I’ve been self-hosting it for the past couple of months. It is a really nice product. Allows one to get a fully fledged app with backend running extremely quickly, just drop a front end in. There’s still some annoyances with it though - Work still needs to be done to enable backend communication over services using SSL - it’s currently unencrypted by default. I was able to get SSL working with some minor changes to sources and configuration but it really should be encrypted by default.
The defaults don’t seem super sane either, by default an anonymous user can read your entire public database schema via OpenAPI (which is turned on by default as well), including any RPCs. That alongside the fact that Postgres grants RPC execute to public by default means that if someone isn’t paying attention they can easily expose execute permissions to the outside world on functions in their public schema to unauthenticated users, and tell them exactly what functions are exposed!
The current response from Supabase is to ensure the API gateway you use authenticates users first - which isn’t really a solution IMO, for multiple reasons. I ended up spending some time figuring out how to revoke the appropriate database permissions from the anonymous role in Postgres, but it shouldn’t be like that. Anon role should start with nothing and the end user should very explicitly be turning on what unauthenticated users can access.
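One way to do the revoke-then-opt-in that this post describes, as an added SQL example (not code from the thread or from Supabase); it assumes the unauthenticated role is named `anon`, that application functions live in the `public` schema, and that `public.get_public_posts()` is a placeholder function name.

```sql
-- Added example, not from the thread. Assumes Supabase's unauthenticated role
-- is named "anon" and that application RPC functions live in schema "public".

-- 1. Audit: which functions in public can the anon role execute right now?
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_function_identity_arguments(p.oid) AS args
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
AND    has_function_privilege('anon', p.oid, 'EXECUTE');

-- 2. Remove the blanket EXECUTE grant that Postgres gives PUBLIC on every
--    new function, plus anything granted to anon directly, for existing
--    functions. Note this also removes PUBLIC's execute for other roles
--    (e.g. an "authenticated" role), so those need explicit GRANTs afterwards.
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM anon;

-- 3. Change the default so functions created later start with no EXECUTE
--    for PUBLIC either. This applies to objects created by the role running
--    the statement; add "FOR ROLE <owner>" if another role creates functions.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 4. Opt in explicitly: only this one RPC is meant to be callable anonymously.
--    "get_public_posts" is a hypothetical name used for illustration.
GRANT EXECUTE ON FUNCTION public.get_public_posts() TO anon;

-- 5. Re-run the audit query from step 1: the only public function listed
--    for anon should now be get_public_posts.
```

The audit query is also a useful recurring check after migrations, since any new function created by a role without the changed default privileges will again be executable by PUBLIC.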
> Anon role should start with nothing and the end user should very explicitly be turning on what unauthenticated users can access.
We agree. We're working on a pathway towards this. Under our original designs we matched all defaults to Postgres' defaults, and with any additions the idea was to "stay out of the way" during development. It's become increasingly important for us to design around security. This will definitely mean more difficult development for newbie developers, but it's an important step forward.
> I’ve been self hosting it for the past couple of months. It is a really nice product
Thanks for the kind words! The credit also belongs to the open source tools we leverage - Postgres, PostgREST, GoTrue, Kong
Useless or not, spending less human and environmental resources to make something is generally positive, no? Supabase enables developers with ideas to easily create software with more features thanks to a 1-click Postgres database + auth + a secure API. I imagine that would generally lead to more “usefulness” in an app.
All I need to do is install the npm package, write some psql, and the whole system can be driven securely in the frontend. As a dev with more experience in frontend than backend, it’s quite empowering for me! And I know companies who do much more than what I can accomplish with Supabase.
Yes, it is 100% a good thing. Computers should make our lives easier, and the best way to do that is to enable people to solve their own problems. Not everyone needs to rewrite Microsoft Word, but who knows what great idea someone is sitting on, just waiting for the tools to make it. Perhaps someone has a novel approach to task management, or needs a way to track medication but doesn't want to share their data. Giving people means to do more with their devices than swipe and click is a good thing.
Cheaper bets -> More bets -> more wins -> more winners -> more bets
E.g. Shopify absolutely made Ecom 10x easier, which has enabled more people to start brands catering to more niches while making more entrepreneurs wealthy who then invest in other entrepreneurs.
This is only a good thing; the marketplace cannot be too crowded.