DEV Community: João Victor Santos Dumont The latest articles on DEV Community by João Victor Santos Dumont (@dumontjv). https://dev.to/dumontjv https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4002864%2Fa5a39da0-0e8c-40e6-b488-b196ae14dccb.jpg DEV Community: João Victor Santos Dumont https://dev.to/dumontjv en Building a LGPD-Compliant Healthcare System with Next.js and Supabase Row Level Security João Victor Santos Dumont Thu, 25 Jun 2026 18:51:43 +0000 https://dev.to/dumontjv/building-a-lgpd-compliant-healthcare-system-with-nextjs-and-supabase-row-level-security-5eib https://dev.to/dumontjv/building-a-lgpd-compliant-healthcare-system-with-nextjs-and-supabase-row-level-security-5eib <p>When I was hired to build a clinic management system for a medical practice in Brazil, I quickly realized that "just add authentication" wasn't going to cut it. The system needed to handle sensitive patient records, digital prescriptions, and telemedicine sessions — all under Brazil's data protection law, the <strong>Lei Geral de Proteção de Dados (LGPD)</strong>, which is the Brazilian equivalent of GDPR.</p> <p>The core challenge: multiple users with different roles (doctors, receptionists, and psychologists) needed to access the same database — but with strictly isolated data. A receptionist should never see a patient's medical history. A doctor should only see their own patients' records. And everything needed to be auditable.</p> <p>In this article, I'll walk through how I used <strong>Next.js</strong>, <strong>Supabase</strong>, and <strong>Row Level Security (RLS)</strong> to build a healthcare platform that's both developer-friendly and legally compliant.</p> <h2> What is Row Level Security (RLS)? </h2> <p>Row Level Security is a PostgreSQL feature that lets you define policies controlling which rows a user can read, insert, update, or delete — at the database level, not the application level.</p> <p>This distinction matters enormously in healthcare applications. If you enforce access control only in your API layer, a single bug in your middleware can expose every patient record in your database. With RLS, even if your application logic has a flaw, the database itself refuses to return unauthorized data.</p> <p>Supabase makes RLS straightforward to configure, and it integrates naturally with Next.js through the Supabase client.</p> <h2> System Overview </h2> <p>The clinic had three user roles:</p> <ul> <li> <strong>Doctor</strong> — full access to their own patients' records, appointments, and prescriptions</li> <li> <strong>Psychologist</strong> — same as doctor, but scoped to their own specialty</li> <li> <strong>Receptionist</strong> — can view and manage appointments and basic patient info, but cannot access medical records or prescriptions</li> </ul> <p>Here's the high-level architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Next.js (App Router) └── Supabase Client (server-side) └── PostgreSQL with RLS Policies ├── patients ├── medical_records ├── appointments └── prescriptions </code></pre> </div> <h2> Setting Up the Database Schema </h2> <p>Let's start with the core tables. I'll focus on <code>patients</code> and <code>medical_records</code> since they contain the most sensitive data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable UUID extension</span> <span class="k">create</span> <span class="n">extension</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="nv">"uuid-ossp"</span><span class="p">;</span> <span class="c1">-- User profiles table (extends Supabase auth.users)</span> <span class="k">create</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">full_name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="k">role</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">check</span> <span class="p">(</span><span class="k">role</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'doctor'</span><span class="p">,</span> <span class="s1">'psychologist'</span><span class="p">,</span> <span class="s1">'receptionist'</span><span class="p">)),</span> <span class="n">specialty</span> <span class="nb">text</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Patients table</span> <span class="k">create</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">default</span> <span class="n">uuid_generate_v4</span><span class="p">()</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">full_name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">date_of_birth</span> <span class="nb">date</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">cpf</span> <span class="nb">text</span> <span class="k">unique</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="c1">-- Brazilian taxpayer ID</span> <span class="n">email</span> <span class="nb">text</span><span class="p">,</span> <span class="n">phone</span> <span class="nb">text</span><span class="p">,</span> <span class="n">created_by</span> <span class="n">uuid</span> <span class="k">references</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Medical records (prontuário eletrônico)</span> <span class="k">create</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">default</span> <span class="n">uuid_generate_v4</span><span class="p">()</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">patient_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">doctor_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">notes</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">diagnosis</span> <span class="nb">text</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">updated_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Appointments</span> <span class="k">create</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">appointments</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">default</span> <span class="n">uuid_generate_v4</span><span class="p">()</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">patient_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">professional_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">scheduled_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">status</span> <span class="nb">text</span> <span class="k">default</span> <span class="s1">'scheduled'</span> <span class="k">check</span> <span class="p">(</span><span class="n">status</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'scheduled'</span><span class="p">,</span> <span class="s1">'completed'</span><span class="p">,</span> <span class="s1">'cancelled'</span><span class="p">)),</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <h2> Enabling and Configuring RLS </h2> <p>By default, Supabase tables have RLS disabled. Once you enable it, <strong>all access is denied</strong> unless you explicitly create policies. This is exactly what you want for healthcare data — deny by default, allow by exception.