Supabase Auth Review: Impressive, But Not Without Issues

First and foremost, I’d like to extend my moral support to the Supabase team.

  1. A Viable Firebase/Google Alternative: Supabase offers a compelling alternative with its comprehensive features.
  2. User-Friendly Setup: The setup process, particularly with AuthUI, is relatively straightforward.
  3. Regional Support: It’s great to see support in my region, especially on AWS 👍🏼 (check status).
  4. HIPAA-compliant PostgreSQL: The out-of-the-box PostgreSQL solution is HIPAA-compliant, ensuring data security and compliance.
  5. Versatile Extensions: The availability of extensions, such as AI platforms and authentication integration for React Native, is impressive.
  6. Reasonable Pricing: The pricing plan seems fair and accessible for various users.

Given these strengths, Supabase emerges as a great service for Minimum Viable Products (MVP), offering a robust foundation for early-stage projects.

However, my experience with Supabase revealed some challenges:

  1. Documentation Concerns: There have been complaints about the authentication and Server-Side Auth documentation, particularly discussed on Reddit and Discord.
  2. Unaddressed Community Interactions: Issues and pull requests on GitHub seem to go unanswered, raising concerns about community engagement and support.
  3. Different Priorities: I resonate with the concerns expressed in “I cannot fully recommend Supabase (yet)” (reddit), specifically regarding issues with database transactions (only with RPC, no REST) and the emphasis on ‘trendy features’ over core functionality.
  4. Security of Authentication Cookies: The non-HttpOnly authentication cookie seems to contain an excessive amount of information, which could pose security concerns.

In light of these issues, I remain cautious about how deeply to invest in Supabase.

Auth Token: HttpOnly and User Data

This doc and the response from the auth team explain that modern browsers, equipped with built-in protection mechanisms, require access to the auth token for Client-side Rendering (CSR). Consequently, Supabase has not opted for HttpOnly cookies. The auth token typically includes a mix of access control, user identification, and metadata, which is standard for many authentication systems. In most cases, this approach is adequate.

The 2010s saw the dominance of CSR with the emergence of React. However, Server-side Rendering (SSR) is making a comeback, offering higher performance and improved Search Engine Optimization (SEO). Certain applications may function well without CSR. Supabase acknowledges this shift by supporting SSR.

Nevertheless, I have concerns about the token containing excessive sensitive data. Storing such information in my browser cookie in plain text, without HttpOnly protection, seems risky. It seems to contravene the principle of ‘need-to-know’, exposing too much information.
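To make the concern concrete, here is an added example (my own Node.js code, not Supabase's) that audits a Set-Cookie header for the flags a session cookie should carry and lists which claims the embedded token exposes to any page script that can read document.cookie. The cookie name, the token contents and the list of 'sensitive' claims are constructed assumptions for the example, not Supabase's actual schema.

```javascript
// Added example (not Supabase code): audit an auth cookie along the lines the post describes.
// Two checks: (1) which protective cookie attributes are missing (HttpOnly, Secure, SameSite),
// (2) which claims the JWT payload exposes to scripts once the cookie is not HttpOnly.
// The Set-Cookie line, JWT and claim names below are constructed samples, not Supabase's format.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    cookie.attrs[k.toLowerCase()] = v === undefined ? true : v; // bare flags become `true`
  }
  return cookie;
}

// Attributes a defender expects on a session cookie; returns the ones that are absent.
function missingCookieFlags(cookie) {
  return ['httponly', 'secure', 'samesite'].filter((f) => !(f in cookie.attrs));
}

// Decode only (no signature check): we are inspecting what is readable, not trusting it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// 'Need-to-know' list: claims the browser does not need in order to hold a session.
// These names are assumptions for this example, not Supabase's schema.
const SENSITIVE_CLAIMS = ['email', 'phone', 'user_metadata', 'app_metadata', 'amr'];

function exposedSensitiveClaims(payload) {
  return SENSITIVE_CLAIMS.filter((c) => c in payload);
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample: a cookie without HttpOnly/Secure carrying a JWT full of user data.
const samplePayload = { sub: 'user-0001', role: 'authenticated', email: 'a@example.com',
  phone: '+10000000000', user_metadata: { full_name: 'Ada' }, exp: 1700000000 };
const sampleJwt = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(samplePayload)}.sig`;
const sampleSetCookie = `auth-token=${sampleJwt}; Path=/; SameSite=Lax`;

function auditCookie(header) {
  const cookie = parseSetCookie(header);
  return { missingFlags: missingCookieFlags(cookie),
           exposed: exposedSensitiveClaims(decodeJwtPayload(cookie.value)) };
}
```

Running `auditCookie(sampleSetCookie)` reports the missing `httponly` and `secure` flags and the `email`, `phone` and `user_metadata` claims readable by any script on the page; a token trimmed to `sub`, `role` and `exp` would report no exposed claims.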

Update: There’s news that the token will soon be customizable (source).

Auth Brought Me to Supabase

Supabase’s rapid growth, especially in its Series B phase, is notable. The team has addressed many challenges faced by early-stage startups through their innovative solutions. I continue to view Supabase as one of the best options for MVPs. While the auth service might not be their most profitable product, providing an exceptional authentication experience is likely to retain a significant customer base.


For those interested in exploring alternatives:

