import os
from supabase import Client, ClientOptions, create_client
from supabase_auth import SyncMemoryStorage
from dotenv import load_dotenv

# Load variables from a .env file (when one is present) into the process
# environment at import time, ahead of the app import that follows and of
# every os.getenv() lookup in this module. The Supabase keys read below are
# secrets: keep the .env file out of version control and out of logs.
load_dotenv()

from app.url_utils import sanitize_env


def get_supabase() -> Client:
    """Build the privileged, server-side Supabase client.

    The key comes from SUPABASE_SERVICE_ROLE_KEY, with SUPABASE_KEY as the
    fallback, and the project URL from SUPABASE_URL; both values pass through
    sanitize_env() before use. A service-role key bypasses row level security,
    so anything done through this client runs without per-user RLS checks and
    the caller has to enforce authorization itself.

    NOTE(review): the SUPABASE_KEY fallback means the returned client is only
    as privileged as whatever key that variable holds -- confirm deployments
    do not set it to the anon key where service-role access is expected.

    Returns:
        A Supabase ``Client`` created from the configured URL and key.

    Raises:
        RuntimeError: If the URL or the key is missing or empty after
            sanitizing.
    """
    raw_key = os.getenv("SUPABASE_SERVICE_ROLE_KEY") or os.getenv("SUPABASE_KEY")
    project_url = sanitize_env(os.getenv("SUPABASE_URL"))
    service_key = sanitize_env(raw_key)

    if project_url and service_key:
        return create_client(project_url, service_key)

    # Refuse to build a client from partial configuration.
    raise RuntimeError(
        "SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY (or SUPABASE_KEY) must be set"
    )


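def get_supabase_for_user_jwt(access_token: str) -> Client:
    """
    Client scoped to the logged-in user: PostgREST sends the user's JWT so RLS applies.
    Use SUPABASE_ANON_KEY (publishable), not the service role key.

    Args:
        access_token: The user's Supabase access token (JWT). It is forwarded
            unchanged in the ``Authorization`` header; this function does not
            verify its signature, audience or expiry, so the token must come
            from an authenticated request.

    Returns:
        A Supabase ``Client`` built with the anon key, in-memory session
        storage and the user's bearer token in its headers.

    Raises:
        ValueError: If ``access_token`` is not a non-blank string.
        RuntimeError: If SUPABASE_URL or the anon key is missing or empty
            after sanitizing.
    """
    # Fail closed on a missing token: without this guard the header would be
    # built as "Bearer None" or "Bearer " and the client would be handed back
    # as if it were user-scoped.
    if not isinstance(access_token, str) or not access_token.strip():
        raise ValueError("access_token must be a non-empty string")

    url = sanitize_env(os.getenv("SUPABASE_URL"))
    anon = sanitize_env(os.getenv("SUPABASE_ANON_KEY") or os.getenv("NEXT_PUBLIC_SUPABASE_ANON_KEY"))
    if not url or not anon:
        raise RuntimeError(
            "SUPABASE_URL and SUPABASE_ANON_KEY (or NEXT_PUBLIC_SUPABASE_ANON_KEY) must be set "
            "for user-scoped Supabase access"
        )

    # A throwaway options object is built only to read the library's default
    # headers, so the user's Authorization header is added on top of them
    # rather than replacing the whole header set.
    base_opts = ClientOptions(storage=SyncMemoryStorage())
    merged_headers = {**dict(base_opts.headers), "Authorization": f"Bearer {access_token}"}

    # Each client gets its own SyncMemoryStorage instance, so the session is
    # held in memory and not shared between the clients built here.
    # NOTE(review): confirm the installed supabase client keeps a
    # caller-supplied Authorization header instead of overwriting it with the
    # anon key; if it overwrites, requests would run as the anon role.
    opts = ClientOptions(storage=SyncMemoryStorage(), headers=merged_headers)
    return create_client(url, anon, opts)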