PowerSync’s Sync Rules and Supabase’s support for Row Level Security (RLS) can be used in conjunction. Here are some high level similarities and differences:
  • RLS should be used as the authoritative set of security rules applied to your users’ CRUD operations that reach Postgres.
  • Sync Rules are only applied for data that is to be downloaded to clients — they do not apply to uploaded data.
    • Sync Rules can typically be considered to be complementary to RLS, and will generally mirror your RLS setup.
Supabase tables are often created with auto-increment IDs. For easiest use of PowerSync, make sure to convert them to text IDs as detailed here.

Example

Continuing with the schema set up during the guide, below are the RLS policies for the to-do list app: 
alter table public.lists
  enable row level security;

alter table public.todos
  enable row level security;

create policy "owned lists" on public.lists for ALL using (
  auth.uid() = owner_id
);

create policy "todos in owned lists" on public.todos for ALL using (
  auth.uid() IN (
    SELECT lists.owner_id FROM lists WHERE (lists.id = todos.list_id)
  )
);
auth.uid() in a Supabase RLS policy is the same as request.user_id() (previously token_parameters.user_id) in Sync Rules. If you compare these to your Sync Rules configuration in sync-rules.yaml, you’ll see they are quite similar. If you have any questions, join us on our community Discord where our team is always available to help.