Questions: Security, Supabase and WeWeb and.. my app

Hi,

I’m not super familiar with security, and not super familiar with Supabase and WeWeb, so I’m hoping you could help point me in the right direction. If anyone wants to jump on a call or discuss this with me, it would be greatly appreciated.

__

So I’m creating an app consisting of a few different elements. A bit meta, but think of it as a blog creator:

  • Administration Pages
  • User Page (Public)
  • User Pages (Private / Internal / Organization level)

    The types of content would typically be:
      • Company
      • Categories
      • Articles
      • Authors

Users that are registered will have access to administration pages. The blog that users can create can either be Public or Private/Internal. If the blog is internal/private they have to be logged in, and have been given access to these pages.


WeWeb:
I’m using Supabase Collections to fetch currentUserProfile. It seems that the collection doesn’t return more than “my current user” even though it’s only a filter. Is this bad practice? I use this on currentCompany as well.

I am making third-party API calls, and thus I believe my keys are exposed in the dev tools. How would I best do REST calls to a third party without exposing my key?

The plan is to create subdomain.domain.com for each “user facing” site, and then connect company id to each of these sites (although public…), so that currentCompanyArticles will always be “only our articles”… But it feels a bit flimsy.

Supabase:
I will enable the RLS policies for the tables. But I’m not 100% sure how I want to move forward.

a) For public blogs, everyone should be able to see articles, authors and so on - as long as it is connected to the same Company as the page it is viewing. Is this company uuid = article.company_uuid?

b) For private blogs, I have to limit access. For articles, this would mean hiding all articles from users who do not have company uuid = article company uuid? + user.company_id = article_company_uuid?

The articles reside in the same table, and right now there is no difference between public/internal articles. I’m struggling to understand how I should pass the correct information to Supabase to authenticate. I am also not sure what WeWeb does for me, so I don’t know the level of security here.


Although building fast is great, I want to ensure it’s not gonna break if someone blows on it!
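The questions under a) and b) above come down to where the company check lives. A client-side filter in a WeWeb collection is not a security boundary: the request carries the user's JWT, and any row the RLS policies allow can be fetched by editing the query in the browser. The following is an added example (not code from the thread, WeWeb or Supabase) of how the shared `articles` table can be scoped per company with RLS. The table and column names (`companies`, `profiles.company_id`, `articles.company_id`, and a `visibility` column to distinguish public from internal articles, which the post says does not exist yet) are assumptions; `auth.uid()` is the standard Supabase helper that returns the calling user's id.

```sql
-- Added example: company-scoped RLS for a single articles table.
-- Schema below is assumed for illustration, not the poster's real schema.
create table public.companies (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- One profile row per auth user, pinning the user to a company.
create table public.profiles (
  id         uuid primary key references auth.users (id) on delete cascade,
  company_id uuid not null references public.companies (id)
);

-- Public and internal articles share one table; `visibility` separates them.
create table public.articles (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null references public.companies (id),
  author_id  uuid references public.profiles (id),
  title      text not null,
  body       text,
  visibility text not null default 'private'
             check (visibility in ('public', 'private'))
);

alter table public.profiles enable row level security;
alter table public.articles enable row level security;

-- The caller's company is read from profiles on the server, never taken from
-- a request parameter, so a user cannot claim to belong to another company.
-- security definer lets the function read profiles without hitting the
-- profiles RLS policy (avoids recursion); search_path is pinned for safety.
create or replace function public.current_company_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select company_id from public.profiles where id = auth.uid();
$$;

-- a) Public blog: anyone, logged in or not, may read public articles.
--    The subdomain -> company_id filter in WeWeb is then only a display filter.
create policy "public articles readable by everyone"
  on public.articles for select
  to anon, authenticated
  using (visibility = 'public');

-- b) Private blog: only logged-in users whose profile is in the same company.
--    For anon, current_company_id() is NULL and the comparison is never true.
create policy "private articles readable by company members"
  on public.articles for select
  to authenticated
  using (visibility = 'private' and company_id = public.current_company_id());

-- Writes: a member may only create or edit rows inside their own company,
-- and the `with check` clause stops them from moving a row to another company.
create policy "company members insert their articles"
  on public.articles for insert
  to authenticated
  with check (company_id = public.current_company_id());

create policy "company members update their articles"
  on public.articles for update
  to authenticated
  using (company_id = public.current_company_id())
  with check (company_id = public.current_company_id());

-- currentUserProfile: a user can only ever read their own profile row,
-- regardless of what filter the front-end sends.
create policy "users read own profile"
  on public.profiles for select
  to authenticated
  using (id = auth.uid());

-- Manual check in the SQL editor, inside a transaction: switch to the anon
-- role and confirm only public rows come back.
-- begin;
-- set local role anon;
-- select id, title, visibility from public.articles;
-- rollback;
```

With these policies the WeWeb collection for `currentCompanyArticles` can keep its `company_id = <subdomain's company>` filter for presentation, but a user who removes or changes that filter still only receives rows the policies permit. Because Supabase combines multiple permissive `select` policies with OR, a logged-in member sees both the public articles of every company and the private articles of their own; if public articles should also be limited to one company, fold the company test into the first policy as well.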

How many API calls to third parties are you expecting to make? Is it gonna be often and a lot?

Hi, the REST APIs would be called a lot yes. I’m using OpenAI API and RapidAPIs for core functions.

Also expensive if someone wants to grab my keys :sweat_smile:

Then what you’d need to do is actually make an Edge Function on Supabase (if the OpenAI plugin from WeWeb would not be enough for you); you’ll have to do that for RapidAPI anyway so…

There is also an option of calling APIs with PostgreSQL functions, but I’m not sure how sustainable that is. You’d have to try.

The WeWeb plugin is what I use now. Is that safer than using REST? For some reason I think that using the plugins hides the API request keys. But I don’t know why I think that.

Ah, edge functions… Do you know if I can do that from somewhere in the dashboard? I’ve never used vscode properly, but I might be able to tutorial my way to connect to Supabase…

Yeah, actually, anything you call from WeWeb REST can be snooped and abused I think. I know that the OpenAI plugin is called through WeWeb’s servers, so it’s secure. But yeah. I’d suggest using a backend. If you’re nocode, maybe Xano would be worth it.

I’m pretty well versed in Xano, actually – so if I would use that, it wouldn’t really be an issue.
But for this project I’m learning WeWeb and Supabase to broaden my stack knowledge.

I’m currently looking to utilize vector storing as well, and supabase does a great job for my use case atm. Pinecone is an alternative, but I’m interested in seeing what Supabase can do (also realtime is nifty).
I guess I’ll start learning backend then.

Hi @Kawwl :wave:

You are correct :slight_smile:

All calls made with the REST API plugin are made client-side and should NOT contain any secret API key.

If you use our OpenAI plugin, then your secret key and prompts configured in the plugin will be kept private.

You may think that because you read it in our user docs article on the OpenAI plugin :slight_smile:

In any case, calling OpenAI directly from your backend is also an option as @Broberto mentioned!

Since you’re familiar with Xano, you might enjoy this live stream @Quentin and @Locky did together on how to build a chatGPT clone with Xano and WeWeb.