supabase-best-practices
314
总安装量
310
周安装量
#849
全站排名
安装命令
npx skills add https://github.com/pedrobarretocw/supabase-best-practices --skill supabase-best-practices
Agent 安装分布
claude-code
218
gemini-cli
192
opencode
191
cursor
171
codex
171
Skill 文档
Supabase Best Practices
Comprehensive security and performance optimization guide for Supabase applications with Clerk authentication integration. Contains 40+ rules across 10 categories, prioritized by impact to guide secure development and code review.
When to Apply
Reference these guidelines when:
- Setting up a new Supabase project
- Integrating Clerk authentication with Supabase
- Writing Row Level Security (RLS) policies
- Designing database schemas
- Implementing real-time features
- Configuring Storage buckets
- Writing Edge Functions
- Reviewing code for security issues
Rule Categories by Priority
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Row Level Security | CRITICAL | rls- |
| 2 | Clerk Integration | CRITICAL | clerk- |
| 3 | Database Security | HIGH | db- |
| 4 | Authentication Patterns | HIGH | auth- |
| 5 | API Security | HIGH | api- |
| 6 | Storage Security | MEDIUM-HIGH | storage- |
| 7 | Realtime Security | MEDIUM | realtime- |
| 8 | Edge Functions | MEDIUM | edge- |
| 9 | Testing | MEDIUM | test- |
| 10 | Security | MEDIUM | security- |
Quick Reference
1. Row Level Security (CRITICAL)
rls-always-enable– Always enable RLS on public schema tablesrls-wrap-functions-select– Wrap auth functions with (SELECT …) for performancerls-add-indexes– Add indexes on columns used in RLS policiesrls-specify-roles– Specify roles with TO authenticated clauserls-security-definer– Use SECURITY DEFINER functions for complex policiesrls-minimize-joins– Minimize joins in RLS policiesrls-explicit-auth-check– Use explicit auth.uid() checksrls-restrictive-policies– Use RESTRICTIVE policies for additional constraints
2. Clerk Integration (CRITICAL)
clerk-setup-third-party– Use Third-Party Auth integration (not JWT templates)clerk-client-server-side– Use accessToken callback for server-side clientsclerk-client-client-side– Use useSession() hook for client-side clientsclerk-role-claim– Configure role: authenticated claim in Clerkclerk-org-policies– Use organization claims for multi-tenant RLSclerk-mfa-policies– Enforce MFA with RESTRICTIVE policiesclerk-no-jwt-templates– Never use deprecated JWT template integration
3. Database Security (HIGH)
db-migrations-versioned– Use versioned migrations for schema changesdb-schema-design– Follow proper schema design patternsdb-indexes-strategy– Implement proper indexing strategydb-foreign-keys– Always use foreign key constraintsdb-triggers-security– Secure trigger functions properlydb-views-security-invoker– Use SECURITY INVOKER for views
4. Authentication Patterns (HIGH)
auth-jwt-claims-validation– Always validate JWT claimsauth-user-metadata-safety– Treat user_metadata as untrustedauth-app-metadata-authorization– Use app_metadata for authorizationauth-session-management– Implement proper session management
5. API Security (HIGH)
api-filter-queries– Always filter queries even with RLSapi-publishable-keys– Use publishable keys correctlyapi-service-role-server-only– Never expose service role key to client
6. Storage Security (MEDIUM-HIGH)
storage-rls-policies– Enable RLS on storage.objectsstorage-bucket-security– Configure bucket-level securitystorage-signed-urls– Use signed URLs for private files
7. Realtime Security (MEDIUM)
realtime-private-channels– Use private channels for sensitive datarealtime-rls-authorization– RLS policies apply to realtimerealtime-cleanup-subscriptions– Clean up subscriptions on unmount
8. Edge Functions (MEDIUM)
edge-verify-jwt– Always verify JWT in edge functionsedge-cors-handling– Handle CORS properlyedge-secrets-management– Use secrets for sensitive data
9. Testing (MEDIUM)
test-pgtap-rls– Test RLS policies with pgTAPtest-isolation– Isolate tests properlytest-helpers– Use test helper functions
10. Security (MEDIUM)
security-validate-inputs– Validate all inputs before processingsecurity-audit-advisors– Regularly run Security Advisor checks
How to Use
Read individual rule files for detailed explanations and code examples:
references/rules/rls-always-enable.md
references/rules/clerk-setup-third-party.md
references/rules/_sections.md
Each rule file contains:
- Brief explanation of why it matters
- Incorrect code example with explanation
- Correct code example with explanation
- When NOT to use the pattern
- Reference links to official documentation
Full Compiled Document
For the complete guide with all rules expanded: references/supabase-guidelines.md