0

When a user in my application claps virtually in the theatre, it will send a request for increasing a count by 1 in Supabase. Currently, I am using signInWithPassword for authentication and the update RLS policy is enabled for authenticated users only.

However, with this approach, the user can open the Chrome console, copy the request headers, including apikey and authentication, and update the count by sending additional requests, e.g. by using Postman.

What should I do to prevent this? I tried to set the JWT expiration time to 1 sec and successfully achieved the goal, but this solution sounds strange.

He3lixxx
Andy

1 Answer

0

You have to make a trade-off between simplicity and security.

If you want to make it so that you can limit how many claps a user can send, or how often they can send claps, etc., you have to keep every record of claps that every user sends. You can have a claps table that holds user_id to hold who clapped, clapped_at to hold when the clap happened, and maybe a post_id or whatever suits your application to hold what the clap was for. This way, when a user attempts to clap, you can check to see if it's a valid clap or not. Supabase makes it easy to count rows, so getting the total claps isn't a huge issue.

dshukertjr
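Added example (not part of the answer above, and not Supabase's own code): one way to lay out the claps table the answer describes for a Supabase Postgres database, with the limits enforced in the database rather than in the client. A copied apikey and JWT replayed from Postman still hits the same row-level security policies and trigger, so the replay buys the user nothing they could not do from the page. The table, column, view and policy names, and the limits of 50 claps per user per post and one clap per second, are assumptions chosen for the example.

```sql
-- Added example: append-only clap log for Supabase/Postgres.
-- Table, view, policy names and the numeric limits are assumptions.

create table public.claps (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  post_id    bigint not null,
  clapped_at timestamptz not null default now()
);

alter table public.claps enable row level security;

-- Logged-in users may read clap rows, which is all counting needs.
create policy "claps are readable by authenticated users"
  on public.claps for select
  to authenticated
  using (true);

-- A user may only insert rows that carry their own user_id; the JWT's
-- subject (auth.uid()) decides this, not anything the client sends.
create policy "users may only clap as themselves"
  on public.claps for insert
  to authenticated
  with check (auth.uid() = user_id);

-- No update or delete policy: the log is append-only, so a replayed
-- request can never rewrite a stored count or remove someone else's claps.

-- Limits enforced before every insert, so they apply to Postman as much
-- as to the browser. The advisory lock serialises concurrent inserts for
-- the same user and post, closing the race where two requests both read
-- the old count and both get through.
create or replace function public.enforce_clap_limits()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
begin
  perform pg_advisory_xact_lock(hashtext(new.user_id::text || ':' || new.post_id::text));

  if (select count(*) from public.claps
      where user_id = new.user_id and post_id = new.post_id) >= 50 then
    raise exception 'clap limit reached for this post';
  end if;

  if exists (select 1 from public.claps
             where user_id = new.user_id
               and post_id = new.post_id
               and clapped_at > now() - interval '1 second') then
    raise exception 'clapping too fast';
  end if;

  return new;
end;
$$;

create trigger claps_enforce_limits
  before insert on public.claps
  for each row execute function public.enforce_clap_limits();

-- Total claps per post, derived from the rows instead of stored as a
-- counter column that an update request could set to any value.
create or replace view public.clap_counts as
  select post_id, count(*) as claps
  from public.claps
  group by post_id;
```

With this schema the client no longer updates a counter; it inserts one row into claps with just the post_id (user_id and clapped_at come from the defaults) and reads totals from clap_counts. The 1-second JWT expiry from the question is then unnecessary: the token can keep a normal lifetime because nothing a replayed request can do exceeds what the policies and trigger allow.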