DEV Community: Philipp Steinrötter The latest articles on DEV Community by Philipp Steinrötter (@psteinroe). https://dev.to/psteinroe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F842909%2F3b83bc2e-f32a-4571-87ee-de40d2911d14.jpg DEV Community: Philipp Steinrötter https://dev.to/psteinroe en Build A Public API with Supabase in 10 Minutes Philipp Steinrötter Tue, 23 Apr 2024 06:00:00 +0000 https://dev.to/psteinroe/build-a-public-api-with-supabase-in-10-minutes-2947 https://dev.to/psteinroe/build-a-public-api-with-supabase-in-10-minutes-2947 <p>Building with Supabase means most likely you are not buildig your API yourself thanks to PostgREST and the GraphQL extension. But what if your customers want a public API to integrate with your product? Instead of building your own API server from scratch, you can leverage Postgres + PostgREST to build a public API in minutes. This blog post walks you through the required steps. The target architecture is very simple: A custom database role and Row-Level-Security, your PostgREST server, and a proxy that adds rate-limiting and observability, and a few additional security measures.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kirkipdqkntqcv703nh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kirkipdqkntqcv703nh.png" alt="Architecture"></a></p> <h2> The Database Schema </h2> <p>First we create a sample schema. In this case, we create an <code>organisation</code> table. Each organisation has employees. We also have a <code>contact</code> table that we want to expose in our public API.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">table</span> <span class="n">organisation</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">unique</span> <span class="k">not</span> <span class="k">null</span> <span class="p">);</span> <span class="k">create</span> <span class="k">table</span> <span class="n">employee</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">organisation_id</span> <span class="n">uuid</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">organisation</span> <span class="k">on</span> <span class="k">update</span> <span class="k">restrict</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span> <span class="k">default</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">uuid</span> <span class="k">unique</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span> <span class="k">on</span> <span class="k">update</span> <span class="k">restrict</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span> <span class="p">);</span> <span class="c1">-- we want to expose this in our public api!</span> <span class="k">create</span> <span class="k">table</span> <span class="n">contact</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">organisation_id</span> <span class="n">uuid</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">organisation</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span> <span class="k">default</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">(),</span> <span class="n">full_name</span> <span class="nb">text</span> <span class="p">);</span> </code></pre> </div> <p>We use Row-Level-Security to secure our data and make it accessible only if the user is authenticated and employee of the organisation. The <code>private.organisation_id()</code> function is a little helper function that returns the <code>organisation_id</code> of the authenticated user, if any.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">()</span> <span class="k">returns</span> <span class="n">uuid</span> <span class="k">as</span> <span class="err">$</span><span class="k">sql</span><span class="err">$</span> <span class="k">select</span> <span class="n">organisation_id</span> <span class="k">from</span> <span class="n">employee</span> <span class="k">where</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="err">$</span><span class="k">sql</span><span class="err">$</span> <span class="k">language</span> <span class="k">sql</span> <span class="k">stable</span> <span class="k">security</span> <span class="k">definer</span><span class="p">;</span> <span class="k">create</span> <span class="n">policy</span> <span class="n">employee_all</span> <span class="k">on</span> <span class="n">organisation</span> <span class="k">to</span> <span class="n">authenticated</span> <span class="k">using</span> <span class="p">(</span> <span class="p">(</span><span class="k">select</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">())</span> <span class="o">=</span> <span class="n">id</span> <span class="p">);</span> <span class="k">create</span> <span class="n">policy</span> <span class="n">employee_all</span> <span class="k">on</span> <span class="n">employee</span> <span class="k">to</span> <span class="n">authenticated</span> <span class="k">using</span> <span class="p">(</span> <span class="p">(</span><span class="k">select</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">())</span> <span class="o">=</span> <span class="n">organisation_id</span> <span class="p">);</span> <span class="k">create</span> <span class="n">policy</span> <span class="n">employee_all</span> <span class="k">on</span> <span class="n">contact</span> <span class="k">to</span> <span class="n">authenticated</span> <span class="k">using</span> <span class="p">(</span> <span class="p">(</span><span class="k">select</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">())</span> <span class="o">=</span> <span class="n">organisation_id</span> <span class="p">);</span> </code></pre> </div> <h3> Setup API Tokens </h3> <p>We will manage and create api tokens right within our database, and use Row-Level-Security to define what the api token can do. The first step is to create a role <code>tokenauthed</code> that can be used to authenticate with the database. It should behave like the <code>authenticated</code> role.