Skills Guide

Modèles RLS pour Supabase

VérifiéPrudence

Fournit des modèles prêts pour la production de politiques de sécurité au niveau des lignes (RLS) pour les applications Supabase. Inclut des modèles pour la multi-location, l'isolation des utilisateurs, l'accès basé sur les rôles et des modèles spécifiques à l'IA comme la sécurité des conversations et des embeddings. Aide à implémenter et tester rapidement les politiques RLS pour sécuriser les données utilisateur dans les projets Supabase.

Spar Skills Guide Bot
SecuriteIntermédiaire
3002/06/2026
Claude Code
#supabase#row-level-security#multi-tenant#user-isolation#ai-apps

Recommandé pour

Claude Code

Notre avis

Ce skill fournit des modèles de politiques Row Level Security (RLS) pour Supabase, adaptés aux applications multi-tenant, à l'isolation des utilisateurs et aux systèmes d'IA (chat, RAG).

Points forts

  • Modèles prêts à l'emploi pour les cas d'usage multi-tenant et d'IA
  • Scripts automatisés pour appliquer, tester et auditer les politiques
  • Couverture de plusieurs patterns : isolation utilisateur, rôle, embeddings

Limites

  • Nécessite une connaissance préalable de PostgreSQL et Supabase
  • Les politiques génériques peuvent nécessiter des ajustements selon le schéma
  • Dépend de l'environnement Supabase (variables d'environnement à configurer)
Quand l'utiliser

Utilisez ce skill lorsque vous devez sécuriser des tables Supabase dans des applications multi-tenant, des chatbots ou des systèmes RAG avec isolation des données.

Quand l'éviter

Ne l'utilisez pas si votre base de données n'est pas PostgreSQL/Supabase ou si vos besoins de sécurité sont déjà couverts par un framework existant.

Analyse de sécurité

Prudence
Score qualité88/100

The skill uses bash scripts to apply RLS policies and interact with the database using service admin keys. While the purpose is legitimate security configuration, the execution of external scripts with administrative credentials carries inherent risk if the scripts are malicious or contain errors.

Points d'attention
  • Requires SUPABASE_SERVICE_KEY (admin access) which can be misused if scripts are compromised
  • Runs bash scripts that modify database security policies; script contents not verified

Exemples

Secure chat conversations
Apply RLS policies to my Supabase chat tables (conversations, messages) using the user-isolation pattern so that each user only sees their own data.
Multi-tenant RAG audit
Audit my Supabase database for missing RLS and then apply the multi-tenant and embeddings policies to protect documents and vector embeddings per organization.
Role-based admin panel
Generate and apply role-based RLS policies for an admin panel where admins have full access, editors can write, and viewers can only read.

name: rls-templates description: Row Level Security policy templates for Supabase - multi-tenant patterns, user isolation, role-based access, and secure-by-default configurations. Use when securing Supabase tables, implementing RLS policies, building multi-tenant AI apps, protecting user data, creating chat/RAG systems, or when user mentions row level security, RLS, Supabase security, tenant isolation, or data access policies. allowed-tools: Bash, Read, Write, Edit

RLS Templates

Production-ready Row Level Security policy templates for Supabase applications, with focus on AI application patterns (multi-tenant chat, RAG systems, user-specific embeddings).

Instructions

1. Applying RLS Policies

Apply policies to tables:

# Apply user isolation policies
bash scripts/apply-rls-policies.sh user-isolation conversations messages

# Apply multi-tenant policies
bash scripts/apply-rls-policies.sh multi-tenant organizations org_members documents

# Apply AI-specific policies
bash scripts/apply-rls-policies.sh ai-chat conversations messages message_embeddings

Generate custom policy:

# Generate policy from template
bash scripts/generate-policy.sh user-isolation my_table user_id

# Generate with custom column
bash scripts/generate-policy.sh multi-tenant projects organization_id

2. Testing RLS Enforcement

Test policies work correctly:

