
g14wxz/realtime-channel-authorization

Secures Supabase Realtime private channels via RLS policies on the realtime.messages table.

Quality: 97% (does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Security (by Snyk): Passed (no known issues)


Realtime Channel Authorization

Configures private Realtime channels with RLS-backed authorization and tenant-scoped Presence/Broadcast security.

Overview

Supabase Realtime supports Broadcast, Presence, and Postgres Changes over WebSocket channels. Channels are public by default: any client holding the project's anon key can join a public channel and receive every message on it, so tenant data published there leaks across tenants. This tile makes channels private and backs them with RLS policies on the internal realtime.messages table, which Realtime evaluates when a client joins, sends a Broadcast, or tracks Presence on a private channel. Postgres Changes is authorized separately by the RLS policies on the source tables, so the realtime.messages policies here cover Broadcast and Presence; together they extend tenant isolation to all real-time communication.

Reference

Channel Multiplexing Pattern

{resource}:{tenant_id}:{sub_topic}

Example: orders:tenant_abc:updates, a single channel for all order updates within a tenant. The policies below extract the tenant segment positionally (the second ':'-separated field), so none of the three segments may contain ':'; in particular, tenant IDs must be colon-free or the comparison silently fails.

RLS on realtime.messages

ALTER TABLE realtime.messages ENABLE ROW LEVEL SECURITY;

-- Receive: tenant segment of the joined topic must equal the JWT tenant_id claim.
CREATE POLICY "tenant_realtime_select" ON realtime.messages
FOR SELECT TO authenticated
USING (split_part(realtime.topic(), ':', 2) = (SELECT auth.jwt() ->> 'tenant_id'));

-- Send: without an INSERT policy, Broadcast send and Presence track are rejected.
CREATE POLICY "tenant_realtime_insert" ON realtime.messages
FOR INSERT TO authenticated
WITH CHECK (split_part(realtime.topic(), ':', 2) = (SELECT auth.jwt() ->> 'tenant_id'));

RLS is already enabled on realtime.messages, so the ALTER is a harmless safety net. The tenant must be read from the topic via realtime.topic(): the extension column holds the text 'broadcast' or 'presence', not JSON, so an expression like extension ->> 'tenant_id' does not parse; extension is the column to test if Presence needs a different policy from Broadcast. Both policies read tenant_id from the top level of the JWT, so the claim must be minted server-side (for example by a custom access token hook that copies it from app_metadata); never derive it from user_metadata, which the user can change through the Auth API. A token without the claim compares against NULL and is denied.

Private Channel Subscription (Client)

const channel = supabase.channel('orders:tenant_abc:updates', {
  config: { private: true }, // default is false, which skips realtime.messages RLS entirely
});
// A policy denial surfaces as CHANNEL_ERROR on subscribe, not as a silent empty stream.
channel.subscribe((status, err) => { if (status !== 'SUBSCRIBED') console.error(status, err); });
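As an added example, not code from the tile or from Supabase, the following JavaScript ties the three reference pieces together: building a topic in the {resource}:{tenant_id}:{sub_topic} form with segments that cannot shift the tenant position, a local mirror of the policy's split_part(realtime.topic(), ':', 2) comparison so the allow and deny cases can be exercised offline, and a private-channel join that turns CHANNEL_ERROR into a rejected promise. Assumptions: supabase-js v2's channel()/subscribe() signatures; buildTopic, tenantOfTopic, policyAllows, subscribePrivate and fakeClient are names chosen here, and fakeClient is a constructed stand-in for the Realtime server, not the real one.

```javascript
// Added example (not part of the tile): tenant-scoped topic construction, a
// local mirror of the split_part(realtime.topic(), ':', 2) policy check, and
// a private-channel join that treats CHANNEL_ERROR as a hard failure.
// Assumed: supabase-js v2 channel()/subscribe() API; helper names are ours.

// No ':' allowed, so the positional parse in the policy cannot be shifted.
const SEGMENT = /^[A-Za-z0-9_-]+$/;

// Build "{resource}:{tenant_id}:{sub_topic}", rejecting any segment that
// would put extra fields into the topic (e.g. a tenantId of "a:b").
function buildTopic(resource, tenantId, subTopic) {
  for (const [name, value] of Object.entries({ resource, tenantId, subTopic })) {
    if (typeof value !== 'string' || !SEGMENT.test(value)) {
      throw new Error(`invalid ${name}: ${JSON.stringify(value)}`);
    }
  }
  return `${resource}:${tenantId}:${subTopic}`;
}

// Mirror of Postgres split_part(topic, ':', 2): second field, or '' if absent.
function tenantOfTopic(topic) {
  const parts = topic.split(':');
  return parts.length >= 2 ? parts[1] : '';
}

// Local model of the policy's USING / WITH CHECK expression. A missing claim
// is SQL NULL, and `NULL = x` is not true, so the row is denied.
function policyAllows(topic, claims) {
  const claim = claims && typeof claims.tenant_id === 'string' ? claims.tenant_id : null;
  if (claim === null) return false;
  return tenantOfTopic(topic) === claim;
}

// Join a private channel. `client` is a supabase-js client (or a stand-in).
// Resolves with the channel on SUBSCRIBED; rejects on CHANNEL_ERROR/TIMED_OUT,
// which is how a policy denial or a missing/expired JWT shows up.
function subscribePrivate(client, topic) {
  return new Promise((resolve, reject) => {
    const channel = client.channel(topic, { config: { private: true } });
    channel.subscribe((status, err) => {
      if (status === 'SUBSCRIBED') resolve(channel);
      else if (status === 'CHANNEL_ERROR' || status === 'TIMED_OUT') {
        reject(new Error(`join ${topic} failed: ${status}${err ? ` (${err.message})` : ''}`));
      }
    });
  });
}

// Constructed stand-in for the Realtime server: applies the policy model
// locally so the flow runs offline. Public channels never consult RLS.
function fakeClient(claims) {
  return {
    channel(topic, opts) {
      return {
        topic,
        opts,
        subscribe(cb) {
          const allowed = !opts?.config?.private || policyAllows(topic, claims);
          cb(allowed ? 'SUBSCRIBED' : 'CHANNEL_ERROR', allowed ? undefined : new Error('Unauthorized'));
          return this;
        },
      };
    },
  };
}

// Demo against the stand-in: a tenant_abc token joins its own channel but not tenant_xyz's.
subscribePrivate(fakeClient({ tenant_id: 'tenant_abc' }), buildTopic('orders', 'tenant_abc', 'updates'))
  .then((ch) => console.log('joined', ch.topic));
subscribePrivate(fakeClient({ tenant_id: 'tenant_abc' }), buildTopic('orders', 'tenant_xyz', 'updates'))
  .catch((err) => console.error(err.message));
```

In production, pass a real supabase-js client to subscribePrivate and keep the topic derived from server-trusted data. A rejection here means the policy denied the join or the token carries no tenant_id claim; treat it as a claim-minting or policy bug to alert on, not as a transient network error to retry.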

Dependencies

  • supabase-mcp-verification — validates migration application.
  • tenant-isolation-rls — provides the tenant scoping patterns reused in Realtime policies.

Composition Position

Runs after tenant-isolation-rls establishes the base tenant isolation model. Feeds into realtime-connection-resilience which handles client-side connection stability for the channels this tile secures.

Workspace: g14wxz
Visibility: Public
Publish Source: CLI