaults to public. if your tables ended up in another schema they wont show up even though they have the green checkmark in the table editor. also double check that your anon key matches the project youre looking at. if you have multiple supabase projects its easy to grab the key from the wrong one and everything looks connected but returns nothing
email is the thing that breaks silently and you dont find out until someone complains they never got their invite. been there. biggest thing that helped me was stopping using supabase edge functions for email entirely and just using resend or loops with a webhook. you set up one webhook trigger on your users table insert and the email service handles deliverability, templates, open tracking, all of it. trying to manage SMTP config and deliverability from edge functions is a losing battle when youre not a backend person. for the trigger breaking after schema updates, thats a common one. if you rename a column or change the table structure the postgres trigger still references the old schema and just silently stops firing. worth checking your triggers in the SQL editor after any migration to make sure theyre still pointing at the right columns. also one thing to watch since you mentioned 300 users and youre a non-dev using lovable, make sure your edge functions arent exposing your SMTP credentials or email API keys on the client side. ive seen lovable generated code where the function env vars were accessible in ways you wouldnt expect. worth a quick check in your supabase dashboard under edge functions > settings to confirm your secrets are actually secret
this is a really well thought out breakdown of the options. the service user accounts approach is honestly the most practical one ive seen people use for this. the extra auth request per run sounds annoying but if your functions are already running 30-60 seconds an extra 50ms auth call is nothing in the grand scheme. one thing that makes the service user approach cleaner is to generate the session token once on cold start and reuse it across invocations until it expires. lambda keeps containers warm for a while so you wont be re-authing every single run. just cache the token in memory and refresh it when the jwt expires. that way your cost stays flat. the signed jwt approach is what i ended up doing for a similar setup. the single signing key limitation is annoying but you can scope the jwt claims per service by giving each one a different custom role in the payload. so service A gets a jwt with role image\_generator and service B gets role data\_processor, and your RLS policies check the role claim. if one service gets compromised you revoke its specific jwt without rotating the signing key itself — just add the compromised tokens kid or jti to a deny list. honestly supabase is missing a first class solution here. scoped api keys with per-key RLS roles would solve this cleanly but i dont think its on their roadmap anytime soon
yeah this is a real pain point. the DX for auth on the client side is great but the moment you need to validate tokens server side or in edge functions it falls off a cliff. feels like two different products honestly. i hit the same JOSENotSupported error when moving between environments and it turned out my JWKS endpoint was returning a key with an algorithm the jose library didnt expect. the fix was stupid simple but finding it took hours because the error gives you zero context about which key or which part of the validation failed. your point about the abstraction layer is spot on. if every developer ends up writing the same 100 lines of token validation code thats a sign it should be a built-in helper. something like supabase.auth.verifyToken() on the server side that just returns the user or throws a clear error with an actual error code would save everyone a ton of time. until they build that i ended up wrapping the whole jwks fetch and validation into a small utility that caches the keys and gives human readable errors when something fails. not ideal but at least i dont have to debug JWSInvalid with no context anymore
99% chance this is RLS. when you look at tables in the supabase dashboard youre using the service\_role key which bypasses all RLS policies. but your app uses the anon key which is subject to RLS. so you can see everything in the dashboard but the app sees nothing. quickest way to confirm: go to the supabase SQL editor and run select \* from your\_table — that uses service\_role and will return data. then go to table editor, click the little dropdown next to the table name and switch to "use API key" with anon role. if that returns empty, its RLS blocking you. if youre using auth and want logged in users to read their own rows, you need a policy like select for authenticated role where auth.uid() = user\_id. the user\_id column in your table has to match exactly what supabase auth assigns, lovable sometimes generates schemas where the user id column is named something different like owner\_id or created\_by and the RLS policy references the wrong one. also check that youre actually passing the session token with your queries. if the auth session isnt attached to the supabase client the request hits as anon even if the user is logged in. in lovable generated code this sometimes breaks when the supabase client gets initialized before the auth state is ready
been running supabase postgres in production for a write-heavy app for about 8 months. no real complaints on reliability, its been solid. the always-on aspect is real, you dont get cold start weirdness on the db side which matters when your api is already on render and you dont want two layers of wake-up latency stacking. neon's scale-to-zero sounds great on paper but for a write-heavy app with food logs and scans coming in constantly your db is basically never idle anyway. so youre paying for the autoscaling machinery without actually benefiting from it. and the cold start when it does scale back up adds a noticeable delay on the first query which is annoying if a user opens the app after a quiet period. one thing to watch with supabase though, even if you dont plan to use their auth or storage, their postgres instance comes with a bunch of extensions and schemas pre-installed (auth, storage, realtime, etc). not a problem functionally but if youre doing your own migrations or backups just be aware theres more in the database than what you put there. also make sure you disable realtime on tables you dont need it on, it adds overhead on writes. for write-heavy on render id go supabase. simpler mental model, predictable pricing, no cold starts
