Supabase Client-Side Disaster: Exposing Flaws in Basic Backend Security Protocols

Post date: March 23, 2026 · Discovered: April 17, 2026 · 3 posts, 13 comments

A specific, high-risk vulnerability emerged in a project using Supabase where every data call originated client-side. The setup had no backend policies protecting the data, so the database was only as private as the client code that queried it, a clear security vulnerability that other commenters noted.
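As an added illustration, not code from the discussion or from Supabase, the fix for the setup described above is enforced in the database rather than in the browser: PostgreSQL Row Level Security, which Supabase exposes through `auth.uid()`. The `notes` table and its `user_id` column are assumed for the example; the thread names no schema.

```sql
-- Constructed example table; the discussion names no schema.
create table public.notes (
  id      bigint generated always as identity primary key,
  user_id uuid   not null references auth.users (id),
  body    text   not null
);

-- WEAK: RLS is off by default on a new table. In that state the publishable
-- anon key shipped in the client bundle reads and writes every row, which is
-- the situation the discussion describes. There is nothing to write here:
-- the absence of the statements below is the vulnerability.

-- FIX: enable RLS. With RLS on and no policies, the anon and authenticated
-- roles see zero rows; only explicit policies grant access.
alter table public.notes enable row level security;

-- Each signed-in user may act only on rows they own.
create policy "notes: owner can read"
  on public.notes for select
  to authenticated
  using (auth.uid() = user_id);

create policy "notes: owner can insert"
  on public.notes for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "notes: owner can update"
  on public.notes for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "notes: owner can delete"
  on public.notes for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check: list any table in the public schema still exposed with RLS off.
-- An empty result is the expected state before shipping.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The service_role key bypasses RLS entirely and must stay on the server; only the anon key belongs in client code.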

Commenters deeply disagreed on the definition of code review. Some users insisted 'code review' must cover product viability—the question of 'should this be part of my product?'—while others restricted it solely to technical correctness: 'does it work?'. Furthermore, MagicShel asserted that reaching code review suggests a fundamental failure in the development process. Conversely, resipsaloquitur observed that these reviews often devolve into ideological arguments rather than pure technical critiques.

The weight of opinion screams for mandatory process discipline. The general consensus demands robust architectural reviews upstream and meticulous documentation of technical debt. The primary fault line remains the scope of critique: whether review must be purely technical, or if it must also govern product direction.

Key Points

SUPPORT

Client-side data calls without backend policies are a critical security failure.

ghodawalaaman pointed out a specific, severe risk in a Supabase implementation lacking server-side protections.

MIXED

Code review scope must encompass product viability, not just technical function.

The original poster argued for checking 'should this be part of my product?', countered by arguments limiting review to 'does it work?'.

SUPPORT

Reaching code review implies an early failure in architecture.

MagicShel argued this point strongly, stating that fundamental architectural questions belong much earlier in the cycle.

SUPPORT

Process hurdles are necessary for stability, despite stifling creativity.

litchralee compared process improvement to aviation safety, suggesting procedural gates are vital to avoid failure.

SUPPORT

Quick fixes require a personal guardrail for quality.

jackevans advocated for the rule: 'Would I understand this in 3 months?' to force deceleration.

Source Discussions (3)

This report was synthesized from the following Lemmy discussions, ranked by community score.

16 points · Code Review Is Not About Catching Bugs · [email protected] · 5 comments · 3/23/2026 · by codeinabox · davidpoll.com

13 points · The Cost of “Quick Fixes” in Codebases · [email protected] · 8 comments · 3/17/2026 · by jackevans

5 points · UX Strategist: The Only Job Where Saying ‘It Depends’ Is Considered Expertise · [email protected] · 1 comment · 1/22/2026 · by cm0002 · dnsk.work