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">role</span> <span class="n">tokenauthed</span><span class="p">;</span> <span class="k">grant</span> <span class="n">tokenauthed</span> <span class="k">to</span> <span class="n">authenticator</span><span class="p">;</span> <span class="k">grant</span> <span class="n">anon</span> <span class="k">to</span> <span class="n">tokenauthed</span><span class="p">;</span> </code></pre> </div> <h3> Create the API Token Table </h3> <p>We store references to api tokens in a table. Note that the key itself is not stored. Employees should be able to manage tokens.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">table</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="n">api_token</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">organisation_id</span> <span class="n">uuid</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">organisation</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span> <span class="k">default</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">(),</span> <span class="n">created_at</span> <span class="nb">timestamp</span> <span class="k">with</span> <span class="nb">time</span> <span class="k">zone</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="p">);</span> <span class="k">alter</span> <span class="k">table</span> <span class="n">api_token</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">create</span> <span class="n">policy</span> <span class="n">employee_all</span> <span class="k">on</span> <span class="n">api_token</span> <span class="k">to</span> <span class="n">authenticated</span> <span class="k">using</span> <span class="p">(</span> <span class="p">(</span><span class="k">select</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">())</span> <span class="o">=</span> <span class="n">organisation_id</span> <span class="p">);</span> </code></pre> </div> <h3> Allow users to actually create a token </h3> <p>To actually create the api tokens we need to mint our own jwt tokens. We will use the <code>pgjwt</code> extension for this. Luckily, its ready to install on our Supabase instance.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="n">extension</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="nv">"pgjwt"</span> <span class="k">with</span> <span class="k">schema</span> <span class="nv">"extensions"</span><span class="p">;</span> </code></pre> </div> <p>The <code>create_api_token</code> function inserts an api token into the database, and then signs a jwt token with id of the token and the organisation id in the payload. There are a few notable things here. First, live supabase instances store the jwt_secret in the <code>app.settings.jwt_secret</code> variable. &gt;ou can run <code>show app.settings.jwt_secret;</code> in the Supabase SQL editor for your project to prove this for yourself. The jwt secret for local development with the <a href="https://supabase.com/docs/guides/local-development" rel="noopener noreferrer">Supabase CLI</a> has the constant value "super-secret-jwt-token-with-at-least-32-characters-long" as an undocumented "feature". You might notice that the token is always valid forever for now. We will fix that at a later stage. And we use <code>HS256</code>, because its the same algorithm Supabase auth uses.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">create_api_token</span> <span class="p">(</span><span class="n">organisation_id</span> <span class="n">uuid</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span><span class="p">)</span> <span class="k">returns</span> <span class="nb">text</span> <span class="k">as</span> <span class="err">$</span><span class="n">token</span><span class="err">$</span> <span class="k">declare</span> <span class="n">token_id</span> <span class="n">uuid</span><span class="p">;</span> <span class="n">jwt_secret</span> <span class="nb">text</span> <span class="p">:</span><span class="o">=</span> <span class="n">coalesce</span><span class="p">(</span> <span class="k">nullif</span><span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.settings.jwt_secret'</span><span class="p">,</span> <span class="k">true</span><span class="p">),</span> <span class="s1">''</span><span class="p">),</span> <span class="s1">'super-secret-jwt-token-with-at-least-32-characters-long'</span> <span class="p">);</span> <span class="k">begin</span> <span class="k">insert</span> <span class="k">into</span> <span class="n">api_token</span> <span class="p">(</span><span class="n">organisation_id</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">values</span> <span class="p">(</span><span class="n">organisation_id</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="n">returning</span> <span class="n">id</span> <span class="k">into</span> <span class="n">token_id</span><span class="p">;</span> <span class="k">return</span> <span class="n">extensions</span><span class="p">.