データベース・RLS（Supabase / Postgres / 認可）の設計ガイド

The cause of 'I wrote Supabase RLS but in Next.js data comes back empty / everything is visible' is almost always how the client is created. Premised on the App Router, with official-compliant real code it explains @supabase/ssr's createBrowserClient/createServerClient, the cookie getAll/setAll, middleware's getUser/getClaims, the mechanism by which the JWT reaches auth.uid(), and why you must not use service_role on the client.

An implementation guide that designs Supabase Realtime authorization with RLS on the realtime.messages table. With official-compliant real code, it explains: enabling a private channel with private:true and setAuth, expressing 'only members of that room can send/receive' with realtime.topic() and the extension (broadcast/presence), the mechanism by which postgres_changes respects the target table's own RLS, JWT expiry and re-authentication, and the (select) wrap optimization.

A beginner's guide that carefully explains Supabase (PostgreSQL) row-level security (RLS) from zero to writing your first policy. With official-compliant real code: enable row level security, SELECT/INSERT/UPDATE/DELETE policies, USING/WITH CHECK, the two-layer model of GRANT and RLS, anon/authenticated/service_role, and the 5 traps beginners always fall into.

Supabase (PostgreSQL) row-level security (RLS) gets slow even written correctly. Fold per-row evaluation into an InitPlan with the (select) wrap of auth.uid(), index the policy columns, narrow roles with TO, rewrite JOINs into set references, and erase lookups with security definer functions and JWT claims — 6 optimizations compliant with the official benchmarks, explained with real code and an EXPLAIN ANALYZE measurement procedure.

An implementation guide to the official pattern for integrating RBAC into RLS with Supabase (PostgreSQL). With official-compliant real code, it explains: app_role/app_permission enums and user_roles/role_permissions tables, putting a role claim into the JWT with custom_access_token_hook, judging permission with a security-definer authorize() function, calling authorize() from RLS policies, token refresh after a role change, and the safe distinction between app_metadata and user_metadata.

Systematically debug the three big symptoms commonly hit with Supabase (PostgreSQL) row-level security (RLS) — 'SELECT returns empty,' 'INSERT rejected with new row violates row-level security policy,' 'RLS isn't working and data leaks' — with a cause-isolation flow and diagnostic SQL (pg_policies, relrowsecurity, auth.uid(), set local role). Official-compliant, a procedure to fix with evidence, not guesses.

An implementation guide that designs Supabase Storage access control with RLS policies on storage.objects. With official-compliant real code: no policy means no upload (default deny), the 'uid folder = only your files' pattern via bucket_id and storage.foldername(name), public/private buckets and signed URLs, defense in depth with file_size_limit/MIME restrictions, and safe upload from Next.js.

An implementation guide to handling pgvector type-safely from TypeScript / Next.js. With real code it explains Drizzle ORM's vector column and HNSW index schema definition, enabling the extension (manual migration since drizzle-kit doesn't generate it), a kNN query with cosineDistance, Zod boundary validation and embedding generation in a Server Action, SQL-injection safety, and an accessible search UI.

An implementation guide for operating Drizzle ORM (TypeScript) in production. Explained all in real code: type inference from schema-as-code ($inferSelect/$inferInsert), the SQL-like query builder and relational queries, drizzle-kit migrations, transactions, prepared statements, Edge compatibility, and how to choose between it and Prisma.

A data-isolation and authorization design guide for never leaking another tenant's data or PII in a B2B multi-tenant SaaS. We explain — in real code faithful to AWS official and OWASP — the silo/pool/bridge isolation strategies, BOLA/IDOR and ID-enumeration countermeasures, PII scoping with a two-tier schema, industry/role authorization consolidated into the router layer, and the tests/penetration that prove isolation.

A production design guide for pushing multi-tenant SaaS authorization down to the DB layer with zero trust using Supabase's row-level security (RLS). Explained with real code, in reusable, official-spec-compliant patterns: anon/authenticated/service_role, USING/WITH CHECK, tenant_id isolation, (select auth.uid()) performance optimization, and pgTAP tests.

A test strategy to trust Supabase/PostgreSQL Row-Level Security (RLS) in production. Switch request.jwt.claims with pgTAP to verify both allow and deny paths, plus the pitfalls of SECURITY DEFINER and search_path, an RLS-coverage CI gate, and migration safety (squawk)—all in real code. RLS isn't done when you write it; it becomes trustworthy in production only when you test it.

Multiple people scoring the same game at once from a stadium with bad reception — I pushed that consistency and its multi-layered authorization down into the DB with deterministic idempotency keys and PostgreSQL row-level security (RLS), instead of relying on WebSocket broadcasts or client-side gating. Explained with real code from a Supabase / Expo / Next.js monorepo.