codewithtyler
•1 min read

The Art of RLS: Why AI Can't Replace You ​

Hey everyone! 👋 Today I want to talk about something I've been seeing a lot in our Discord community - developers struggling with Row Level Security (RLS) in Supabase, particularly when working with AI tools like Bolt. Let's dive into why this happens and how to approach it better.

Authentication 101 ​

Before we dive deep into RLS, let's understand a fundamental concept: authentication. In simple terms:

  • Authenticated Users: These are people who have logged into your app. Think about when you log into social media - you provide your email and password, and the app knows who you are. Once logged in, you can see your private messages, post updates, and access your personal information.

  • Unauthenticated Users: These are visitors who haven't logged in. Like when you visit a news website without an account - you can read public articles, but you can't access premium content or leave comments.

This distinction is crucial because RLS uses it to determine who can see or modify what data. It's like having a VIP pass at a concert - some areas are open to everyone, while others require that special badge.

The AI Trap ​

Here's a scenario I see regularly: A developer is building their app with Bolt's help, everything seems to be going great until suddenly... their data access isn't working as expected. The common response? "But Bolt wrote this policy for me, it should work!"

This is where we need to pause and have an important conversation about AI and critical thinking.

Understanding RLS: It's About Intent ​

Row Level Security isn't just about writing policies - it's about understanding the intent behind data access. Let's break this down with a real-world example:

Imagine you're building a social platform where users can share posts. When thinking about data access, you need to consider questions like:

For Authenticated Users ​

  • Can they edit their own posts?
  • Should they see private posts from their friends?
  • Can they access their own profile settings?

For Unauthenticated Users ​

  • Can they see public posts?
  • Should they see user profiles?
  • What information should be hidden?

Think of it like a museum:

  • The general public (unauthenticated) can view the main exhibits
  • Members (authenticated) get access to special exhibitions
  • Staff (authenticated with special roles) can access storage areas
  1. When should they see it?
    • Only when logged in?
    • Only during certain times?
    • Only with certain roles?

These aren't just technical questions - they're business logic decisions that require human understanding.

Where AI Falls Short ​

AI tools like Bolt are incredible at:

  • Writing syntax-correct policies
  • Implementing common patterns
  • Generating boilerplate code

But they struggle with:

  • Understanding your specific business rules
  • Knowing your application's security requirements
  • Anticipating edge cases unique to your app

The Right Way to Work with AI on RLS ​

Here's how to effectively use AI while maintaining security:

  1. Start with Intent

    • Before asking AI for help, clearly define what you want to protect
    • Write down who should have access and when
    • Document your security requirements

  2. Guide the AI

    • Don't just ask for "RLS policies"
    • Provide specific context about your access rules
    • Explain the relationships between your data

  3. Review Critically

    • Test every policy thoroughly
    • Consider edge cases
    • Verify against your security requirements

A Real Example ​

Let's say you're building a medical records system. Instead of asking Bolt:

"Create RLS policies for my patients table"

You should say:

"Create RLS policies for a patients table where:
1. Doctors can only see their assigned patients
2. Patients can only see their own records
3. Admins can see all records
4. Unauthenticated users can't see anything"

See the difference? The second prompt includes critical business logic that AI needs to understand.

Common Pitfalls to Avoid ​

  1. Blind Trust

    • Always double-check what AI suggests - just like you'd review a colleague's work
    • Test everything thoroughly before going live

  2. Incomplete Context

    • Be specific about who should see what in your app
    • Explain how different parts of your app connect (like how posts connect to users)

  3. Missing Edge Cases

    • AI might not consider all scenarios
    • Think through unusual situations and test for them

The Path Forward ​

Remember: AI is like having a helpful assistant, but you're still in charge of keeping your app secure. Here's what to do:

  1. Plan who should see what in your app
  2. Write down these rules in plain language
  3. Let AI help you turn these rules into code
  4. Test everything carefully
  5. Keep an eye on things once your app is live

Let's Discuss! ​

Have you encountered challenges with RLS in your projects? How do you balance AI assistance with security requirements? Share your experiences with me over on X!

P.S. If you're interested in learning more about effective AI usage in development, check out my other posts about What is Bolt? and Managing AI Memory.

Copyright © 2024 Tyler Hughes