supabase delete user through application

Question

I have a supabase project where I want the users to be able to delete their account. Every user has a profile in public.profiles. I thought I could let the users delete their profile and then handle the deletion of the account using a trigger.

So I created this:

CREATE OR REPLACE FUNCTION deleteUser() RETURNS TRIGGER AS $$
BEGIN
    DELETE FROM auth.users WHERE auth.users.id = OLD.user_id;
    RETURN OLD;
END $$ LANGUAGE 'plpgsql';

CREATE TRIGGER deleteUserTrigger 
    AFTER DELETE
ON public.profiles
FOR EACH ROW 
    EXECUTE PROCEDURE deleteUser();

In the supabase table-editor interface it works great, but when I delete an account through my application it fails with: code: "42501", message: "permission denied for table users".

const { error } = await client.from("profiles").delete().eq("user_id", user.id);
console.log(error)

Without the trigger there is no error and the profile is deleted (but the account persists obviously).

Any help would be much appreciated!

I found this but I'm not sure about it..

Answer 1

If anybody is having this same issue, it can be fixed by adding security definer

so the sql becomes this:

CREATE OR REPLACE FUNCTION deleteUser() RETURNS TRIGGER AS $$
BEGIN
    DELETE FROM auth.users WHERE auth.users.id = OLD.user_id;
    RETURN OLD;
END $$ LANGUAGE 'plpgsql' security definer;

CREATE TRIGGER deleteUserTrigger 
    AFTER DELETE
ON public.profiles
FOR EACH ROW 
    EXECUTE PROCEDURE deleteUser();