supabase: Realtime Row Level security broken for database-wide subscriptions on PG12

Bug report

Describe the bug

Affects

  • PG12
  • PG14 (although these will only be new use-cases, so nobody should be experiencing the bug)

Unaffected

  • PG13 users. If you are experiencing problems with PG13, it is probably because your Policies are not allowing access (whereas previously Policies weren’t applied). This is intended behaviour - your database security is working properly

Description

We’re discovered an issue as a result of our Row-Level Security Realtime updates for that affects any database-wide publications. (eg CREATE PUBLICATION supabase_realtime FOR ALL TABLES;)

To Reproduce

Realtime subscription may have stopped you are on PG12 and you have a Publication in your database set up like

Screenshot 2021-12-01 at 7 49 05 PM

Workaround

Disable the FULL publication (red) and enable each table individually (green) Screenshot 2021-12-01 at 7 50 51 PM

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 44 (25 by maintainers)

Most upvoted comments

UPDATE

We’re currently rolling out the fixes to all projects, and some projects may have already been fixed depending on your project’s region.

+7
w3b6x9 on Dec 3, 2021

UPDATE

We have rolled out the fixes to all projects. If you’re still experiencing Realtime issues then please drop a comment here and/or email support@supabase.io with your project ref and we’ll investigate. Thanks!

+6
w3b6x9 on Dec 5, 2021

@batuhanbilginn @GaryAustin1 I just merged in a fix that addresses certain types for primary keys not working as well as filtering not working for types like int. We’ll be rolling out the changes to all projects as soon as possible.

Thanks for reporting these issues!

+6
w3b6x9 on Dec 3, 2021

@kk21 there’s currently an issue with listening to tables with uuid as primary key. we’re in the process of putting in a fix and will report back here once it’s deployed.

+6
w3b6x9 on Dec 2, 2021

@GaryAustin1 I’ve got it working by turning off and on again the replication for the project.

image

Thanks for the fix @w3b6x9 🙌

+3
kachar on Dec 4, 2021

I sent an email. It is always after a 2nd client signs in the other client will drop realtime on it’s next token refresh. AND the websocket is showing constant loop trying to JOIN again. My subscribes though are not rerunning (console.log right before setups not firing) so I suspect realtime.js is doing the looping joins…

+2
GaryAustin1 on Dec 6, 2021

We will support this @kachar - a fix should be available early this week

+2
kiwicopple on Dec 6, 2021

It looks like a permission issue is blocking pg_dump on our side:

pg_dump: error: query failed: ERROR:  permission denied for table schema_migrations
11
pg_dump: error: query was: LOCK TABLE realtime.schema_migrations IN ACCESS SHARE MODE

Granting privileges to the table using the online SQL editor solved the issue:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA realtime TO postgres;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA realtime TO postgres;
+2
clouedoc on Dec 1, 2021

Realtime RLS currently only works with the authenticated role (in the case that RLS is enabled for a table), and we’re working hard to make it compatible with other roles like service_role.

@w3b6x9 Are you guys planning to support the anon role as well as the authenticated role as both of these are valid regarding the usage of RLS?

In our apps, we’ve got policies for both anonymous and logged-in users and currently, the real-time updates work only for authenticated.

create policy "Anyone can create public mood." on moods
for insert with check (auth.role() = 'anon');

If this feature is out of the roadmap, we’ll need to make changes to our app flow, so it’s good to know in advance. 🙇‍♂️

+1
kachar on Dec 5, 2021

@w3b6x9

That does make sense, thank you for the detailed explanation!

I didn’t mention that i am using it for server side implementations only 😬 There is nothing exposed to the client and I want to bypass the RLS there as my apps are working with all rows.

I guess, I will switch to polling for now.

Thank you again 🙏

@michaelketzer ah, apologies for making the assumption that you were using it client-side! If you send an email to support@supabase.io with a link to your comment then I can follow up and inform you when service_role role is available in Realtime RLS. We’re sorry it isn’t working for your use case today!

+1
w3b6x9 on Dec 5, 2021

@w3b6x9

That does make sense, thank you for the detailed explanation!

I didn’t mention that i am using it for server side implementations only 😬 There is nothing exposed to the client and I want to bypass the RLS there as my apps are working with all rows.

I guess, I will switch to polling for now.

Thank you again 🙏

+1
michaelketzer on Dec 5, 2021

I think I experience the same issue.

I am using supabase.io and I am not getting any realtime updates with my service role key.

I use RLS and I can select rows with supabase-js. My primary keys are mainly uuid’s. I followed any advice in this thread including updating supabase-js to the latest version without any luck

Is the update on all regions deployed? Or are there still some scheduled? For reference, I am on eu-central-1 with the project key mzgcvkiamhhpeqomyvme.

@michaelketzer I think you’re experiencing a different issue.

Realtime RLS currently only works with the authenticated role (in the case that RLS is enabled for a table), and we’re working hard to make it compatible with other roles like service_role.

Also, we do not recommend using the service_role key when creating clients with supabase-js. service_role role is designed to bypass RLS, which is a security concern if exposed on the client. Please refer to Never use a service key on the client for best practices.

You can use your anon key to connect to the client via supabase-js, and if you and/or your users are signed in, then Realtime RLS tracks the authenticated users after they’ve subscribed to topics and determines whether or not they should receive changes to a database table based on your RLS policies.

+1
w3b6x9 on Dec 5, 2021

Hi! I’m facing this issue on PG13, i’ve policies on comments table for select using auth.role()='authenticated' and for insert with check auth.role()='authenticated' too.

I’ve already enable realtime for comments table alter publication supabase_realtime add table comments; image

When I’m trying to subscribe realtime with this code:

supabase.from('comments').on('INSERT', (payload) => {
  console.log('incoming comment', payload);
}).subscribe();

the new comment does not appear on the console.log

I’ve also run this before with no luck:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA realtime TO postgres;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA realtime TO postgres;

I’ve another table with RLS disabled and has realtime active and the realtime do the job correctly.

+1
daemswibowo on Dec 2, 2021

It looks like a permission issue is blocking pg_dump on our side:

pg_dump: error: query failed: ERROR:  permission denied for table schema_migrations
11
pg_dump: error: query was: LOCK TABLE realtime.schema_migrations IN ACCESS SHARE MODE

Granting privileges to the table using the online SQL editor solved the issue:

GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA realtime TO postgres;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA realtime TO postgres;

@clouedoc Thanks for reporting and sharing your workaround! Can you please email support@supabase.io with your project ref so we may investigate?

+1
w3b6x9 on Dec 1, 2021

Yeah, now I’m sure it’s related to RLS. When I subscribe to the table directly it works however if I subscribe to a specific row by using a filter it doesn’t work anymore. Also, RLS disabled on those tables. I think there is some kind of bug in my project 😦

+1
batuhanbilginn on Dec 1, 2021
Read more comments on GitHub
← supabase: Realtime does not emit all events
supabase: Realtime Subscriptions No Longer Working Locally With Custom JWT →