How to secure Supabase storage files?

Learn to secure Supabase storage files with step-by-step guidance: set up your project, configure private buckets, apply access policies, and integrate with your app.

Matt Graham, CEO of Rapid Developers


 

Step 1: Set Up Supabase Project

 

  • Go to the Supabase website and sign up for an account if you haven't already.
  • Once signed in, create a new project by providing a name, database password, and choosing a region.
  • Navigate to your new project's dashboard.

 

Step 2: Enable and Configure Storage

 

  • In your Supabase dashboard, find the "Storage" option on the left-hand sidebar and click on it.
  • Create a new storage bucket by clicking on the "New bucket" button, and give it a name. Make sure the option for "Public" is toggled off to keep files private.

 

Step 3: Secure the Storage Bucket with Policies

 

  • Navigate to the "Policies" tab within the Storage section.
  • Click on "New Policy" to add a new policy for securing access to the files.
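  • Use the SQL editor provided to write a policy that restricts access. Here's an example policy that lets authenticated users read only the files they own in one bucket:

-- Signed-in users may read only the objects they own in this bucket
CREATE POLICY "Authenticated users can access their files"
ON storage.objects
FOR SELECT
TO authenticated
USING (bucket_id = 'your-bucket-name' AND auth.uid() = owner);

  • Modify according to your requirements, ensuring users can only perform actions they are permitted to. This policy covers SELECT only; uploads, updates and deletes each need their own INSERT, UPDATE or DELETE policy, and are denied until one exists.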

 

Step 4: Integrate Supabase Storage with Frontend

 

  • Install the Supabase client in your frontend project. If you're using npm:

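npm install @supabase/supabase-js

  • Set up the Supabase client in your application by providing your project's API URL and public (anon) key. Only the anon key belongs in frontend code; the service_role key bypasses Row Level Security and must stay on the server: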

import { createClient } from '@supabase/supabase-js'

const supabaseUrl = 'https://xyzcompany.supabase.co'
const supabaseAnonKey = 'your-anonymous-public-api-key'

const supabase = createClient(supabaseUrl, supabaseAnonKey)

 

Step 5: Upload and Manage Files

 

  • Use the Supabase client to securely upload files:

async function uploadFile(file) {
  const { data, error } = await supabase
    .storage
    .from('your-bucket-name')
    .upload('public/' + file.name, file)

  if (error) {
    console.error('Error uploading file: ', error.message)
  } else {
    console.log('File uploaded successfully:', data)
  }
}

 

Step 6: Access and Download Files Securely

 

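  • Retrieve and download files for authenticated users. The download() call is made with the signed-in user's session, so the policy from Step 3 decides whether it succeeds; the URL created below is a local object URL for the downloaded blob, not a shareable link. For a time-limited link, supabase-js also provides createSignedUrl(path, expiresIn):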

async function downloadFile(filePath) {
  const { data, error } = await supabase
    .storage
    .from('your-bucket-name')
    .download(filePath)

  if (error) {
    console.error('Error downloading file: ', error.message)
  } else {
    const url = URL.createObjectURL(data)
    console.log('File download URL:', url)
  }
}

 

Step 7: Review and Test Your Security

 

  • Test downloading files with both authenticated and non-authenticated states to ensure the policy functions correctly.
  • Regularly review and update your policies to align with any changes in your application's security requirements.
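
The checks from Step 7 as a small script (an added example, not part of the original tutorial). It also covers a second signed-in user, because an anonymous-versus-authenticated test alone does not catch a policy that lets any logged-in user read another user's files. The stub client, the users "alice" and "bob" and the sample object are constructed so the example runs offline; with a real project, pass clients created by createClient() instead.

```javascript
// Runs each case through storage.from(bucket).download(path) and returns the
// cases whose outcome differs from what the policy is supposed to produce.
async function checkAccess(clients, bucket, cases) {
  const failures = []
  for (const { who, path, expectAllowed } of cases) {
    const { data, error } = await clients[who].storage.from(bucket).download(path)
    const allowed = !error && data != null
    if (allowed !== expectAllowed) {
      failures.push(`${who} -> ${path}: expected ${expectAllowed ? 'allow' : 'deny'}, got ${allowed ? 'allow' : 'deny'}`)
    }
  }
  return failures
}

// Constructed stand-in for a supabase-js client (assumption: only the
// download() call is modelled). canRead(uid, owner) plays the role of the policy.
function stubClient(uid, objects, canRead) {
  return {
    storage: {
      from: () => ({
        download: async (path) =>
          objects.has(path) && canRead(uid, objects.get(path))
            ? { data: 'file-bytes', error: null }
            : { data: null, error: { message: 'denied (constructed error)' } },
      }),
    },
  }
}

const ownerOnly = (uid, owner) => uid !== null && uid === owner // Step 3 policy
const anyAuthenticated = (uid) => uid !== null // policy that is too broad

// Constructed sample data: one object owned by user "alice".
const objects = new Map([['alice/report.pdf', 'alice']])
const cases = [
  { who: 'anon', path: 'alice/report.pdf', expectAllowed: false },
  { who: 'alice', path: 'alice/report.pdf', expectAllowed: true },
  { who: 'bob', path: 'alice/report.pdf', expectAllowed: false },
]

// One signed-out client and two clients signed in as different users.
function makeClients(canRead) {
  return {
    anon: stubClient(null, objects, canRead),
    alice: stubClient('alice', objects, canRead),
    bob: stubClient('bob', objects, canRead),
  }
}
```

An empty result from checkAccess means every case behaved as expected; each returned string names the user and path where the policy is looser or stricter than intended.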

 

Step 8: Monitor and Audit Usage

 

  • Utilize Supabase's dashboard tools to monitor your bucket usage and review access logs.
  • Periodically audit your policies and file access to ensure compliance and security remain robust.

 
