But what the docs don't cover is the provided Users table. Missing documentation is why I gave up on Supabase; and the Users table was one of the first problems I encountered. I could find no details on what to expect in each column at any given time.
Upon creating a new user, values get set in this table for no apparent reason. So if your application depends on knowing the verification status of a new user (for example), good luck... Supabase claimed every user was verified upon creation.
While in theory your API can be the database it seems like a footgun for the inexperienced and AI.
Yep: https://supabase.com/docs/guides/auth/managing-user-data
> For security, the Auth schema is not exposed in the auto-generated API. If you want to access users data via the API, you can create your own user tables in the public schema.
eg I was trying to help her set up a webhook listener, and it undid our efforts.
These tools seem incapable of building software in the hands of users who don't understand security already.
These tools are for augmentation of skills, not for wholesale "imma a programmer now", which a lot of people seem to think. And to be honest, lots of companies are selling that "experience" too, even though they know it isn't true, a bit shit.
My colleague now understands why unit tests, after watching subsequent development regularly break previous work. Lovable doesn't support them. And I don't want to touch this codebase because I don't want to own it.
Lovable is not going to tell them to use a proper auth service or fully secure their data. One Lovable project I looked at had generated an entire custom JS Markdown parser instead of using react-markdown, for example.
I had to double take back to the article after reading this - it actually said $330M (raised at $6.6B valuation). AI investment has been crazy enough I would have actually believed it though!
Yep. Probably the most relatable tech friend thing to do. I send my projects to friends and get a list of improvement suggestions, it's always fun!
Read this for a high level overview useful for HN: https://community.qbix.com/t/streams-plugin-access-control/2...
As one vibe-coding's most fervent critics, I don't blame it at all. Amateur devs have been doing this for a decade and change with Firebase and other hosted datastores.
I got one of my first small jobs as a contractor because of an Android app doing this back in 2012!
Just FYI, this is what users see when they try to turn off RLS in a public table (it is on by default). We also show security issues in the project homepage and red alerts in the table editor.
You have to explicitly create a read-all policy for anon keys, and with no constraints, for people to get access to it.
The default is secure.
If you turn off RLS, there are warnings everywhere that the table is unsecured.
The author goes on to compare this with PocketBase, which he says you "have to go out of your way" to make insecure. You have to go out of your way with Supabase, as well!
I wonder if the author tested this? I do agree that some third party website builders who use supabase on the back end could have created insecure defaults, but that's not supabase's fault.
This is one reason why Firebase was such a gold-mine for security researchers: everyone just forgot about security when they forgot about their backend.
ErroneousBosh•2h ago