</span><span class="n">sign</span><span class="p">(</span><span class="n">json_build_object</span><span class="p">(</span> <span class="s1">'tid'</span><span class="p">,</span> <span class="n">token_id</span><span class="p">,</span> <span class="s1">'iss'</span><span class="p">,</span> <span class="s1">'supabase'</span><span class="p">,</span> <span class="s1">'sub'</span><span class="p">,</span> <span class="n">organisation_id</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">,</span> <span class="s1">'tokenauthed'</span><span class="p">,</span> <span class="s1">'iat'</span><span class="p">,</span> <span class="n">trunc</span><span class="p">((</span><span class="k">extract</span><span class="p">(</span><span class="n">epoch</span> <span class="k">from</span> <span class="n">Now</span><span class="p">()))::</span><span class="nb">numeric</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">),</span> <span class="n">jwt_secret</span><span class="p">::</span><span class="nb">text</span><span class="p">,</span> <span class="s1">'HS256'</span><span class="p">::</span><span class="nb">text</span> <span class="p">);</span> <span class="k">end</span><span class="p">;</span> <span class="err">$</span><span class="n">token</span><span class="err">$</span> <span class="k">security</span> <span class="k">invoker</span> <span class="k">language</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <h3> Update Row-Level-Security Policies </h3> <p>First, we add a function to extract the <code>tid</code> from the jwt token, similar to <code>auth.uid()</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">private</span><span class="p">.</span><span class="n">tid</span> <span class="p">()</span> <span class="k">returns</span> <span class="n">uuid</span> <span class="k">language</span> <span class="s1">'sql'</span> <span class="k">stable</span> <span class="k">as</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span> <span class="k">select</span> <span class="n">coalesce</span><span class="p">(</span> <span class="k">nullif</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claim.tid'</span><span class="p">,</span> <span class="k">true</span><span class="p">),</span> <span class="s1">''</span><span class="p">),</span> <span class="p">(</span><span class="k">nullif</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claims'</span><span class="p">,</span> <span class="k">true</span><span class="p">),</span> <span class="s1">''</span><span class="p">)::</span><span class="n">jsonb</span> <span class="o">-&gt;&gt;</span> <span class="s1">'tid'</span><span class="p">)</span> <span class="p">)::</span><span class="n">uuid</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span><span class="p">;</span> </code></pre> </div> <p>We then update <code>private.organisation_id()</code> to return the <code>organisation_id</code> from the jwt payload when the role is <code>tokenauthed</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">()</span> <span class="k">returns</span> <span class="n">uuid</span> <span class="k">as</span> <span class="err">$</span><span class="k">sql</span><span class="err">$</span> <span class="k">select</span> <span class="p">(</span> <span class="k">case</span> <span class="k">when</span> <span class="n">auth</span><span class="p">.</span><span class="k">role</span><span class="p">()</span> <span class="o">=</span> <span class="s1">'authenticated'</span> <span class="k">then</span> <span class="p">(</span><span class="k">select</span> <span class="n">organisation_id</span> <span class="k">from</span> <span class="n">employee</span> <span class="k">where</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">())</span> <span class="k">when</span> <span class="n">auth</span><span class="p">.</span><span class="k">role</span><span class="p">()</span> <span class="o">=</span> <span class="s1">'tokenauthed'</span> <span class="k">then</span> <span class="p">(</span> <span class="k">select</span> <span class="n">coalesce</span><span class="p">(</span> <span class="k">nullif</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claim.sub'</span><span class="p">,</span> <span class="k">true</span><span class="p">),</span> <span class="s1">''</span><span class="p">),</span> <span class="p">(</span><span class="k">nullif</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claims'</span><span class="p">,</span> <span class="k">true</span><span class="p">),</span> <span class="s1">''</span><span class="p">)::</span><span class="n">jsonb</span> <span class="o">-&gt;&gt;</span> <span class="s1">'sub'</span><span class="p">)</span> <span class="p">)::</span><span class="n">uuid</span> <span class="p">)</span> <span class="k">end</span> <span class="p">);</span> <span class="err">$</span><span class="k">sql</span><span class="err">$</span> <span class="k">language</span> <span class="k">sql</span> <span class="k">stable</span> <span class="k">security</span> <span class="k">definer</span><span class="p">;</span> </code></pre> </div> <p>Finally, we re-create the Row-Level-Security policy on <code>contact</code> to include <code>tokenauthed</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">drop</span> <span class="n">policy</span> <span class="n">employee_all</span> <span class="k">on</span> <span class="n">contact</span><span class="p">;</span> <span class="k">create</span> <span class="n">policy</span> <span class="n">employee_tokenauthed_all</span> <span class="k">on</span> <span class="n">contact</span> <span class="k">to</span> <span class="n">authenticated</span><span class="p">,</span> <span class="n">tokenauthed</span> <span class="k">using</span> <span class="p">(</span> <span class="p">(</span><span class="k">select</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">())</span> <span class="o">=</span> <span class="n">organisation_id</span> <span class="p">);</span> </code></pre> </div> <h3> Create the API Schema </h3> <p>To control what tables and columns should be exposed, we create a separate <code>api</code> schema. This separates our internal data model from the data model exposed in our public api.