Supabase Data Layer
1.0.0 Dashboard + generated app access helpers and RLS patterns.
Supabase Data Access Layer
The dashboard now routes all database interactions through a Supabase-aware
data access layer. Server handlers no longer import prisma directly; instead
they call helpers from apps/dashboard/src/lib/data.
Required Environment Variables
| Variable | Description |
|---|---|
| NEXT_PUBLIC_SUPABASE_URL | Supabase project URL (https://{project-ref}.supabase.co) |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Client key used for RLS-scoped requests in the browser and server components |
| SUPABASE_SERVICE_ROLE_KEY | Service-role key used for privileged mutations after membership checks |
| NEXT_PUBLIC_DASHBOARD_URL | Origin used when generating Supabase auth redirect links |
Set the three Supabase secrets in both .env and your deployment provider.
The data layer performs authorization with the anon key first (respecting any
RLS policies) and falls back to the service-role client only for writes that
require elevated privileges.
Access Patterns
- Organization, secret, and API key endpoints call the data helpers under apps/dashboard/src/lib/data. These helpers check membership/permissions and emit audit events centrally.
- Supabase SSR helpers live under apps/dashboard/src/lib/supabase. The new data layer utilities (getRlsClient, getServiceRoleClient) can be used by future helpers that need raw Supabase clients.
- Audit logging is now centralized via recordOrganizationAuditLog to ensure every privileged action leaves a trace.
Adding New Data Helpers
- Create a module in apps/dashboard/src/lib/data.
- Use the shared membership helpers to verify access before performing writes.
- Return friendly errors by throwing Error objects with a statusCode property; route handlers translate these into HTTP responses.
- Update apps/dashboard/src/lib/data/index.ts to export the helper.
- Update .env.example and this document if new secrets are required.
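
One way a helper written to these steps could look, as an added example rather than the dashboard's own code. In-memory arrays stand in for the RLS-scoped and service-role Supabase clients (which are asynchronous in practice), and createSecret, readOwnMembership, httpError, toResponse and the 404/403 choice are all assumptions; only the statusCode convention comes from this page.

```typescript
// Added example. In-memory stand-ins replace Supabase; all names here are
// hypothetical except the statusCode convention described on this page.
type Role = "admin" | "member";
type Membership = { orgId: string; userId: string; role: Role };
type Secret = { orgId: string; name: string };
type AuditEvent = { orgId: string; actorId: string; action: string };

// Constructed sample data.
const memberships: Membership[] = [
  { orgId: "org_1", userId: "alice", role: "admin" },
  { orgId: "org_1", userId: "bob", role: "member" },
];
const secrets: Secret[] = [];
const auditLog: AuditEvent[] = [];

function httpError(statusCode: number, message: string): Error & { statusCode: number } {
  return Object.assign(new Error(message), { statusCode });
}

// Stand-in for an RLS-scoped read: the caller only ever sees their own rows.
function readOwnMembership(callerId: string, orgId: string): Membership | undefined {
  return memberships.find((m) => m.userId === callerId && m.orgId === orgId);
}

// Data helper: authorize as the caller first, then do the privileged write.
function createSecret(actorId: string, orgId: string, name: string): Secret {
  const membership = readOwnMembership(actorId, orgId);
  // 404 rather than 403 so non-members cannot probe which organizations exist.
  if (!membership) throw httpError(404, "Organization not found");
  if (membership.role !== "admin") throw httpError(403, "Admin role required");
  const row: Secret = { orgId, name };
  secrets.push(row); // stand-in for the service-role write, which bypasses RLS
  auditLog.push({ orgId, actorId, action: "secret.create" }); // logged only after the write succeeds
  return row;
}

// Route handler side: translate statusCode into an HTTP response, hide anything else.
function toResponse(run: () => unknown): { status: number; body: unknown } {
  try {
    return { status: 201, body: run() };
  } catch (err) {
    const e = err as Partial<Error & { statusCode: number }> | null;
    if (typeof e?.statusCode === "number") return { status: e.statusCode, body: { error: e.message } };
    return { status: 500, body: { error: "Internal error" } };
  }
}
```

Errors without a statusCode fall through to a generic 500, so driver or database messages never reach the client.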