Currently, our API route can be used by anyone navigating to its endpoint. To ensure that this function can only be executed by our application, we need to create a special secret value.
In this video, we generate a special key to secure our API route. This value must be provided as a query parameter on the request to our endpoint, or an error response will be sent back.
To confirm this is working correctly, we use the Thunder Client extension. When the API_ROUTE_SECRET is not provided, we receive a 401 response. When the correct value is attached, our serverless function executes, creating a Stripe customer and updating our profile table in Supabase.
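The check described above, sketched as an added example (not the code from the video): a Next.js-style handler that returns 401 unless the `API_ROUTE_SECRET` query parameter matches the configured value, using a constant-time comparison and failing closed when the secret is unset. The query key name, the `createCustomer` stand-in, the `fakeRes` helper and the error text are assumptions made for illustration.

```javascript
// Added example: API route guarded by API_ROUTE_SECRET (names are assumptions).
const crypto = require("node:crypto");

// Compare two strings without leaking where they differ via timing.
// Hashing first gives equal-length buffers, which timingSafeEqual requires.
function secretsMatch(provided, expected) {
  const a = crypto.createHash("sha256").update(String(provided)).digest();
  const b = crypto.createHash("sha256").update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns true only when the request carries the configured secret.
function isAuthorized(query, env = process.env) {
  const expected = env.API_ROUTE_SECRET;
  // Fail closed: an unset or empty secret must never match anything.
  if (typeof expected !== "string" || expected.length === 0) return false;
  const provided = query.API_ROUTE_SECRET;
  // A repeated query key is parsed as an array; reject non-strings.
  if (typeof provided !== "string") return false;
  return secretsMatch(provided, expected);
}

// Handler in the shape of a Next.js API route: (req, res).
// createCustomer is a hypothetical stand-in for the Stripe/Supabase work.
function makeHandler(createCustomer, env = process.env) {
  return async function handler(req, res) {
    if (!isAuthorized(req.query || {}, env)) {
      return res.status(401).send("You are not authorized to call this API");
    }
    const result = await createCustomer(req.body);
    return res.status(200).json(result);
  };
}

// Minimal constructed response object so the handler runs outside Next.js.
function fakeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}
```

Because the secret travels in the URL, it can appear in server and proxy access logs, so it should be easy to rotate.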
Quick question - I am able to "auth" in GitHub, like you show - but the session/user is NOT being logged into the profile table. Always empty. Maybe know why?
Very strange! This may be related to an issue someone asked about on the triggers lesson. Can you try deleting the postgres function from the "Use Postgres Functions to Implement Database Logic with Supabase" lesson and stepping through its creation again with the video - you may need to also delete the trigger that calls this function. Make sure you set the "Type of security" to "Security Definer". Failing this you could try doing it with pure SQL - similar to this solution: https://github.com/supabase/supabase/issues/563#issuecomment-772954907
Lastly, if it is still being weird, can you send me your project ref (part of your Supabase URL) and I can look into it 👍