Skip to main content

Supabase Pitfalls: Avoid These Common Mistakes for a Robust Backend

· 13 min read
Serhii Hrekov
Serhii Hrekov
software engineer, creator, artist, programmer, projects founder

Supabase Pitfalls: Avoid These Common Mistakes for a Robust Backend

Supabase offers a powerful open-source alternative to Firebase, built around PostgreSQL. Its ease of use makes it a favorite for rapid development, but this very convenience can lead developers down paths that introduce technical debt, performance bottlenecks, and security vulnerabilities. Understanding and avoiding these common pitfalls is crucial for building a robust and scalable application.

1. Neglecting Database Migrations and Relying Solely on the UI

Many developers start their Supabase journey by creating tables and managing their schema directly through the Supabase Studio UI. While excellent for prototyping, this approach becomes a major liability in a production environment. Manual schema changes are prone to human error, difficult to track, and nearly impossible to replicate consistently across development, staging, and production environments.

The Mistake:

  • Manually creating/altering tables in Supabase Studio.
  • No version control for database schema changes.

The Solution: Embrace the Supabase CLI for Migrations. The Supabase CLI allows you to manage your schema changes as version-controlled SQL migration files. This brings your database schema under source control, just like your application code.

Code Example: Creating and Applying Migrations

  1. Initialize your Supabase project locally (if you haven't already):

    supabase init

  2. Make changes to your database locally (e.g., via supabase start and a local client).

  3. Generate a migration from your local changes:

    supabase db diff -f add_users_table

    This creates a new SQL file (timestamp_add_users_table.sql) in your supabase/migrations folder.

  4. Apply migrations to your local or remote database:

    # Apply to local DB
    supabase db reset

    # Apply to remote DB
    supabase db push

    Always review the generated SQL file before pushing to production.

Why this is better: Version-controlled migrations ensure your database schema evolves predictably, can be rolled back if necessary, and allows team collaboration on schema changes.

2. Over-reliance on Row-Level Security (RLS) for All Business Logic

Row-Level Security (RLS) is one of PostgreSQL's most powerful features, and Supabase makes it incredibly accessible. It allows you to define policies that restrict data access at the row level based on user roles or arbitrary conditions. However, using RLS for all complex business logic can lead to performance issues and make your application harder to debug.

The Mistake:

  • Placing complex, multi-step business logic directly within RLS policies.
  • Using overly complex RLS policies that involve many subqueries.

The Solution: Use RLS as a final security layer; keep business logic in your application/Edge Functions. RLS should be a robust access control mechanism, not a replacement for application-level logic.

Code Example: Effective RLS vs. Business Logic

Bad RLS (Overly complex for RLS):

-- This RLS is too complex and should likely be handled by application logic
CREATE POLICY "user_can_update_their_complex_order" ON orders FOR UPDATE USING (
  auth.uid() = user_id AND (
    SELECT status FROM order_statuses WHERE id = orders.status_id
  ) IN ('pending', 'processing') AND (
    SELECT COUNT(*) FROM order_items WHERE order_id = orders.id AND product_id IN (
      SELECT id FROM products WHERE category = 'digital'
    )
  ) < 5
);

Good RLS (Focus on simple access control):

-- Allow users to view their own orders
CREATE POLICY "Users can view their own orders" ON orders FOR SELECT USING (auth.uid() = user_id);

-- Allow users to update their own orders if the status is 'pending'
CREATE POLICY "Users can update their own pending orders" ON orders FOR UPDATE USING (
  auth.uid() = user_id AND status = 'pending'
);

Complex order validation (e.g., checking product categories, item limits) should happen in your API layer (e.g., a Supabase Edge Function or a custom backend service) before the database transaction.

Why this is better: Simpler RLS policies execute faster. Business logic in application code is easier to test, debug, and scale.

3. Storing Everything in the public Schema

By default, all tables created in Supabase Studio land in the public schema. As your project grows, dumping everything into public can lead to a disorganized and difficult-to-manage database.

The Mistake:

  • All tables, views, and functions reside in the public schema.
  • Lack of logical separation for different data types (e.g., user data, billing, admin-only).

The Solution: Organize your database with custom schemas. PostgreSQL supports multiple schemas, allowing you to logically group related tables and functions, improving organization, security, and clarity.

Code Example: Using Custom Schemas

  1. Create a new schema (e.g., app_private for sensitive data):

    CREATE SCHEMA app_private;

    -- Grant usage to the authenticated role for procedures, but not direct table access
    GRANT USAGE ON SCHEMA app_private TO authenticated;

  2. Create tables within the new schema:

    CREATE TABLE app_private.user_sensitive_data (
      user_id uuid PRIMARY KEY REFERENCES public.users(id),
      ssn TEXT -- Example of sensitive data
    );

  3. Access data via a function (if needed) rather than direct table access for security:

    CREATE FUNCTION public.get_user_profile_data(user_id uuid)
    RETURNS SETOF public.users AS $$
      SELECT id, name, email FROM public.users WHERE id = user_id;
    $$ LANGUAGE sql STABLE SECURITY DEFINER;

Why this is better:

  • Organization: Better logical grouping of tables and functions.
  • Security: You can restrict direct access to schemas (like app_private) and only expose data through explicitly defined functions, preventing accidental exposure.
  • Clarity: Makes it easier for new team members to understand the database structure.