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable RLS on all sensitive tables</span> <span class="k">alter</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">alter</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">alter</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">appointments</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">alter</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> </code></pre> </div> <p>Now let's create the policies. The key is using <code>auth.uid()</code> — Supabase's built-in function that returns the ID of the currently authenticated user.</p> <h3> Profiles Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Users can read their own profile</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Users can view own profile"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">);</span> <span class="c1">-- Receptionists can view all professional profiles (to display appointment info)</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Receptionists can view all profiles"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">and</span> <span class="k">role</span> <span class="o">=</span> <span class="s1">'receptionist'</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h3> Patients Policies </h3> <p>This is where it gets interesting. Receptionists can see basic patient info, but doctors and psychologists can only see patients they've treated.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Doctors and psychologists: only see their own patients</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Professionals see own patients"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="n">p</span> <span class="k">where</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">and</span> <span class="n">p</span><span class="p">.</span><span class="k">role</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'doctor'</span><span class="p">,</span> <span class="s1">'psychologist'</span><span class="p">)</span> <span class="k">and</span> <span class="p">(</span> <span class="c1">-- Patient was created by this professional</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span><span class="p">.</span><span class="n">created_by</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">or</span> <span class="c1">-- Or this professional has a medical record for them</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="n">mr</span> <span class="k">where</span> <span class="n">mr</span><span class="p">.</span><span class="n">patient_id</span> <span class="o">=</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span><span class="p">.</span><span class="n">id</span> <span class="k">and</span> <span class="n">mr</span><span class="p">.</span><span class="n">doctor_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="k">or</span> <span class="c1">-- Or has an appointment with them</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">appointments</span> <span class="n">a</span> <span class="k">where</span> <span class="n">a</span><span class="p">.</span><span class="n">patient_id</span> <span class="o">=</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span><span class="p">.</span><span class="n">id</span> <span class="k">and</span> <span class="n">a</span><span class="p">.</span><span class="n">professional_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Receptionists: can see all patients (basic info only — enforced at app layer)</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Receptionists see all patients"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">and</span> <span class="k">role</span> <span class="o">=</span> <span class="s1">'receptionist'</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Only professionals can insert patients</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Professionals can insert patients"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">patients</span> <span class="k">for</span> <span class="k">insert</span> <span class="k">with</span> <span class="k">check</span> <span class="p">(</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">and</span> <span class="k">role</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'doctor'</span><span class="p">,</span> <span class="s1">'psychologist'</span><span class="p">,</span> <span class="s1">'receptionist'</span><span class="p">)</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h3> Medical Records Policies </h3> <p>Medical records are the most sensitive part. Receptionists should never touch these.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Only the doctor who created the record can read it</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Doctors see own medical records"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="k">for</span> <span class="k">select</span> <span class="k">using</span> <span class="p">(</span><span class="n">doctor_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">());</span> <span class="c1">-- Only doctors and psychologists can insert</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Professionals can insert medical records"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="k">for</span> <span class="k">insert</span> <span class="k">with</span> <span class="k">check</span> <span class="p">(</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="k">public</span><span class="p">.