# Test all policies on a table
bash scripts/test-rls-policies.sh conversations

# Test specific user context
bash scripts/test-rls-policies.sh messages --user-id "user-uuid-here"

# Test multi-tenant isolation
bash scripts/test-rls-policies.sh documents --org-id "org-uuid-here"

3. Auditing Security

Audit tables for missing RLS:

# Audit all tables in public schema
bash scripts/audit-rls.sh

# Audit specific tables
bash scripts/audit-rls.sh conversations messages embeddings

# Generate audit report
bash scripts/audit-rls.sh --report audit-report.md

4. Policy Pattern Selection

Choose the right pattern:

  • user-isolation.sql: User owns row directly (user_id column)

    • Use for: User profiles, settings, personal documents
    • Pattern: auth.uid() = user_id

  • multi-tenant.sql: Organization/team-based isolation

    • Use for: SaaS apps, team workspaces, shared resources
    • Pattern: Check organization membership via join

  • role-based-access.sql: Different permissions per role

    • Use for: Admin panels, hierarchical access, permission levels
    • Pattern: Check role from auth.jwt() claims

  • ai-chat-policies.sql: Chat/conversation data

    • Use for: AI chat apps, message history, conversation threads
    • Pattern: User owns conversation + participants table

  • embeddings-policies.sql: Vector/embedding data

    • Use for: RAG systems, semantic search, vector databases
    • Pattern: User owns source document that owns embeddings

Examples

Example 1: Secure Chat Application

-- Apply chat policies to tables
\i templates/ai-chat-policies.sql

-- Tables: conversations, messages, participants
-- Result: Users only see conversations they participate in

Example 2: Multi-Tenant RAG System

-- Apply organization isolation
\i templates/multi-tenant.sql

-- Apply embedding security
\i templates/embeddings-policies.sql

-- Tables: organizations, documents, document_embeddings
-- Result: Each org only sees their own documents and embeddings

Example 3: Role-Based Admin Panel

-- Apply role-based policies
\i templates/role-based-access.sql

-- Roles: admin (full access), editor (read/write), viewer (read-only)
-- Result: Different permissions based on user role

Requirements

Prerequisites

  • Supabase project with database access
  • PostgreSQL client (psql) installed
  • Environment variables set:
    • SUPABASE_DB_URL: PostgreSQL connection string
    • SUPABASE_ANON_KEY: For testing anon access
    • SUPABASE_SERVICE_KEY: For admin operations

Security Checklist

  • [ ] RLS enabled on all tables in public schema
  • [ ] Policies test both authenticated and anonymous access
  • [ ] Indexes created on columns used in policies (user_id, org_id, etc.)
  • [ ] Service key never exposed to client applications
  • [ ] Policies use (SELECT auth.uid()) for performance
  • [ ] WITH CHECK clause included on INSERT/UPDATE policies
  • [ ] Testing validates isolation between users/tenants

Performance Optimization

  • Create indexes: CREATE INDEX idx_table_user_id ON table(user_id);
  • Wrap auth functions: (SELECT auth.uid()) instead of auth.uid()
  • Always filter queries: .eq('user_id', userId) in client code
  • Use security definer functions for complex authorization logic
  • Specify roles in policies: TO authenticated to skip anon checks

Best Practices:

  1. Enable RLS before adding any data
  2. Test with multiple user contexts
  3. Use audit script regularly in CI/CD
  4. Document policy decisions in migration files
  5. Monitor query performance after adding policies
Skills similaires

Auditeur de Securite

Premium

Securite

Analyse le code pour detecter les vulnerabilites OWASP Top 10.

Claude Codeadvanced
210
87
906
Admin

Checklist de Sécurité OWASP

Securite

Génère des checklists de sécurité applicative basées sur l'OWASP Top 10.

claudeCursorWindsurfintermediate
148
41
440
Admin

Modélisation de Menaces

Securite

Génère des documents de modélisation de menaces avec analyse STRIDE.

claudeCursoradvanced
78
23
289
Admin