
Supabase URL and anon tokens are very easy to retrieve from any site using them. This is normally not an issue for interior tables because you can set up RLS to restrict users from viewing/modifying/deleting data on those tables. But I cannot find anywhere that I can lock down the supabase.auth.signUp() function to a specific domain. I need this to restrict someone from stealing my credentials, building a separate site and flooding my users by signing up random users. I have figured out how to restrict sign ups altogether, but that is not what I am looking for, unless I am missing something with moving this functionality to the server and using the service key instead.

What is the best way to restrict signups to my Supabase instance to only users on my domain or those that I deem acceptable?

Craig Howell
  • I'm wondering the same thing... it seems like Supabase isn't "done yet." – jpsimons May 04 '22 at 16:34
  • It is technically still in Beta, so you are correct. – Craig Howell May 05 '22 at 15:30
  • As I understand your question you want users to sign up only from your website and nowhere else. May I ask, is there any way to restrict the login as well to a specific url? – Tony May 31 '22 at 20:59
  • Unfortunately, currently you CANNOT easily achieve this because HTTP headers are NOT exposed in db triggers related to auth APIs. There is still a workaround which does NOT require re-implementing the sign-up/sign-in APIs, but it does require an additional db table and an additional client call to the server - I've described it in this "Describe alternatives you've considered" section of this ticket: https://github.com/supabase/gotrue/issues/498 – chipilov Jun 14 '22 at 14:21
  • My workaround was to not use Supabase on the client at all, send everything through the backend, and check Origin and Referrer for security purposes. More secure in my opinion. – Craig Howell Jun 14 '22 at 16:20
  • I'm looking for a solution, too. Not only domain, but also username. I want to give permission only to some usernames. – Emre May 02 '23 at 16:21

1 Answer

I found a solution with a trigger.

You need to create a new function:

-- Trigger function: runs before each row is inserted into auth.users and
-- aborts the insert (and therefore the signup) when the email is not on the
-- allowed domain. SECURITY DEFINER lets it run with the owner's privileges
-- rather than those of the role performing the insert.
CREATE FUNCTION
  public.check_user_domain()
  RETURNS TRIGGER AS
  $$
  BEGIN
    -- LIKE is case-sensitive; '%@test.com' matches any address ending in @test.com
    IF NEW.email NOT LIKE '%@test.com' THEN
      RAISE EXCEPTION 'INCORRECT_DOMAIN';
    END IF;

    RETURN NEW;
  END;
  $$ LANGUAGE plpgsql SECURITY DEFINER;

Create trigger:

-- Attach the function to auth.users so every signup row is checked first
CREATE TRIGGER
  check_user_domain_trigger
  BEFORE INSERT ON auth.users
  FOR EACH ROW
  EXECUTE PROCEDURE
    public.check_user_domain();

I tested it on my application and it works.

I recorded a short video on YouTube: https://youtu.be/C-HoRO7Wrhg

Hope it can be helpful for you.

igdmitrov
  • This is a great check to make sure users are only specific to a single/multiple domains but my issue is around restricting access to supabase from only one/multiple domains. If my site is on domain `xyz.com`. Someone can take my supabase credentials since they are public and sign up users on domain `abc.com` because I cannot restrict that access. I don't care who signs up, they can have Yahoo, Gmail, etc. – Craig Howell Jul 29 '22 at 17:46
  • My fix was to move all supabase calls to the server and not allow anything on the client. It is just too risky for me. – Craig Howell Jul 29 '22 at 17:47
  • Okay, I understand you; I think it's not possible right now. – igdmitrov Jul 29 '22 at 19:43
  • I checked the PostgreSQL function inet_client_addr(), but it returns only the private IP address of the datacenter. – igdmitrov Jul 29 '22 at 19:44
  • This looks great! If you have a list of domains, it would look something like this? "... IF NEW.email NOT LIKE '%@test.com' AND NEW.email NOT LIKE '%@another.com' THEN..." ? – Jorgos Oct 21 '22 at 10:21
  • @Jorgos yes you can check domain in that way. – igdmitrov Oct 21 '22 at 14:31
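The comment thread above asks how to allow several domains. Chaining NOT LIKE clauses works, but every new domain then means editing the function. The following is an added example (not igdmitrov's code, and not part of Supabase itself) that generalises the answer's trigger: the allowed domains live in a table, the comparison is case-insensitive, and addresses without a domain part (including a NULL email, which the original `NOT LIKE` test would silently let through because `NULL NOT LIKE ...` is not true) are rejected. The table name `public.allowed_signup_domains` and the `search_path` setting are assumptions; the `auth.users` table and its `email` column are as used in the answer.

```sql
-- Added example: allowlist-table variant of the answer's trigger.
-- Assumed names: public.allowed_signup_domains, public.check_user_domain.

-- Domains are stored lower-cased so the comparison below is exact.
CREATE TABLE public.allowed_signup_domains (
  domain text PRIMARY KEY CHECK (domain = lower(domain))
);

-- Constructed sample data for the allowlist.
INSERT INTO public.allowed_signup_domains (domain)
VALUES ('test.com'), ('another.com');

-- Keep the allowlist out of reach of the API roles: the trigger reads it as
-- SECURITY DEFINER, so anon/authenticated never need direct access.
ALTER TABLE public.allowed_signup_domains ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON public.allowed_signup_domains FROM anon, authenticated;

CREATE OR REPLACE FUNCTION public.check_user_domain()
  RETURNS TRIGGER AS
$$
DECLARE
  -- Part after the '@', lower-cased; '' when there is no '@' or email is NULL.
  email_domain text := lower(split_part(coalesce(NEW.email, ''), '@', 2));
BEGIN
  -- Reject malformed or missing addresses instead of letting them pass.
  IF email_domain = '' THEN
    RAISE EXCEPTION 'INCORRECT_DOMAIN';
  END IF;

  -- Reject any domain that is not on the allowlist.
  IF NOT EXISTS (
    SELECT 1
    FROM public.allowed_signup_domains d
    WHERE d.domain = email_domain
  ) THEN
    RAISE EXCEPTION 'INCORRECT_DOMAIN';
  END IF;

  RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public;

-- Same attachment point as in the answer: check every row before insert.
CREATE TRIGGER check_user_domain_trigger
  BEFORE INSERT ON auth.users
  FOR EACH ROW
  EXECUTE FUNCTION public.check_user_domain();
```

Pinning `search_path` on a SECURITY DEFINER function stops a caller-controlled search path from redirecting the function's table and operator lookups, which matters here because the function runs with the owner's privileges. Note, as the question's comments point out, that this still only controls which email addresses may sign up; it does not identify which site issued the signup call, since the trigger never sees HTTP headers.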