Hello,
recently I was working on a project entirely made by AI. at first it looked plausible but as I dig deeper into the code I found out ton of security issues. we solved the security issues one by one. ( thankfully the site isn’t released yet and only have beta testing users )
my question is that is it considered a security issue if I let the client ( browser ) make the supabase api call instead of routing those requests through the backend ( vercel ) even when I have made policies that prevents unauthorized users from submitting INSERT queries however I am still not sure if this is enough.
one thing that comes in my mind is that any authorized user can just spam the database and fill it with junk data but I think I can just ban that user and delete all the junk data relatively easily using a SQL query?
the thing is that I don’t want to refactor AI code and make it “use server” instead of “use client”. since I have to make a ton of changes and I am still learning Nextjs. ( thinking about using AI to fix AI code but I don’t think it will work and don’t want more AI slop in the codebase )
any suggestions are appreciated!
This is fundamentally how Firebase etc. is meant to work: the client talks directly to the database, and security rules gate access. You don’t need your own backend in between.
As for the spam issue, you’re right that supabase can’t do it (firebase can btw.)
https://github.com/orgs/supabase/discussions/36512
https://github.com/orgs/supabase/discussions/19493
Not sure what the best approach is, but for me it just sounds like supabase is not ready for real world production.
ps:
trailbase seems to do user rate limiting by ip through a reverse proxy. I’m sure the same can be done for supabase. https://trailbase.io/documentation/production/#reverse-proxy