Using EntityFramework Core with Supabase

[wgrs]

I am using EF Core with Supabase , but working directly with the Postgres database (using the postgres db connection string in app settings). Migrations works fine and all is good, but now I want to take advantage of the Auth stuff and that means using the csharp client. But, as I am in project development, I still want to use EF Core to generate table structures as my models evolve. Is this possible? Use EF Core and csharp client?

[acupofjose]

Yep! You don’t have to use the postgrest-csharp or realtime-csharp client functionality from the main supabase-csharp repo. You would just use the main client and access the Gotrue Auth from Supabase.Auth after initializing it.

[wgrs]

Ok, so I have had a few weeks at trying to get this to work. I have a aspnet core web api and tried to integrate .Net auth with Supabase auth but I am getting unexpected results.

I log a user in, and then grab the JWT from the response and paste it into the Swagger Client. Then I make a request to a secured endpoint but I am getting a 401 response. Makes no sense.

Should I be sending the whole session object back with each request?

The .Net Auth setup below for bearer tokens

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddBearerToken("Bearer");

The method I was expecting to work is returning 401. I call this endpoint from swagger with the token in the header. Same result from PostMan

app.MapPost("/addprofile", async (AddUserProfileDataRequest req, Supabase.Client supabase) =>
{
    if (req is null)
    {
        throw new ArgumentNullException(nameof(req));
    }

  
    var model = new Profile
    {
        Id = Guid.Parse(supabase.Auth.CurrentUser!.Id!),
        FirstName = req.FirstName,
        LastName = req.LastName,
        Role = req.Role,
        Profession = req.Profession,
        Title = req.Title
    };

    var response = await supabase.From<Profile>().Insert(model);

}).RequireAuthorization();

[acupofjose]

Couple ideas:

• Does your RLS policy allow the provided token (user) to insert into the Profile table?
• Are you sure your token is being loaded in the request for the particular user? If you're not using the gotrue handler for session persistence, you'd need to set the session (using SetSession). If you are using the gotrue persistence handler, try calling LoadSession

If you're calling the swagger api with just the raw token, I'd assume either it's expired or that your headers are malformed. The way the C# library formats them can be found here which hopefully is some help to you!

[wgrs]

• Yes, the RLS policy allows users to insert into their own policy.
• Yes, the token must be loaded. I tested with Swagger and with Postman.
• No I am not using the session. I am just passing the access token. Could that be the issue?

Just to clarify, its my Web Api that is returning the 401, not supabase. SWAGGER <--> MYAPI <--> SUPABASE. When I debug my code, the pointer does not step into the endpoint. It just returns the 401, so the 401 is not coming from supabase.

The token was generated about 30 seconds before the call to the auth endpoint so it cant have expired. It last 360 seconds as far as I can see. Swagger doesnt malform its headers but I double checked by using a different client - Postman.

There are 3 RLS policies. Everyone can view. User can Update and Insert.

Should I take a different approach and have no auth on the web api endpoint and pass through the call to supabase platform and let the auth be done there? That seems shoddy to me. Very confusing. There are loads of examples for JS stuff but nothing for .Net. Need Milan Jovanovic to put together a tutorial using a .net web api with auth :-)

[acupofjose]

You’re right, could definitely use some more framework specific examples!

I'm not sure how helpful it would be, but the todo repo has authentication set up on it, just in the WASM context and not as an API endpoint.

[wgrs]

@acupofjose

I removed the RequireAuthentication from my api and let the call go through to supabase ( using swagger with the access token added). It failed RLS. No idea why.

Postgrest.Exceptions.PostgrestException: {"code":"42501","details":null,"hint":null,"message":"new row violates row-level security policy for table \"profiles\""}
   at Postgrest.Helpers.MakeRequest(ClientOptions clientOptions, HttpMethod method, String url, JsonSerializerSettings serializerSettings, Object data, Dictionary`2 headers, CancellationToken cancellationToken)
   at Postgrest.Helpers.MakeRequest[T](ClientOptions clientOptions, HttpMethod method, String url, JsonSerializerSettings serializerSettings, Object data, Dictionary`2 headers, Func`1 getHeaders, CancellationToken cancellationToken)
   at Program.<>c.<<<Main>$>b__0_6>d.MoveNext() in /home/greg/Dev/Projects/FSBO/src/FSBO.Api/Program.cs:line 113
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass102_2.<<HandleRequestBodyAndCompileRequestDelegateForJson>b__2>d.MoveNext()
--- End of stack trace from previous location ---
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

HEADERS

Accept: /
Host: localhost:7195
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.46
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Content-Type: application/json
Origin: https://localhost:7195
Referer: https://localhost:7195/index.html
Content-Length: 199
sec-ch-ua: "Chromium";v="118", "Microsoft Edge";v="118", "Not=A?Brand";v="99"
DNT: 1
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty

[acupofjose]

What’s the RLS policy on it?

Based on the error, the token is valid, it’s the RLS policy that’s not passing (probably the CREATE/INSERT policy)

[wgrs]

How can you see that the token is valid?

CREATE POLICY "Enable insert for users based on user_id" ON "public"."profiles"
AS PERMISSIVE FOR INSERT
TO public

WITH CHECK (true)

[wgrs]

@acupofjose

Got it working. Turns out I had set foreign key of the auth.user table as the primary key of the profiles table. Which its not, its a reference column. Duh.

But the my API is still throwing a 401

Thanks for the help.