havent checked the tax math but since youre handling peoples financial data on supabase id definitely double check a few things before sharing this more widely. make sure your RLS policies are airtight, with tax data you really dont want a situation where one user can read another users records by guessing an id. test it by creating two accounts and trying to fetch the other users data directly through the supabase client. youd be surprised how often this gets missed especially when AI generates the initial schema. also the receipt scanner with gemini, are you sending the receipt images to gemini's api directly from the client or routing through a server action? if its client side your api key is probably exposed in the network tab. with a tax app thats a bad look even if the key itself is scoped. and since you said no login required for the calculator part, make sure theres no way to hit authenticated endpoints without a session. ive seen setups where the anon key gives more access than intended because the RLS policies were written assuming the user is always logged in. cool project tho, the 1040 waterfall modeling sounds like a ton of work
the RLS cascading ownership pattern is underrated honestly. most people either skip RLS entirely and do auth checks in middleware or they write one policy per table and call it done. chaining it through parent relationships is the right way but it gets gnarly fast once you have nested resources. one thing id watch out for with the supabase storage setup, make sure your storage bucket policies are locked down separately from your table RLS. ive seen projects where the database rows were properly protected but the storage bucket was public so anyone with the file path could access other users images directly. easy to miss since the dashboard shows them as separate sections how are you handling the stripe webhook verification on cloudflare workers btw? last time i tried that the crypto.subtle api on workers handled the signature check differently than node and it silently passed invalid signatures
went with separate projects after trying branches for a while. branches are fine in theory but i kept running into annoying edge cases where migrations behaved slightly differently on the branch vs prod, and debugging that was worse than just maintaining two projects. separate projects also means you get completely isolated storage buckets, auth configs, and edge functions which is nice when youre testing stuff you dont want accidentally hitting prod data. the extra cost of a second project on the free tier is zero so theres not really a downside. only annoying part is keeping migrations in sync but if youre using the supabase cli with db push its pretty painless. i just have a deploy script that runs against staging first and then prod once i verify everything works
this is really solid. the indexeddb queue with auto-replay is smart, most people just let the app crash and blame supabase lol. honestly ive never gone as far as a full ec2 hot standby but ive been burned by the realtime connection dropping silently and writes just disappearing. ended up doing something similar with a local queue that retries on reconnect but way less sophisticated than what you built here. curious about one thing, how are you handling conflicts when the sync replays? like if someone else modified the same row on supabase while your app was writing to the failover, does the replay just overwrite or do you have some kind of last-write-wins logic?
most of those "shipped in 24 hours" people are doing nextjs + vercel and nothing else. the second you add mobile the auth story gets 10x harder and nobody talks about that. went through the same thing with expo + supabase. two things that fixed it for me: ditch asyncstorage for expo securestore for session persistence — asyncstorage randomly loses sessions on ios cold starts and thats probably why it feels flaky. and for redirect urls you need a custom scheme in your app.json (like carrotcash://) and add it as a separate entry in the supabase dashboard. trying to make one redirect url work for both web and mobile was half my debugging time. youre not overcomplicating it, mobile auth genuinely is that annoying. once you get past this part the rest of expo + supabase is smooth tho
yeah this is a classic gotcha with self-hosted supabase. the issue is almost certainly that your custom volume path for /etc/postgresql-custom doesnt have the right files in it, or the permissions are off. when the db container starts it expects to find config files at /etc/postgresql/postgresql.conf but that file actually gets generated from whats in /etc/postgresql-custom. if that mounted directory is empty or the files inside dont have the right ownership (postgres user, uid 26), the config generation fails and you get that fatal error. couple things to check: make sure the directory youre mounting to /etc/postgresql-custom actually has the files from the original volumes folder. if you just created a new empty directory at that path thats your problem, it needs the contents copied over, not just the same folder structure. also check permissions on the host side. run ls -la on your custom path and make sure the files arent owned by root with 600 perms or something. the postgres process inside the container runs as a specific uid and if it cant read the config files youll get exactly this error. one more thing the :Z flag on your volume mounts is for selinux relabeling. if youre not on a selinux system (like if youre on ubuntu) that flag can occasionally cause weird permission issues. try removing the :Z and just use a plain mount for the db volumes and see if that fixes it. if none of that works try running docker compose logs supabase-db right after it fails, theres usually a more detailed error above the fatal line that tells you exactly which config key is broken
had this happen twice. both times it ended up being stuck in a weird limbo state where the restore process started but didnt fully complete on their backend. what worked for me: go to the project settings page and try pausing it again, wait like 5 minutes, then restore. basically forces it to restart the whole restore cycle cleanly. second time around it came up in like 10 min. if that doesnt work, hit the supabase support through the dashboard (the little chat bubble bottom right). they can manually kick the restore process on their end. when i did that they fixed it within a couple hours. also heads up, after it does come back, double check your edge functions and any cron jobs you had running. mine came back with the db fine but two of my edge functions were in a weird undeployed state and i didnt notice for like a day. fun times lol
oh man yeah the silent failure thing in supabase is brutal. got bitten by the same thing a while back. Had an insert that was failing because of an RLS policy i misconfigured and the response just came back looking totally fine. no error, no nothing. took me like 3 hours to figure out why data wasnt showing up. one thing that helped me beyond sentry is wrapping every supabase call in a helper that checks for both `error` and whether `data` is actually what you expect. something like if the insert returns null data but no error, thats usually an RLS issue. saved me a ton of debugging since. also worth checking if you have `REPLICA` mode on for realtime, that one silently drops writes too if your RLS isnt set up for the realtime role. super annoying to track down. good call on sentry tho, the supabase + sentry combo catches most of the weird edge cases