
How to protect admin routes with Supabase?

Learn how to protect admin routes with Supabase by setting up projects, creating role-based policies, configuring middleware, and testing access control in your app.

Matt Graham, CEO of Rapid Developers



Step 1: Set Up Your Supabase Project

  • Go to the Supabase website and log in to your account.
  • Create a new project by selecting your preferred organization and giving the project a name. Select the region and click on "Create New Project."
  • Once the project is created, you will be directed to the project dashboard. Take note of the API URL and API Key available in the project's API settings, as you will need them for your backend code.

Step 2: Define Your User Roles

  • Navigate to the "Authentication" section via the side navigation menu.
  • Go to "Policies" under the "Auth" menu.
  • Create a new role called 'admin' in the Auth policies. Optionally, create other roles as needed.

Step 3: Create a Custom Table Policy in Supabase for Admin Routes

  • Navigate to the "Database" section, then select "Tables."
  • Select the table for which you want to protect the admin routes.
  • Click on "Policies" at the top and click on the "New Policy" button.
  • Define a new policy for admin access. Use the SQL below as a template for your admin policy:

-- Replace your_table_name with the table that backs your admin routes.
-- "for all" covers select, insert, update and delete; with no separate
-- "with check" clause, Postgres applies the using() expression to writes too.
create policy "Allow admin access only"
  on your_table_name
  for all
  using (
    auth.role() = 'admin'
  );

Step 4: Connect Supabase with Your Application

  • Install the Supabase client in your application. If you are using Node.js, you can install it via npm:

npm install @supabase/supabase-js

  • Import and initialize the Supabase client in your app configuration. Replace SUPABASE_URL and SUPABASE_ANON_KEY with your project's credentials:

import { createClient } from '@supabase/supabase-js';

// Project URL from the API settings, e.g. https://<project-ref>.supabase.co
const supabaseUrl = 'https://SUPABASE_URL';
// The anon (public) key; keep the service_role key out of client-side code.
const supabaseAnonKey = 'SUPABASE_ANON_KEY';

export const supabase = createClient(supabaseUrl, supabaseAnonKey);

Step 5: Implement Admin Route Protection in Your Application

  • In your application, define middleware or a guard that checks whether the user has the admin role before allowing access to admin routes.
  • Example for a Node.js Express middleware:

import express from 'express';
import { supabase } from './supabaseClient.js'; // the client exported in Step 4 (file name assumed)

const app = express();

const adminRouteProtection = async (req, res, next) => {
  // Verify the token the client sent in the access-token header. In supabase-js v2
  // this is supabase.auth.getUser(jwt) and the user lives under data.user
  // (v1 used supabase.auth.api.getUser, which returned { user, error } directly).
  const { data: { user }, error } = await supabase.auth.getUser(req.headers['access-token']);

  if (error || !user || user.role !== 'admin') {
    return res.status(403).json({ error: 'Access denied. Admins only.' });
  }

  next();
};

app.use('/admin', adminRouteProtection);
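The guard below is an added example, not code from the tutorial or from Supabase: it carries the Step 5 middleware through with the checks a practitioner would want (Bearer header parsing, fail-closed error handling, distinct 401 and 403 responses). It assumes the supabase-js v2 shape `supabase.auth.getUser(token) -> { data: { user }, error }`, injected as a function so it can run offline; because Supabase sets `user.role` (and the SQL `auth.role()`) to the token's Postgres role, `anon` or `authenticated`, the application role is read from `app_metadata.role`, which only the dashboard or a service-role call can set, never from the user-editable `user_metadata`.

```javascript
// Added example, not the page's code: an Express-style admin guard written against the
// supabase-js v2 shape supabase.auth.getUser(token) -> { data: { user }, error }.
// The lookup is injected so the guard runs offline here; in a real app pass
// (token) => supabase.auth.getUser(token). The role comes from app_metadata.role,
// which only the service role or dashboard can set, never from user_metadata.
function extractBearer(req) {
  const header = req.headers && req.headers.authorization;
  if (typeof header !== 'string') return null;
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (scheme !== 'Bearer' || !token || rest.length > 0) return null;
  return token;
}

function requireAdmin(getUser) {
  return async (req, res, next) => {
    const token = extractBearer(req);
    if (!token) return res.status(401).json({ error: 'Missing bearer token' });
    let result;
    try {
      result = await getUser(token);
    } catch (_err) {
      // Fail closed: a network or verification error never grants access.
      return res.status(401).json({ error: 'Token verification failed' });
    }
    const user = result && result.data ? result.data.user : null;
    if (!user || result.error) return res.status(401).json({ error: 'Invalid or expired token' });
    const role = user.app_metadata ? user.app_metadata.role : undefined;
    if (role !== 'admin') return res.status(403).json({ error: 'Access denied. Admins only.' });
    req.user = user; // downstream handlers see the verified user, not the raw token
    return next();
  };
}

// Constructed stand-in for supabase.auth.getUser with two sample tokens (no real JWTs).
// tok-user claims 'admin' only in user_metadata, which the guard must ignore.
const SAMPLE_USERS = new Map([
  ['tok-admin', { id: 'u1', app_metadata: { role: 'admin' }, user_metadata: {} }],
  ['tok-user', { id: 'u2', app_metadata: { role: 'user' }, user_metadata: { role: 'admin' } }],
]);
async function fakeGetUser(token) {
  const user = SAMPLE_USERS.get(token) || null;
  return user ? { data: { user }, error: null } : { data: { user: null }, error: { message: 'invalid JWT' } };
}
// Minimal req/res harness so the guard can be exercised without Express.
async function runGuard(guard, authorization) {
  const res = { statusCode: 200, status(c) { this.statusCode = c; return this; }, json() { return this; } };
  let nextCalled = false;
  await guard({ headers: authorization ? { authorization } : {} }, res, () => { nextCalled = true; });
  return { status: nextCalled ? 200 : res.statusCode, nextCalled };
}
```

Wire it into Express with `app.use('/admin', requireAdmin((token) => supabase.auth.getUser(token)))` and have clients send `Authorization: Bearer <access token>`.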

Step 6: Test Your Setup

  • Run your application and attempt to access the protected admin routes.
  • Ensure the middleware correctly restricts access based on the user role.
  • Adjust and troubleshoot as necessary to ensure the role-based access control is functioning as expected.
