You're reading from Building Production-Grade Web Applications with Supabase A comprehensive guide to database design, security, real-time data, storage, multi-tenancy, and more

Product type Paperback

Published in Aug 2024

Publisher Packt

ISBN-13 9781837630684

Length 534 pages

Edition 1st Edition

Languages

Typescript

Tools

Next.js

Concepts

Application Development

Author (1):

David Lorenz

View More author details

Table of Contents (20) Chapters

Preface

1. Part 1:Creating the Foundations of the Ticket System App

2. Chapter 1: Unveiling the Inner Workings of Supabase and Introducing the Book’s Project FREE CHAPTER

3. Chapter 2: Setting Up Supabase with Next.js

4. Chapter 3: Creating the Ticket Management Pages, Layout, and Components

5. Part 2: Adding Multi-Tenancy and Learning RLS

6. Chapter 4: Adding Authentication and Application Protection

7. Chapter 5: Crafting Multi-Tenancy through Database and App Design

8. Chapter 6: Enforcing Tenant Permissions with RLS and Handling Tenant Domains

9. Chapter 7: Adding Tenant-Based Signups, including Google Login

10. Part 3: Managing Tickets and Interactions

11. Chapter 8: Implementing Dynamic Ticket Management

12. Chapter 9: Creating a User List with RPCs and Setting Ticket Assignees

13. Chapter 10: Enhancing Interactivity with Realtime Comments

14. Chapter 11: Adding, Securing, and Serving File Uploads with Supabase Storage

15. Part 4: Diving Deeper into Security and Advanced Features

16. Chapter 12: Avoiding Unwanted Data Manipulation and Undisclosed Exposures

17. Chapter 13: Adding Supabase Superpowers and Reviewing Production Hardening Tips

18. Index

Why subscribe?

19. Other Books You May Enjoy

Making the authentication process tenant-based

At this point, we have a setup that respects the tenant permissions when selecting data from the database. Our current setup differentiates tenants by a path in the URL and the login page is shown for valid tenants only.

But something’s bugging me: I can visit the login of the activenode tenant at http://localhost:3000/activenode/ to sign in with my credentials, even though the account I’m signing in with only has permissions set on packt and oddmonkey, not activenode. When I sign in and I’m forwarded to /activenode/tickets, I will see Unknown as the tenant name in the header as I have no permission for it.

And here’s another thing: even if I sign in on the path of a tenant that I have permission for, I can freely jump around to other tenants by changing the URL because the middleware only checks for a valid session.

Both are not a security concern as our RLS policies will shield the data, but it’...