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">schema</span> <span class="n">api</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="k">schema</span> <span class="n">api</span> <span class="k">to</span> <span class="n">postgres</span><span class="p">,</span> <span class="n">anon</span><span class="p">,</span> <span class="n">authenticated</span><span class="p">,</span> <span class="n">service_role</span><span class="p">,</span> <span class="n">tokenauthed</span><span class="p">;</span> <span class="k">alter</span> <span class="k">default</span> <span class="k">privileges</span> <span class="k">in</span> <span class="k">schema</span> <span class="n">api</span> <span class="k">grant</span> <span class="k">all</span> <span class="k">on</span> <span class="n">tables</span> <span class="k">to</span> <span class="n">postgres</span><span class="p">,</span> <span class="n">anon</span><span class="p">,</span> <span class="n">authenticated</span><span class="p">,</span> <span class="n">service_role</span><span class="p">,</span> <span class="n">tokenauthed</span><span class="p">;</span> <span class="k">alter</span> <span class="k">default</span> <span class="k">privileges</span> <span class="k">in</span> <span class="k">schema</span> <span class="n">api</span> <span class="k">grant</span> <span class="k">all</span> <span class="k">on</span> <span class="n">functions</span> <span class="k">to</span> <span class="n">postgres</span><span class="p">,</span> <span class="n">anon</span><span class="p">,</span> <span class="n">authenticated</span><span class="p">,</span> <span class="n">service_role</span><span class="p">,</span> <span class="n">tokenauthed</span><span class="p">;</span> <span class="k">alter</span> <span class="k">default</span> <span class="k">privileges</span> <span class="k">in</span> <span class="k">schema</span> <span class="n">api</span> <span class="k">grant</span> <span class="k">all</span> <span class="k">on</span> <span class="n">sequences</span> <span class="k">to</span> <span class="n">postgres</span><span class="p">,</span> <span class="n">anon</span><span class="p">,</span> <span class="n">authenticated</span><span class="p">,</span> <span class="n">service_role</span><span class="p">,</span> <span class="n">tokenauthed</span><span class="p">;</span> </code></pre> </div> <p>We now use <a href="https://www.postgresql.org/docs/current/sql-createview.html" rel="noopener noreferrer">"updateable views"</a> and the <code>security_invoker</code> config to expose the <code>contact</code>. An updatable view in postgres is a view which allows mutations, because the underlying table can be derived. Thanks to the <code>security_invoker</code> config, all operations will respect the Row-Level-Security policy we set on the <code>contact</code> table. For better performance, we always filter on the <code>organisation_id</code> and therefore mimick the security policy clause. With the view, we can also define what columns should be exposed. This is pretty neat, since most apps will have columns that are internal to the app logic.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">view</span> <span class="n">api</span><span class="p">.</span><span class="n">contact</span> <span class="k">with</span> <span class="p">(</span><span class="n">security_invoker</span><span class="p">)</span> <span class="k">as</span> <span class="k">select</span> <span class="n">id</span><span class="p">,</span> <span class="n">full_name</span> <span class="k">from</span> <span class="n">contact</span> <span class="k">where</span> <span class="n">organisation_id</span> <span class="o">=</span> <span class="n">private</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">();</span> </code></pre> </div> <p>And thats it for the database part. As of now, we have:</p> <ul> <li>a custom database role</li> <li>a function to generate tokens</li> <li>helper functions to easily define Row-Level-Security Policies</li> <li>a table that is exposed via a custom <code>api</code> schema</li> </ul> <p>We could just share our Supabase Rest API endpoint and be done. I would not recommend that. Instead, lets build a little proxy that will give us the possibility to add required security measures such as rate-limiting and observability.</p> <h2> The Proxy </h2> <p>Our little proxy will be a very simple Cloudflare Worker using Hono. You can choose any framework or platform you want for this though. First, we set up the project.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> bunx create-hono api-proxy </code></pre> </div> <p>First, setup a JWT middleware to verify the incoming request. You can find the JWT secret in your Supabase Dashboard.