﻿1
00:00:01,170 --> 00:00:04,710
So right now everyone could still fetch

2
00:00:04,710 --> 00:00:07,830
and mutate data from our API

3
00:00:07,830 --> 00:00:11,640
even if they cannot log into the application's UI

4
00:00:11,640 --> 00:00:13,380
that we have been building.

5
00:00:13,380 --> 00:00:15,270
And so let's now fix that

6
00:00:15,270 --> 00:00:20,270
by implementing authorization also on Supabase itself

7
00:00:20,370 --> 00:00:24,693
by updating all our row level security policies.

8
00:00:26,220 --> 00:00:30,060
So again, right now, any malicious actor

9
00:00:30,060 --> 00:00:33,990
could very easily find out the URL to our API

10
00:00:33,990 --> 00:00:38,190
even if they cannot see this graphical user interface.

11
00:00:38,190 --> 00:00:40,770
So just from reading our front end code,

12
00:00:40,770 --> 00:00:43,380
they could figure that out and then they could,

13
00:00:43,380 --> 00:00:46,020
for example, delete all of our bookings,

14
00:00:46,020 --> 00:00:50,910
or all of our cabins, and really destroy our entire app.

15
00:00:50,910 --> 00:00:53,490
And so of course we don't want that,

16
00:00:53,490 --> 00:00:55,740
and therefore we need to now update

17
00:00:55,740 --> 00:00:58,173
the row level security policies.

18
00:00:59,070 --> 00:01:01,860
But first, let me actually show you in action

19
00:01:01,860 --> 00:01:04,560
how that could be possible.

20
00:01:04,560 --> 00:01:06,870
So let's log out here, now.

21
00:01:06,870 --> 00:01:10,893
And so on this page, we are, of course, no longer logged in.

22
00:01:12,180 --> 00:01:14,943
So let's now come here to the login page.

23
00:01:16,140 --> 00:01:19,620
And then here we can still include,

24
00:01:19,620 --> 00:01:22,833
for example, the cabin table.

25
00:01:24,030 --> 00:01:26,880
So this component which will read

26
00:01:26,880 --> 00:01:29,340
all the cabins from our API,

27
00:01:29,340 --> 00:01:31,863
and that should work just fine.

28
00:01:32,700 --> 00:01:35,070
So let's wait for the data to arrive.

29
00:01:35,070 --> 00:01:37,440
And indeed, here it is.

30
00:01:37,440 --> 00:01:40,740
So even without being logged into the application,

31
00:01:40,740 --> 00:01:43,500
we can still see this cabin data,

32
00:01:43,500 --> 00:01:46,950
and we could even edit or delete them.

33
00:01:46,950 --> 00:01:50,820
And so this, of course, doesn't make any sense at all.

34
00:01:50,820 --> 00:01:52,260
So we need to protect this

35
00:01:52,260 --> 00:01:56,613
and also enable authorization right on the server side.

36
00:01:58,290 --> 00:02:01,650
But luckily for us, that's not very difficult.

37
00:02:01,650 --> 00:02:04,800
So we just need to come back here to our policies

38
00:02:04,800 --> 00:02:06,840
and then update all of them

39
00:02:06,840 --> 00:02:09,963
to only apply to authenticated users.

40
00:02:10,830 --> 00:02:13,770
So let's click here on Edit.

41
00:02:13,770 --> 00:02:16,443
And then here, we don't have to change anything.

42
00:02:17,280 --> 00:02:19,860
All we need to do is to set the target role

43
00:02:19,860 --> 00:02:24,093
to authenticated, and that's it.

44
00:02:25,050 --> 00:02:27,930
So we could also change here the name

45
00:02:27,930 --> 00:02:30,510
but there's no need to do that,

46
00:02:30,510 --> 00:02:32,613
that just takes too much time.

47
00:02:34,410 --> 00:02:37,440
So, we have to do all of this for all of them now.

48
00:02:37,440 --> 00:02:39,360
So, that's gonna be a bit boring.

49
00:02:39,360 --> 00:02:43,560
So, I will just fast forward the video

50
00:02:43,560 --> 00:02:46,290
right after doing this one.

51
00:02:46,290 --> 00:02:48,660
Okay, so you can pause the video now,

52
00:02:48,660 --> 00:02:51,247
and do all of this on your own now.

53
00:02:57,060 --> 00:02:59,070
Okay, and there we go.

54
00:02:59,070 --> 00:03:03,810
So, all of them are now only for authenticated users.

55
00:03:03,810 --> 00:03:05,460
And of course if you were building

56
00:03:05,460 --> 00:03:08,760
some other kind of application, then for example,

57
00:03:08,760 --> 00:03:12,630
the select part here might be available for all users

58
00:03:12,630 --> 00:03:16,080
but then inserting or deleting or updating

59
00:03:16,080 --> 00:03:19,590
might only be for authenticated users.

60
00:03:19,590 --> 00:03:23,340
So you don't always have to choose exactly these roles here,

61
00:03:23,340 --> 00:03:26,763
but for this application, this is what makes sense.

62
00:03:28,260 --> 00:03:31,230
All right, and if we now come back here,

63
00:03:31,230 --> 00:03:35,490
then it actually says no cabins could be found.

64
00:03:35,490 --> 00:03:37,410
So, if we reload that manually

65
00:03:37,410 --> 00:03:39,690
then indeed we get the same result

66
00:03:39,690 --> 00:03:42,270
because again at this place here,

67
00:03:42,270 --> 00:03:44,460
we are not authenticated.

68
00:03:44,460 --> 00:03:47,760
And so we are then no longer allowed

69
00:03:47,760 --> 00:03:50,313
to see this data right here.

70
00:03:51,690 --> 00:03:54,690
So, let's remove that, log in,

71
00:03:54,690 --> 00:03:58,470
and so the rest should, of course, still work.

72
00:03:58,470 --> 00:04:02,100
And indeed, here we have our bookings and cabins.

73
00:04:02,100 --> 00:04:03,150
And so that works

74
00:04:03,150 --> 00:04:06,213
because here we are, of course, authenticated.

75
00:04:07,200 --> 00:04:09,240
Great, and so with this

76
00:04:09,240 --> 00:04:14,240
we also protected our data right in our Supabase database.

77
00:04:14,250 --> 00:04:16,800
And with this, we are almost finished

78
00:04:16,800 --> 00:04:19,170
with this whole authentication part.

79
00:04:19,170 --> 00:04:21,510
The only thing that we want to do next

80
00:04:21,510 --> 00:04:26,510
is to also allow each user to update their password,

81
00:04:26,760 --> 00:04:30,840
maybe even their name, and also to upload an avatar.

82
00:04:30,840 --> 00:04:34,230
And so let's do that over the next few lectures

83
00:04:34,230 --> 00:04:36,873
in order to really wrap up this part.

