You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've been working with Realtime recently and needed a way to safetly listen to all events on a node.js server.
Here I want to explain my problem and solution for future reference.
Problem
By default SECURE_CHANNELS is 'false'. That means everybody with the anon-key (which is public) can listen to ALL data changes, since Row-Level Security is available for Rest only. That's for sure not what we want...
With SECURE_CHANNELS is 'true', we need to authenticate with a JWT.
However, for my use case I didn't want to authenticate with a particular user, since I wasn't listening in the browser, but on an node.js server. I wanted to listen to everything.
Since my application doesn't require any realtime listening on the client I'm now using the following approach:
Solution
I'm now using the ACL Kong Plugin to allow Realtime usage only for the service-key.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Supabase
-
Hey everybody,
I've been working with Realtime recently and needed a way to safetly listen to all events on a node.js server.
Here I want to explain my problem and solution for future reference.
Problem
By default SECURE_CHANNELS is 'false'. That means everybody with the anon-key (which is public) can listen to ALL data changes, since Row-Level Security is available for Rest only. That's for sure not what we want...
With SECURE_CHANNELS is 'true', we need to authenticate with a JWT.
However, for my use case I didn't want to authenticate with a particular user, since I wasn't listening in the browser, but on an node.js server. I wanted to listen to everything.
Since my application doesn't require any realtime listening on the client I'm now using the following approach:
Solution
I'm now using the ACL Kong Plugin to allow Realtime usage only for the service-key.
So I've adjusted the kong.yml:
- name: realtime-v1 _comment: 'Realtime: /realtime/v1/* -> ws://realtime:4000/socket/*' url: http://realtime:4000/socket/ routes: - name: realtime-v1-all strip_path: true paths: - /realtime/v1/ plugins: - name: cors - name: key-auth config: hide_credentials: true + - name: acl + config: + allow: + - 'service' + hide_groups_header: true consumers: - username: 'anon-key' keyauth_credentials: - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzdXBhYmFzZSIsImlhdCI6MTYwMzk2ODgzNCwiZXhwIjoxNjIwNzQyMTM1LCJhdWQiOiIiLCJzdWIiOiIiLCJSb2xlIjoiYW5vbiIsImp0aSI6ImQ1N2ZkMjFlLTNkYjQtNDk3YS1hNGViLTI4ZDY3Yzg2NjEwMiJ9.Uc0w024BLhWjMAAdzMJfkMxaFa82N-6pBxAtEGzrXCQ - username: 'service-key' keyauth_credentials: - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzdXBhYmFzZSIsImlhdCI6MTYwMzk2ODgzNCwiZXhwIjoxNjIwNzQyMTU1LCJhdWQiOiIiLCJzdWIiOiIiLCJSb2xlIjoic2VydmljZV9yb2xlIiwianRpIjoiOTk4MzJiYmItNDdhNS00NzJhLTgxMDQtYzY4ZGVjZDQyZDVlIn0.zQXx74dQyhpkcqZOMxsx961DPsDz4-nWxTLrCAd-ioI + acls: + - group: 'service'Don't forget to add "acl" to the Kong plugin lists in the docker-compose.yml and kong/Dockerfile.
Restart the services via: docker-compose up -d --force-recreate --build
Now the anon-key can't connect to the realtime socket anymore, but the service-key can. ;)
Hope this helps somebody! If you have any questions or ideas, just let me know.
Beta Was this translation helpful? Give feedback.
All reactions