Bug report

Describe the bug

I have a supabase client created in middleware which uses the user's access token, and a service role key supabase client created at FastAPI app initialization.

However, I found out that the `Authorization` header in these two supabase clients' Postgres client sessions is the same!

For the service role key supabase client: (screenshot in the original issue)

For the request client: (screenshot in the original issue)

So the service role key cannot bypass the RLS, and I'm really confused by it. Shouldn't every supabase client make requests to supabase using its own session?

To Reproduce

1. Init a supabase client with `create_client(url, serv_key)`
2. Init another supabase client with `create_client(url, anon_key)`
3. `anon_client.auth.set_session(access_token)`, where `access_token` is the JWT of an authenticated user
4. Send a PostgreSQL op using the supabase serv client (if you set RLS, you will find it fails to update)

Expected behavior

Every client should be completely independent.

System information

- OS: Windows10
- Supabase-Py: 2.5.0

😉 Hope for your reply, sincere appreciation for your work!
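A check one could run against the situation described in this report, added here as an example that is not code from the issue or from supabase-py: it compares the `Authorization` header the two clients would send, decodes (without verifying the signature) the `role` claim of each bearer token, and flags a "service" client whose token is not `service_role`, which is exactly the condition under which RLS is still applied. The `DEMO_SECRET`, the `make_demo_jwt` tokens and the header dicts are constructed for the demo; how to read the real headers out of a supabase-py client's Postgres session is version-specific and is assumed rather than shown.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo secret: not a real Supabase JWT secret or API key.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a well-formed HS256 JWT from constructed claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_claims_unverified(token: str) -> dict:
    """Decode the JWT payload only. The signature is NOT checked here: this is an
    inspection aid for what a client is about to send, not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_role(headers: Dict[str, str]) -> Optional[str]:
    """Return the `role` claim of the bearer token in an Authorization header, if any.
    Supabase API keys carry `anon` or `service_role`; user sessions carry `authenticated`."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return jwt_claims_unverified(auth[len("Bearer "):]).get("role")


def check_client_roles(service_headers: Dict[str, str], request_headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the two clients look independent."""
    findings = []
    if service_headers.get("Authorization") == request_headers.get("Authorization"):
        findings.append("service and request clients send the same Authorization header")
    service_role = bearer_role(service_headers)
    if service_role != "service_role":
        findings.append(f"service client bearer role is {service_role!r}, expected 'service_role'")
    if bearer_role(request_headers) == "service_role":
        findings.append("request client carries a service_role token (privilege leak)")
    return findings


# Constructed tokens standing in for the service role key and a user's access token.
SERVICE_KEY = make_demo_jwt({"iss": "supabase", "role": "service_role"})
USER_TOKEN = make_demo_jwt({"iss": "supabase", "role": "authenticated", "sub": "user-1"})


def healthy_scenario() -> List[str]:
    """Each client keeps its own token: no findings expected."""
    service_headers = {"Authorization": f"Bearer {SERVICE_KEY}", "apikey": SERVICE_KEY}
    request_headers = {"Authorization": f"Bearer {USER_TOKEN}", "apikey": "anon-key-placeholder"}
    return check_client_roles(service_headers, request_headers)


def leaked_scenario() -> List[str]:
    """What the report describes: after set_session on the request client, the
    service client's session shows the same (user) Authorization header."""
    shared = {"Authorization": f"Bearer {USER_TOKEN}"}
    return check_client_roles(dict(shared), dict(shared))


if __name__ == "__main__":
    print("healthy:", healthy_scenario() or "no findings")
    print("leaked: ", leaked_scenario())
```

In the leaked case the check reports two findings: the shared header, and a service client whose bearer role is `authenticated`, which explains why RLS still applies to it. Running a check like this once at startup, after the middleware has set a user session, gives a concrete signal without touching production tables.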