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Hono</span><span class="o">&lt;</span><span class="nx">Env</span><span class="o">&gt;</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">c</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jwtMiddleware</span> <span class="o">=</span> <span class="nf">jwt</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">c</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_JWT_SECRET</span><span class="p">,</span> <span class="na">alg</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HS256</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">jwtMiddleware</span><span class="p">(</span><span class="nx">c</span><span class="p">,</span> <span class="nx">next</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Now, add a single "catch-all" route that forwards the request to the upstream PostgREST api.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="dl">"</span><span class="s2">/:table</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">searchParams</span> <span class="o">=</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">?</span><span class="dl">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span> <span class="p">?</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nf">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">?</span><span class="dl">"</span><span class="p">))</span> <span class="p">:</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">upstreamUrl</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">c</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_URL</span><span class="p">}</span><span class="s2">/rest/v1/</span><span class="p">${</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">param</span><span class="p">(</span><span class="dl">"</span><span class="s2">table</span><span class="dl">"</span><span class="p">)}${</span><span class="nx">searchParams</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">newRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">upstreamUrl</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">raw</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">newRequest</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newResponse</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">res</span><span class="p">);</span> <span class="k">return</span> <span class="nx">newResponse</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>To fail early, you might want to validate the path parameter.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">object</span><span class="p">,</span> <span class="nx">picklist</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">valibot</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">vValidator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@hono/valibot-validator</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TABLES</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">contact</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">paramsSchema</span> <span class="o">=</span> <span class="nf">object</span><span class="p">({</span> <span class="na">table</span><span class="p">:</span> <span class="nf">picklist</span><span class="p">(</span><span class="nx">TABLES</span><span class="p">),</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/:table</span><span class="dl">"</span><span class="p">,</span> <span class="nx">vValidator</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">paramsSchema</span><span class="p">,</span> <span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Env</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">paramsSchema</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ...</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>For Kong, the API gateway that Supabase uses, to accept your proxied request, we need to set the <code>apiKey</code> header to the <code>anon</code> key. To target the <code>api</code> schema, set the <code>Accept-Profile</code> and <code>Content-Profile</code> headers.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/:table</span><span class="dl">"</span><span class="p">,</span> <span class="nx">vValidator</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">paramsSchema</span><span class="p">,</span> <span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Env</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">paramsSchema</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ...</span> <span class="kd">const</span> <span class="nx">newRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">upstreamUrl</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">raw</span><span class="p">);</span> <span class="nx">newRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">apiKey</span><span class="dl">"</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SUPABASE_ANON_KEY</span><span class="p">);</span> <span class="k">if </span><span class="p">([</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">HEAD</span><span class="dl">"</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">))</span> <span class="p">{</span> <span class="nx">newRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">Accept-Profile</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">api</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">newRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">Content-Profile</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">api</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>This is also a great opportunity to change the default behavior of PostgREST. For example, your users might expect that any mutation always returns the mutated row. This can be enabled by default by always adding <code>return=representation</code> to the <code>Prefer</code> header.