SPF is for receiving on your domain only. Not deliverability. Not sure why your agent included that.
No, I totally get it and I realized that you’re focusing on this one primary common issue. I’ve always used the native account picker in mobile apps. I capture the Google ID token completely natively on the device without launching an external or in-app browser and once the user selects their account in the native picker I then use an adapter to pass this token directly to Supabase Auth (signInWithIdToken), establishing a secure Supabase session seamlessly. Your docs are great and perfectly clear. I was just pointing out that you cannot have an Apple Store app without Apple OAuth sign in when you include OAuth sign in/up from a third-party like Google. So for a project starter like this it kind of makes sense to include it right off the bat. But obviously that would not apply if you are developing for Android only so it’s just a trade-off whether or not the user would need to remove or add that functionality. Nothing wrong with your take on this at all! Great project starter!!! Edit: hopefully Supabase will add native support for at least the most common auth options. Your way is definitely better for mobile applications, but they both serve a purpose obviously. I don’t really expect Supabase to do this though, that is generally something they leave to the community since it is a bit opinionated, but we will see.
FYI, you cannot release an app on iOS with only Google OAuth. According to Apple’s App Store Guidelines, if your app offers third‑party sign‑in options, such as Google or Facebook, you are required to also include “Sign in with Apple” as an option. The only exceptions are apps that exclusively use their own account system without any third‑party logins, or apps that provide logins for enterprise, education, or business purposes where Apple IDs are not appropriate. Edit: after looking a little closer, I guess it’s obvious that you were just trying to solve the Google OAuth “problem”… but that also confuses me a little, I’ve never had an issue. Either way, glad to see someone putting together packages for React Native considering Supabase hasn’t updated theirs in years.
If you asked a child how to begin a letter to someone they don’t know their name, they could provide you with several examples. I’m not sure if you’re simply overthinking this or if you’ve never written a line of code or ever had a logical thought. Seems more likely you are a bot or someone who’s trolling with rage bait.
SupaPleeeeeze and thank you!
Resend if you want fast and easy setup with nice dev tools. AWS SES if you want to minimize cost at high volumes and you’re a giga chad with AWS infra.
That all depends on the size of the project and the complexity of the database model. I can’t say it’s ever a good idea to skip it, but if the project is small enough, and you have all of that in your head, you could get away with it if you are the only developer.
Very good points all around, thank you for expanding on that!!
I think I get what you’re saying, stop rebuilding the same core database stuff for every new app. Centralize your data from day one, or you're gonna have a massive headache by the time you're on app number five. But this would only apply to a project that is scaling, not a separate application. Or am I misunderstanding your point? To me it sounds like you’re saying app when you should be saying module or something similar. Edit: or maybe it is obvious that you were implying applications that obviously have data overlap such as a web store and an internal application that manages the business.
Yes you are correct on auth.users, but not with storage. Edit: the actual storage object/files, though I suppose you could accomplish that with a script but not in Postgres.
Unit testing with a specific focus on probing RLS. Edit: Every time you add a table or a new policy to a table, add it to the tests. Probe the policy to ensure it works where it should and passes where it should not. It’s really not rocket science, but it is an extra chore and it can be a little bit to catch up on if you’re starting from scratch on an existing project.
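An added example, not part of the comment above: one way to probe an RLS policy from plain SQL, with a positive check (the owner sees their row) and negative checks (a cross-user insert and an anonymous read). It assumes a Supabase Postgres database (the `authenticated` and `anon` roles and `auth.uid()`); the `notes` table, its policies and the UUIDs are hypothetical and constructed for the test.

```sql
begin;
-- Hypothetical table and policies under test (all names are assumptions).
create table public.notes (
  id bigint generated always as identity primary key,
  owner_id uuid not null,
  body text not null
);
alter table public.notes enable row level security;
grant select, insert on public.notes to authenticated;
grant select on public.notes to anon;
create policy notes_select_own on public.notes
  for select to authenticated using (owner_id = auth.uid());
create policy notes_insert_own on public.notes
  for insert to authenticated with check (owner_id = auth.uid());

-- Constructed fixture rows, inserted as the table owner (RLS not applied).
insert into public.notes (owner_id, body) values
  ('00000000-0000-0000-0000-00000000000a', 'alice note'),
  ('00000000-0000-0000-0000-00000000000b', 'bob note');

-- Impersonate user A the way the Data API does: JWT claims plus role.
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}', true);
set local role authenticated;

do $$
begin
  -- Positive probe: the owner sees exactly their own row.
  assert (select count(*) from public.notes) = 1, 'owner must see one row';
  -- Negative probe: writing a row owned by someone else must be rejected.
  begin
    insert into public.notes (owner_id, body)
    values ('00000000-0000-0000-0000-00000000000b', 'forged');
    raise exception 'RLS did not block a cross-user insert';
  exception when insufficient_privilege then
    null;  -- expected: SQLSTATE 42501, row-level security violation
  end;
end $$;

-- No policy targets anon, so it must see nothing even with SELECT granted.
set local role anon;
select set_config('request.jwt.claims', '{"role":"anon"}', true);
do $$
begin
  assert (select count(*) from public.notes) = 0, 'anon must see no rows';
end $$;

rollback;  -- leave the database untouched
```

Run against a local or staging database; any failed `assert` or the explicit `raise exception` aborts the script with the message naming the policy gap.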
Supabase branching does not carry over existing storage objects or files from your main project. Just mentioning that bc op listed storage. Edit: nor does it carry over auth (users).
That would be a fun update migration… (I know it wouldn’t be required.)
So you are sharing the code base?
That just sounds like good UX on a dashboard that is not realtime.
I came across a similar issue on a smaller scale which actually made it much more noticeable, that led to us being able to catch the silent failure later the same day. We initially solved it in a similar way with a custom log table but realized that pg_cron is already tracking this natively. You don’t even need a custom log table. You can monitor the built-in cron.job_run_details table for failures. If this query returns any rows, your cron job failed, and you can instantly trigger a notification.
```sql
-- Schedule the nightly refresh (02:00 every day).
SELECT cron.schedule('refresh', '0 2 * * *', 'REFRESH MATERIALIZED VIEW CONCURRENTLY foobar_matview');

-- Any rows returned here mean a run of that job failed.
SELECT * FROM cron.job_run_details WHERE status = 'failed' AND command LIKE '%foobar_matview%';
```
This would be amazing. The workaround is not good.
This. Arctic.
Sounds handy!
HARD way to learn an important lesson there! Hope your cortisol levels are back to normal.
Your migrations should be idempotent (read about this). Hard coding table data in a migration creates maintenance debt because the migration will eventually become outdated as the schema evolves. You can also run into primary key conflicts if you need to reset your local database and the migration is trying to insert data where data already exists. There are ways to negate this, but it is still not good practice. Without knowing your exact use case, my best guess is that this sounds like a case where you should create an internal CRUD tool to update the table data in the application itself if it is something you will update often. If it’s something you will do rarely, then you could do it directly in the SQL dashboard or in the table itself. Edit: typo (voice to text fail)
Is the table data you’re inserting hardcoded system-level data, such as user roles, or is it dynamic content that you might modify over time?
It is only temporary if it is not a public bucket. If the bucket is public, the link is fixed and accessible publicly until you delete the file. If you modify the bucket to be private, to access the image or file in the bucket, you need to first create a signed URL; this does expire. You (or your agent) can start here: https://supabase.com/docs/guides/storage/buckets/fundamentals
Oh that’s a totally different topic, more like, just because you can, doesn’t mean you should. Great guide though! Been following your channel for a while now, keep up the great work! Personally, I only use self hosting for the not serious stuff. But there are plenty of people out there hosting production applications with it.
Just remember with great power (or control) comes great responsibility. Especially if you are building something “serious”.
To really keep Supabase Edge Functions in check you gotta catch those requests before they even trigger the function execution either using a proxy like Cloudflare or API gateway like Zuplo. Internal limits like Upstash Redis still charge you even if you don’t use them. For user specific limits, just base them on the JWT user ID. Hopefully, they eventually bake something into their Edge Gateway (Relay). If they handled rate limiting right alongside JWT validation, they could kill malicious traffic before it ever hits the Deno runtime saving invocation quota and our wallets.
**Best Practice: Requirements first. Every time.** Choosing the stack first is how you end up with a high-maintenance over-engineered mess that doesn't actually solve your problem. Figure out what the app needs to do, then pick the tools that get you there fastest with the least friction. Don't buy the trailer until you know how much weight you're hauling. THAT SAID. As someone just learning, just use whatever ~~AI knows best~~ you feel comfortable with. This "learning project" should be more of a demo MVP rev 0.0 alpha. Then take what you've learned and build it again.
This is flat out wrong. Supabase IS a BaaS. That said, it is much easier to fail at securing your app using only the client side data API and RPC functions than it is if you keep db access behind your own server's api/loading mechanism. Keeping your db access server side also does NOT guarantee security.
Shop Resend for all your email never sent to spam needs. It runs on AWS SES so the flavor is always peak
Curious, if you or anyone else who has self hosted, has implemented a reliable way to spin up new projects programmatically like you can in the hosted version. Edit: disclaimer, I have not even so much as Googled this topic, but it’s been on my mind for a while because I have a few projects that do that on the hosted version. At least one of them is small enough that I would really like to not do it in the hosted version. I’m all for paying for this when it’s a production app, but it can get a little crazy on non-production/non-monetized work.
Ahhh you are right, I glazed over the fact he is trying to do this with the data API. My first knee jerk answer there if the API indeed requires an FK is either add one or use an RPC call to a pgsql function. Which is exactly the route you took.
Foreign keys are a form of data integrity constraint, not a technical prerequisite for the JOIN operation itself. The join is performed based on the conditions specified in your SQL query. You can join two tables in a PostgreSQL database without explicit foreign keys by joining on columns with a logical relationship and compatible data types.
Staging Staging Staging. And E2E!
Yes, you can join these tables because they both share a common piece of information. Even though the tables are not directly linked to each other, they both reference the same user id from your authentication system. This shared id acts as a bridge that allows you to connect the data. Instead of fetching everything separately and matching it yourself, you can perform a join by telling the database to link the user id in the orders table to the id in the profiles table. Since both columns represent the same user, the database will successfully pair each order with the correct profile information. This is a standard way to retrieve related data without needing a direct relationship between every single table. This is, however, not the optimal way to deal with joins. I can give you some example code, but you could ask the same question to the Supabase AI, it will have all the content that it needs to give you the code and explain it. It can also (and will likely) help explain why it may be better to create a foreign key constraint.
Will be checking this out for sure. Was working on something similar using Sb log drains with a self hosted Sentry instance. Including a supabase-js SDK integration with Sentry to collect breadcrumbs and errors and expand from just raw log ingestion to add a focus on performance monitoring.
Very little information here so I’ll ask a couple questions.
1. Are you using Supabase CLI and working in a local environment or are you always connecting to your remote hosted Supabase instance?
2. Do you have migration files in your code base?
3. What is the name of the API key you are using to connect to Supabase? (Service Role vs. Anon Key OR Publishable vs. Secret)
4. Have you verified the table's RLS status in the Dashboard? (Local and/or remote.)
5. In your code is the Supabase client using a custom database connection string to connect?
“Then fix everything and MAKE NO MISTAKES!”
Funny, I was just reviewing the react-admin repo this morning. We have a large internal tool that has been in beta for a couple years that is using SvelteKit and are planning a full rewrite for the final version. As part of this, we will also be splitting out the field data capture portion of this into a native mobile app. We are exploring the possibility of using React (vanilla with React Router, TanStack, or Next.js) as React Native is on the list for the native app. One thing that concerns me is the snappiness of the front end. In our current implementation, with mostly client side database access (supabase-js), the app is extremely fast. I know from experience that React applications, especially in Next.js, are noticeably slower. What can you tell me honestly about your experience with react-admin in regard to page load/hydration speeds?
https://preview.redd.it/e3bl5c9b0pmg1.jpeg?width=1179&format=pjpg&auto=webp&s=c04211bb120d846fc91efac7ed501c0677177ea8 If there is an issue, I don’t think it’s just the east, I West Coast users reporting slow uploads to buckets. This is a 10 MB video that would normally take a few seconds tops. Been like that all morning.
self literally = on your own. Just use Coolify or some other one click deployment. Could the documents be better, absolutely. Are they obligated or motivated to do that, no.
Very cool! If you scale definitely look into broadcast from db. https://supabase.com/blog/realtime-broadcast-from-database
Solid, leaning on Supabase's built in auth context to automatically secure and manage your serverless endpoints without custom middleware is an efficient architecture for a solo developer. Since you abandoned streaming entirely to wait for structured JSON, aren't you concerned that the combined AI response delay and those Edge Function cold starts will feel unresponsive and frustrate mobile users? (Insert world class captivating animations here.) To bypass React Native's notorious streaming limitations and deliver that realtime typing effect to your users, you can import web-streams-polyfill in your entry file and explicitly pass { reactNative: { textStreaming: true } } in your fetch options. It’s easy and just works. Unless that server processing and structured JSON is not something you can get away from.
It’s definitely a unique solution and Patreon is well known. If it fits with your model, maybe it’s the niche that gets you a foothold where a typical subscription payment setup would not! Props for thinking outside the box. That said when you’re ready for Stripe, I know it can be a bit overwhelming because they offer so much but their documentation is best in class when it comes to payment platforms IMO. Just dig in, and use the extension as well. Oh, and don’t forget that the Stripe Supabase integration can give you a big head start. And obviously, Stripe is not the only option out there, the Fintech scene is growing at an exponential pace. Edit: fix a bunch of voice to text garbage
One does not simply ”interact with Supabase” without reading the manual, at least the first page or two. ;)
Ducktape and WD-40 gets the job done
Custom claims JWT custom_access_token_hook. Google that and read up.
You can absolutely do this in local development using a second local instance and a testing data seed.sql file. You can spin it up without interfering with your current local CLI instance by following this Gist - [https://gist.github.com/ThingEngineer/27de580744b73a382d1832fde5423a56](https://gist.github.com/ThingEngineer/27de580744b73a382d1832fde5423a56) You could also just do something like this if you are ok stopping and starting your one instance.
```bash
#!/bin/bash
# test.sh +x
set -e
set -o pipefail

# Back up the current local data (auth, storage, public) before swapping seeds.
supabase db dump --local --data-only --schema auth,storage,public \
  --exclude storage.buckets \
  --file supabase/local_bk_seed.sql

# Load the testing seed and rebuild the local database from it.
cp supabase/testing_bk_seed.sql supabase/seed.sql
supabase db reset

pnpm test:run # (or whatever)

# These will only run if all preceding commands succeeded
cp supabase/local_bk_seed.sql supabase/seed.sql
supabase db reset
echo "all good bro"
```
You can do something similar in your GitHub actions CI with branching or with a free Supabase project if your project can fit on one. Edit: sorry sounds like you are already doing that.
Second that. I do wish the posts were dated (created/updated)!!! https://supabase.com/docs/guides/getting-started/quickstarts/sveltekit Edit: I know documentation is time consuming and docs are not always up to date, that’s why this is so important.
Curious, do any of the Statuspage statuses relating to your upstream partners get updated automatically via integrations? We’ve been looking at automating ours like that, but there is a lot to consider.
That said, implementing the requirements to ensure your service’s availability, processing integrity, confidentiality, and privacy might not afford you the option of staying in the cheap/low price bracket. You’ll also have to provide integrations for third-party clients using your service who want to be SOC2 compliant, since their own audits will require it. The initial/yearly cost of your own audit is just the tip when you’re providing a service like this. It does help you appreciate the costs that providers have to pass along for a service like this. SB Teams comes with a lot of other perks too.