</span><span class="n">profiles</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">and</span> <span class="k">role</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'doctor'</span><span class="p">,</span> <span class="s1">'psychologist'</span><span class="p">)</span> <span class="p">)</span> <span class="k">and</span> <span class="n">doctor_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Professionals can update only their own records</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"Professionals update own records"</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="k">for</span> <span class="k">update</span> <span class="k">using</span> <span class="p">(</span><span class="n">doctor_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">())</span> <span class="k">with</span> <span class="k">check</span> <span class="p">(</span><span class="n">doctor_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">());</span> </code></pre> </div> <h2> Integrating RLS with Next.js </h2> <p>With the database policies in place, let's wire this up to a Next.js application using the App Router and Supabase's server-side client.</p> <h3> Setting Up Supabase Clients </h3> <p>Supabase requires two separate clients in Next.js: one for server components (using the service role or user session) and one for client components.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/supabase/server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createClient</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cookieStore</span> <span class="o">=</span> <span class="nf">cookies</span><span class="p">()</span> <span class="k">return</span> <span class="nf">createServerClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="nf">get</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">name</span><span class="p">)?.</span><span class="nx">value</span> <span class="p">},</span> <span class="nf">set</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="nf">remove</span><span class="p">(</span><span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/supabase/client.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createBrowserClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createClient</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">createBrowserClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Fetching Data with RLS in a Server Component </h3> <p>Here's the beauty of RLS: your data fetching code stays clean. You don't manually filter by user ID — the database handles it automatically based on the authenticated session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/patients/page.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/server</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PatientsPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// RLS automatically filters this query based on the user's role and relationships</span> <span class="c1">// A receptionist gets all patients; a doctor gets only their own patients</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">patients</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">patients</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id, full_name, date_of_birth, phone, email</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">order</span><span class="p">(</span><span class="dl">'</span><span class="s1">full_name</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error fetching patients:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Failed</span> <span class="nx">to</span> <span class="nx">load</span> <span class="nx">patients</span><span class="p">.</span><span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Patients</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">ul</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">patients</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">patient</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">li</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">patient</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">patient</span><span class="p">.</span><span class="nx">full_name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/li</span><span class="err">&gt; </span> <span class="p">))}</span> <span class="o">&lt;</span><span class="sr">/ul</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>No manual <code>where user_id = currentUser.id</code>. The database enforces it. This means even if a developer forgets to add a filter in a new query, the data is still protected.</p> <h3> Protecting Routes with Middleware </h3> <p>RLS handles the data layer, but you also want to protect routes at the Next.js level to prevent unauthorized users from even reaching certain pages.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/ssr</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createServerClient</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SUPABASE_ANON_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">cookies</span><span class="p">:</span> <span class="p">{</span> <span class="nf">get</span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">name</span><span class="p">)?.</span><span class="nx">value</span> <span class="p">},</span> <span class="nf">set</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">value</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="nf">remove</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="c1">// Protect all dashboard routes</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Protect medical records routes — receptionists cannot access these</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard/medical-records</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">profile</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">profiles</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">role</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">profile</span><span class="p">?.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">receptionist</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard/unauthorized</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> LGPD-Specific Considerations </h2> <p>Beyond RLS, LGPD requires a few additional implementations that are worth highlighting.