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/:table</span><span class="dl">"</span><span class="p">,</span> <span class="nx">vValidator</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">paramsSchema</span><span class="p">,</span> <span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Env</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">paramsSchema</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ...</span> <span class="kd">const</span> <span class="nx">newRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">upstreamUrl</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">raw</span><span class="p">);</span> <span class="c1">// ...</span> <span class="k">if </span><span class="p">(</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">select</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">newRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Prefer</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">"</span><span class="s2">Prefer</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">return=representation</span><span class="dl">"</span><span class="p">]</span> <span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>And thats it! From here, you should be able to complete this on your own. To be ready for production, you should add rate-limiting as well as logging and monitoring to your worker.</p> <h2> Recommendations </h2> <p>Control the statement timeout for your <code>tokenauthed</code> role. You are giving your users a lot of power with all the query features that PostgREST offers. To make sure they spend some time optimizing their requests, set the limit to a relatively low value depending on your use case.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">alter</span> <span class="k">role</span> <span class="n">tokenauthed</span> <span class="k">set</span> <span class="n">statement_timeout</span> <span class="o">=</span> <span class="s1">'2s'</span><span class="p">;</span> </code></pre> </div> <p>Next, you should make sure that we can invalidate tokens. For now, a token can be invalidated if its reference in the <code>api_token</code> table is deleted. We can leverage the <code>db_pre_request</code> hook that PostgREST exposes for this. To read more about the Pre-Request feature check out their <a href="https://postgrest.org/en/v12/references/transactions.html#pre-request" rel="noopener noreferrer">documentation</a>. Its basically a middleware within Postgres which we can use to ensure that the token reference in our database still exists.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">private</span><span class="p">.</span><span class="n">validate_token</span> <span class="p">()</span> <span class="k">returns</span> <span class="n">void</span> <span class="k">language</span> <span class="s1">'plpgsql'</span> <span class="k">security</span> <span class="k">definer</span> <span class="k">as</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span> <span class="k">begin</span> <span class="c1">-- 1. we should only verify api tokens.</span> <span class="c1">-- skip check if auth is not done using an api token</span> <span class="n">if</span> <span class="n">auth</span><span class="p">.</span><span class="k">role</span> <span class="p">()</span> <span class="o">&lt;&gt;</span> <span class="s1">'tokenauthed'</span> <span class="k">then</span> <span class="k">return</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="c1">-- 2. make sure the token has not been revoked</span> <span class="n">if</span> <span class="p">(</span><span class="k">case</span> <span class="k">when</span> <span class="p">(</span> <span class="k">select</span> <span class="n">id</span> <span class="k">from</span> <span class="n">api_token</span> <span class="n">t</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">private</span><span class="p">.</span><span class="n">tid</span> <span class="p">()</span> <span class="p">)</span> <span class="k">is</span> <span class="k">not</span> <span class="k">null</span> <span class="k">then</span> <span class="k">false</span> <span class="k">else</span> <span class="k">true</span> <span class="k">end</span><span class="p">)</span> <span class="k">is</span> <span class="k">true</span> <span class="k">then</span> <span class="n">raise</span> <span class="k">sqlstate</span> <span class="s1">'pt401'</span> <span class="k">using</span> <span class="n">message</span> <span class="o">=</span> <span class="s1">'unauthorized'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="k">end</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span><span class="p">;</span> <span class="k">alter</span> <span class="k">role</span> <span class="n">authenticator</span> <span class="k">set</span> <span class="n">pgrst</span><span class="p">.