Can anyone call my supabase function?

  • ssssadsadasd-1336715452122136649

    ssssadsadasd

    3 days ago

    I have a toddle API that calls a Supabase edge function. The authorization is simply the Supabase apikey, which is public. Does this mean that anyone (authenticated or not) can call this function? Thanks
  • lucasg-1336720500675837983

    Lucas G

    3 days ago

    Yes
  • ssssadsadasd-1336722443888230411

    ssssadsadasd

    3 days ago

    @Lucas G Is this safe? Can we prevent it from happening?
    In Bubble I don't think this is possible.
  • lucasg-1336722833681809471

    Lucas G

    3 days ago

    It’s possible anywhere that makes an API call from client-side unless the backend checks for things like session tokens.
    The best thing is to set up different levels of security:
    CORS headers, session check, etc.
    Whether it’s safe to have a call exposed depends on what the call does.
  • ssssadsadasd-1336758481608511591

    ssssadsadasd

    3 days ago

    @Lucas G I understand, thanks.
    Sorry, but I have another question. I have authentication enabled for the call, but this does not solve the whole problem: now an authenticated user has all the data (URL and key) to run the function whenever he wants, right?
    Do CORS headers help in this regard (AI told me they don't)?

    So basically, I want to call the function only when a button in my app is clicked and nowhere else.
  • lucasg-1336759839053058069

    Lucas G

    3 days ago

    CORS helps in that they can't spoof the call (as easily) from any other place other than the app. Auth and session tokens help authenticate the caller so that unauthenticated calls are refused.
    The moment a call is public, it means it's open to different risks.
  • lucasg-1336760122545934417

    Lucas G

    3 days ago

    Adding different layers helps prevent unwanted calls, but ultimately it's still a public call.
  • lucasg-1336760397004275794

    Lucas G

    3 days ago

    By authentication, I mean using a user's session access token, for example.
    Not something like a public key.
  • ssssadsadasd-1336776559280918659

    ssssadsadasd

    3 days ago

    @Lucas G Many thanks. A further point I would like to make:
    in my edge function I added 'Access-Control-Allow-Origin': 'my_website.com', which restricts API calls to my website. However, this does not prevent calls through Postman etc. Suggested solutions are Cloudflare or rate limiting? My question is: does toddle's own "proxy request" option help in this regard as a replacement for Cloudflare? Thanks
  • lucasg-1336778217830481920

    Lucas G

    3 days ago

    Proxying the request would help in passing along the user's access_token,
    which you can use to authenticate the call.