4. Ignoring the Supavisor Connection Pooler in Serverless Environments

Serverless functions (like Edge Functions or AWS Lambda) can spin up and down rapidly, creating and closing many database connections in a short amount of time. PostgreSQL has a limited number of concurrent connections it can handle, and hitting this limit will cause too many connections errors.

The Mistake:

  • Connecting directly to the primary database port (e.g., 5432) from serverless functions.
  • Experiencing too many connections errors under load.

The Solution: Utilize Supabase's built-in Connection Pooler (Supavisor). Supavisor is a lightweight, highly scalable connection pooler that sits between your application and your PostgreSQL database. It reuses existing database connections, reducing the load on your database.

Code Example: Connecting via the Connection Pooler

When connecting from your application, use the connection string that includes the pooler's port (often 6543) instead of the direct database port.

# Instead of:
# DATABASE_URL = "postgresql://postgres:password@db.xyz.supabase.co:5432/postgres"

# Use the pooler:
DATABASE_URL = "postgresql://postgres:password@db.xyz.supabase.co:6543/postgres"

# For SQLAlchemy/Asyncpg in Python (example)
# from sqlalchemy.ext.asyncio import create_async_engine
# engine = create_async_engine(DATABASE_URL)

# For Deno Edge Functions (example):
# const client = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
#   db: {
#     pool: {
#       connectionString: SUPABASE_DB_POOL_URL, // This URL uses port 6543
#     },
#   },
# });

Important: Ensure your connection string points to the correct port for the pooler, not the direct database port. Supabase typically provides this dedicated connection string in your project settings.

Why this is better:

  • Scalability: Handles a high volume of ephemeral connections from serverless functions.
  • Reliability: Prevents too many connections errors and improves application uptime.
  • Performance: Reduces the overhead of establishing new database connections.

5. Ignoring Supabase Auth Helpers in Client-Side Frameworks

Managing authentication sessions, refreshing tokens, and handling server-side rendering (SSR) or static site generation (SSG) with Supabase Auth can be complex if done manually. Developers often try to write their own token management logic, leading to subtle bugs and security risks.

The Mistake:

  • Manually handling JWT tokens, refresh tokens, and session storage in a client-side framework (e.g., Next.js, SvelteKit, React).
  • Inconsistent authentication states between client and server in SSR/SSG apps.

The Solution: Use @supabase/auth-helpers for your chosen framework. Supabase provides official Auth Helpers libraries for popular frameworks like Next.js, SvelteKit, React, and Vue. These libraries abstract away the complexities of auth, providing hooks and utilities for seamless integration.

Code Example: Using Supabase Auth Helpers (Next.js example)

  1. Install the helper:

    npm install @supabase/auth-helpers-nextjs @supabase/supabase-js

  2. Set up the Supabase client and session management:

    // utils/supabase/client.ts
    import { createClientComponentClient } from '@supabase/auth-helpers-nextjs'
    import { Database } from '@/types/supabase' // Your generated types

    export const supabase = createClientComponentClient<Database>()

    // utils/supabase/server.ts (for SSR/Server Components)
    import { createServerComponentClient } from '@supabase/auth-helpers-nextjs'
    import { cookies } from 'next/headers'
    import { Database } from '@/types/supabase'

    export const createServerSupabaseClient = () => {
      cookies().getAll() // This line is crucial for Next.js 13+ to ensure cookies are read
      return createServerComponentClient<Database>({
        cookies: () => cookies(),
      })
    }

  3. Use it in your components:

    // app/profile/page.tsx (example React/Next.js component)
    import { createServerSupabaseClient } from '@/utils/supabase/server'

    export default async function Profile() {
      const supabase = createServerSupabaseClient()
      const { data: { user } } = await supabase.auth.getUser()

      if (!user) {
        // Handle unauthenticated state
        return <div>Please log in.</div>
      }

      return <div>Welcome, {user.email}</div>
    }

Why this is better:

  • Security: Correctly handles JWT refreshing and session management.
  • Simplicity: Reduces boilerplate and complex auth logic in your application.
  • Consistency: Ensures consistent authentication state across client and server in SSR/SSG applications.

Conclusion

Supabase is an incredibly powerful platform, but like any sophisticated tool, it comes with best practices that, if ignored, can lead to headaches. By understanding these common mistakes-from embracing migrations and sensible RLS to leveraging connection pooling and auth helpers-you can build robust, scalable, and secure applications with Supabase. Remember, a little upfront planning goes a long way in avoiding future pain.