</span><span class="n">db_pre_request</span> <span class="k">to</span> <span class="s1">'private.validate_token'</span><span class="p">;</span> <span class="k">notify</span> <span class="n">pgrst</span><span class="p">,</span> <span class="s1">'reload config'</span><span class="p">;</span> </code></pre> </div> <p>Finally, we only want to allow <code>tokenauthed</code> requests if they were routed through our proxy, so that rate-limiting applies. The simplest way to achieve this is to add a custom secret value to the header in the request.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/:table</span><span class="dl">"</span><span class="p">,</span> <span class="nx">vValidator</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">paramsSchema</span><span class="p">,</span> <span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Env</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">"</span><span class="s2">param</span><span class="dl">"</span><span class="p">,</span> <span class="nx">paramsSchema</span><span class="p">),</span> <span class="k">async </span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ...</span> <span class="kd">const</span> <span class="nx">newRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Request</span><span class="p">(</span><span class="nx">upstreamUrl</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nx">raw</span><span class="p">);</span> <span class="c1">// ...</span> <span class="k">if </span><span class="p">(</span><span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">select</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">newRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-proxy-secret</span><span class="dl">"</span><span class="p">,</span> <span class="nx">c</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PROXY_SECRET</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>We can check for the existence of this token within the <code>validate_token</code> function. Luckily, our Supabase project comes with a built-in Vault, so we do not have to worry about storing our secret key in the database.</p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">private</span><span class="p">.</span><span class="n">validate_token</span> <span class="p">()</span> <span class="k">returns</span> <span class="n">void</span> <span class="k">language</span> <span class="s1">'plpgsql'</span> <span class="k">security</span> <span class="k">definer</span> <span class="k">as</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span> <span class="k">begin</span> <span class="c1">-- 1. we should only verify api tokens.</span> <span class="c1">-- skip check if auth is not done using an api token</span> <span class="n">if</span> <span class="n">auth</span><span class="p">.</span><span class="k">role</span> <span class="p">()</span> <span class="o">&lt;&gt;</span> <span class="s1">'tokenauthed'</span> <span class="k">then</span> <span class="k">return</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="c1">-- 2. Make sure that the request is going through our proxy</span> <span class="n">if</span> <span class="p">(</span><span class="k">select</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.headers'</span><span class="p">,</span> <span class="k">true</span><span class="p">)::</span><span class="n">json</span> <span class="o">-&gt;&gt;</span> <span class="s1">'x-proxy-secret'</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="p">(</span><span class="k">select</span> <span class="n">decrypted_secret</span> <span class="k">from</span> <span class="n">vault</span><span class="p">.</span><span class="n">decrypted_secrets</span> <span class="k">where</span> <span class="n">name</span> <span class="o">=</span> <span class="s1">'proxy_secret'</span><span class="p">)</span> <span class="k">then</span> <span class="n">raise</span> <span class="k">sqlstate</span> <span class="s1">'pt401'</span> <span class="k">using</span> <span class="n">message</span> <span class="o">=</span> <span class="s1">'unauthorized'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="c1">-- 3. make sure the token has not been revoked</span> <span class="n">if</span> <span class="p">(</span><span class="k">case</span> <span class="k">when</span> <span class="p">(</span> <span class="k">select</span> <span class="n">id</span> <span class="k">from</span> <span class="n">api_token</span> <span class="n">t</span> <span class="k">where</span> <span class="n">id</span> <span class="o">=</span> <span class="n">private</span><span class="p">.</span><span class="n">tid</span> <span class="p">()</span> <span class="p">)</span> <span class="k">is</span> <span class="k">not</span> <span class="k">null</span> <span class="k">then</span> <span class="k">false</span> <span class="k">else</span> <span class="k">true</span> <span class="k">end</span><span class="p">)</span> <span class="k">is</span> <span class="k">true</span> <span class="k">then</span> <span class="n">raise</span> <span class="k">sqlstate</span> <span class="s1">'pt401'</span> <span class="k">using</span> <span class="n">message</span> <span class="o">=</span> <span class="s1">'unauthorized'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="k">end</span> <span class="err">$</span><span class="n">body</span><span class="err">$</span><span class="p">;</span> </code></pre> </div> <p>And thats it!</p> <p>You can find the source code and a demo on <a href="https://github.com/psteinroe/supabase-public-api-demo" rel="noopener noreferrer">GitHub</a>.</p> supabase postgres postgrest api