</p> <h3> Data Export (Right of Access) </h3> <p>LGPD gives patients the right to export all their personal data. I implemented this as a server action that generates a complete PDF of the patient's record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/actions/export-patient-data.ts</span> <span class="dl">'</span><span class="s1">use server</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/supabase/server</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">exportPatientData</span><span class="p">(</span><span class="nx">patientId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">supabase</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">()</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">getUser</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// RLS ensures this only returns data the doctor is allowed to see</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">records</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">medical_records</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="s2">` *, patients (full_name, date_of_birth, cpf, email, phone) `</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">patient_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">patientId</span><span class="p">)</span> <span class="c1">// Pass to PDF generation service (e.g., Puppeteer or PDFKit)</span> <span class="k">return</span> <span class="nf">generatePatientPDF</span><span class="p">(</span><span class="nx">records</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Audit Logging </h3> <p>LGPD requires you to be able to demonstrate who accessed what data and when. I used a PostgreSQL trigger to log every access to medical records:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Audit log table</span> <span class="k">create</span> <span class="k">table</span> <span class="k">public</span><span class="p">.</span><span class="n">audit_logs</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">default</span> <span class="n">uuid_generate_v4</span><span class="p">()</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">action</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="k">table_name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">record_id</span> <span class="n">uuid</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Trigger function</span> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">log_medical_record_access</span><span class="p">()</span> <span class="k">returns</span> <span class="k">trigger</span> <span class="k">as</span> <span class="err">$$</span> <span class="k">begin</span> <span class="k">insert</span> <span class="k">into</span> <span class="k">public</span><span class="p">.</span><span class="n">audit_logs</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">action</span><span class="p">,</span> <span class="k">table_name</span><span class="p">,</span> <span class="n">record_id</span><span class="p">)</span> <span class="k">values</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">(),</span> <span class="n">TG_OP</span><span class="p">,</span> <span class="n">TG_TABLE_NAME</span><span class="p">,</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span><span class="p">);</span> <span class="k">return</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">end</span><span class="p">;</span> <span class="err">$$</span> <span class="k">language</span> <span class="n">plpgsql</span> <span class="k">security</span> <span class="k">definer</span><span class="p">;</span> <span class="c1">-- Attach trigger to medical_records</span> <span class="k">create</span> <span class="k">trigger</span> <span class="n">medical_records_audit</span> <span class="k">after</span> <span class="k">select</span> <span class="k">or</span> <span class="k">insert</span> <span class="k">or</span> <span class="k">update</span> <span class="k">or</span> <span class="k">delete</span> <span class="k">on</span> <span class="k">public</span><span class="p">.</span><span class="n">medical_records</span> <span class="k">for</span> <span class="k">each</span> <span class="k">row</span> <span class="k">execute</span> <span class="k">function</span> <span class="n">log_medical_record_access</span><span class="p">();</span> </code></pre> </div> <h2> Testing Your RLS Policies </h2> <p>One of the most useful Supabase features for healthcare apps is the ability to test RLS policies directly in the SQL editor by impersonating users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Test as a specific user (replace with actual user UUID)</span> <span class="k">set</span> <span class="k">local</span> <span class="k">role</span> <span class="n">authenticated</span><span class="p">;</span> <span class="k">set</span> <span class="k">local</span> <span class="n">request</span><span class="p">.</span><span class="n">jwt</span><span class="p">.</span><span class="n">claims</span> <span class="k">to</span> <span class="s1">'{"sub": "doctor-uuid-here", "role": "authenticated"}'</span><span class="p">;</span> <span class="c1">-- This query should only return records where doctor_id = 'doctor-uuid-here'</span> <span class="k">select</span> <span class="o">*</span> <span class="k">from</span> <span class="n">medical_records</span><span class="p">;</span> <span class="c1">-- Reset</span> <span class="k">reset</span> <span class="k">role</span><span class="p">;</span> </code></pre> </div> <p>This lets you verify your policies are working before shipping to production — critical in healthcare where a misconfiguration isn't just a bug, it's a compliance violation.</p> <h2> Key Takeaways </h2> <p>Building a LGPD-compliant system taught me that <strong>security has to be layered</strong>:</p> <ul> <li> <strong>Database layer (RLS):</strong> Enforces access control at the data source — the last line of defense, always active regardless of application bugs.</li> <li> <strong>API/middleware layer:</strong> Prevents unauthorized users from even reaching sensitive endpoints.</li> <li> <strong>Application layer:</strong> Hides UI elements that users don't have access to, improving UX while adding a third layer of protection.</li> </ul> <p>RLS with Supabase made this layered approach actually practical for a small team. Instead of writing complex authorization logic spread across dozens of API routes, the core rules live in the database and apply automatically to every query.</p> <p>If you're building anything with sensitive user data in Brazil — or anywhere with strict data protection laws — this combination of Next.js, Supabase RLS, and proper audit logging gives you a solid, auditable foundation without drowning in boilerplate.</p> <p><em>João Victor Dumont is a Full Stack Developer based in Rio de Janeiro, specializing in Java, Spring Boot, React, and Next.js. He builds production systems for healthcare and automation, including Taskborne — an AI automation agency for US health practitioners.</em></p> nextjs supabase webdev security