supabase-py: RLS not working after sign-in

Describe the bug After signing in a user using supabase-py a user is correctly returned with it’s acces_token etc. However if I try to insert or select a row in a table with RLS enabled it seems the client does not correctly send the requests as being authenticated by that user. Only the tables without RLS seem to be working. The error returned by supabase is:

postgrest_py.exceptions.APIError: {'message': 'new row violates row-level security policy for table "machines"', 'code': '42501', 'details': None, 'hint': None}

Is this currently not supported by supabase-py or is this indeed a bug? Also, if not supported how would one best go about accessing secured tables (e.g. using postgres-py directly).

To Reproduce The minimal example below highlights this for systems

client = create_client(SUPABASE_URL, SUPABASE_KEY)
session = client.auth.sign_in(email=SUPABASE_MAIL, password=SUPABASE_PASS)
user = session.user

data = {
    "user_id": str(user.id)
}

response = client.table("examples").insert(data).execute()

client.auth.sign_out()

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 15 (6 by maintainers)

Most upvoted comments

This needs some work to be done on postgrest-py first (as in, it isn’t directly supported as such). I’m working on that right now, and it should be done by the end of this week, and when that’s done we’ll make a new release of postgrest-py and have it work here.

In the meantime you could do something along the lines of:

client = create_client(SUPABASE_URL, SUPABASE_KEY)
session = client.auth.sign_in(email, password)

postgrest_client = client.postgrest
postgrest_client.auth(session.access_token) 

# run queries
client.auth.sign_out()
postgrest_client.auth(SUPABASE_KEY) # go back to using the anon key
+7
anand2312 on Apr 12, 2022

Are there any updates on this? 😃

+4
nielsrolf on Jan 4, 2023

The latest v1.1.0 release of the supabase-py library fixes this issue.

+2
silentworks on Sep 30, 2023

This needs some work to be done on postgrest-py first (as in, it isn’t directly supported as such). I’m working on that right now, and it should be done by the end of this week, and when that’s done we’ll make a new release of postgrest-py and have it work here.

In the meantime you could do something along the lines of:

client = create_client(SUPABASE_URL, SUPABASE_KEY)
session = client.auth.sign_in(email, password)

postgrest_client = client.postgrest
postgrest_client.auth(session.access_token) 

# run queries
client.auth.sign_out()
postgrest_client.auth(SUPABASE_KEY) # go back to using the anon key

How would this work if I’m using oauth (with google as a provider for example)?

+2
0xDeadcell on May 13, 2023

@anand2312 Hey just checking up, can I now instantiate a supabase instance with a anon key? I don’t want to use a username/pw.

+1
ShantanuNair on Jul 10, 2023

I have the same question as @0xDeadcell

+1
benjamin-kirkbride on Jun 15, 2023

Any updates on this?

+1
0xDeadcell on May 13, 2023

@timreibe 👍🏼 done. Perhaps this issue should be pinned for better visibilty

+1
anand2312 on Oct 21, 2022

Thanks @anand2312 this clears things up indeed. The workaround works flawlessly in the mean time!

+1
tobias-scheepers on Apr 14, 2022
Read more comments on GitHub
← supabase-py: [ERROR] AttributeError: module 'typing' has no attribute '_ClassVar', supabase-py on AWS Lambda
supabase-py: rpc() - value is not a valid list →