DEV Community

Cover image for Supabase Studio: AI Assistant and User Impersonation
Yuri for Supabase

Posted on • Updated on • Originally published at supabase.com

Supabase Studio: AI Assistant and User Impersonation

During the previous Launch Week we introduced text-to-sql in the SQL Editor within Supabase Studio. This was our first step towards a full AI Assistant.

Today, we're introducing the Supabase Assistant, an AI side-kick inside the dashboard, and a few new features that will take you from idea to production even faster.

Here's the birds-eye-view:

  • Row Level Security Policies: made easy with AI
  • Postgres Roles: Change the Studio's Postgres role
  • User Impersonation: visualize your security policies
  • Realtime Inspector: inspect and debug Realtime requests
  • Feature Previews: See what's hot off the press in Studio

Introducing the Supabase Assistant

We're excited to expand Studio's AI capabilities with our new Supabase Assistant.

Developers have been telling us that the text-to-sql feature inside the SQL Editor has dramatically increased their velocity (and their SQL abilities). AI is extremely powerful when combined with a schema-based database, like Postgres, because it can infer so much context from the schema and the database provides stricter guarantees with generated code. Our previous release solidified our belief that AI will be a key part of the future of database development.

Today, we're rolling out Assistant support in our Row Level Security editor and soon will expand to other places in Studio: the Table Editor, Postgres Functions, Serverless Functions, and more.

Let's jump in to Row Level Security first.

ai animation

Easy RLS Policies with AI

Of all the feature requests we get (and we get many!), an easier way to write Row Level Security Policies is one of the most frequent.

Row Level Security (RLS) is a Postgres feature that provides fine-grained access to your database. While RLS is powerful, writing Policies can be a chore. Today, we're releasing an AI-powered RLS Editor that makes it simple to write security policies.

The new RLS Editor brings SQL front-and-center. We want to give developers access to the full potential of Postgres, rather than abstracting it away. This editor is really two tools:

  1. A SQL Editor: if you know SQL really well, there's a new editor for you to quickly write your policies.
  2. An Assistant: if you're new to RLS and need some help, you can use the Assistant and chat your way through it.

example SQL editor

The Assistant has been tuned to produce SQL for Row Level Security, making it fast and easy to get your policies setup the way you need them.

We've explored various approaches and designs for the RLS Editor. This SQL-first approach, with assistance from AI, feels like the solution we've been seeking. The new RLS Editor can be enabled today via Feature Previews (more on that below). We'd love to hear your feedback.

Postgres Roles

You may have never thought about this, but Studio connects to your database just like any other Postgres client.

It uses the default Postgres role, postgres. The postgres role functions like your service role key, granting it admin privileges to your database. It has admin read and write privileges, and bypasses Row Level Security.

If you use our client libs, you'll be familiar with the anon and service_role API keys. These keys actually resolve into Postgres roles, also called anon and service_role. These keys are actually JWT tokens that contain the Postgres role:

{
  "role": "service_role", // the Postgres role
  "iss": "supabase"       // the issuer of the JWT
  "exp": 1445385600,      // the time the JWT will expire
}
Enter fullscreen mode Exit fullscreen mode

What if you could run the queries in Studio using the same Postgres roles you use in your applications? What if you could have the Studio pretend to use a different role than the default postgres role? Today, you can:

screenshot of dashboard

You can use the new Role dropdown to select a different Postgres role for your queries in Studio. This is a powerful tool for testing your Row Level Security policies and determining which data each role can access.

Let's build a Twitter/X clone to illustrate. In a Twitter clone, you:

  • have a tweets table with columns like user_id and content.
  • can set up Row Level Security so that only the author of a tweet can access and modify their own tweets.
  • can only see and edit the tweets you've authored.

When we query with the postgres role, we can see all the data. When we query with the anon no data is returned. This makes sense as we haven't yet created a policy to allow for anon access to this table.

The Role dropdown unlocks another handy capability: when combined with Supabase Auth it can even pretend to be a different user.

User Impersonation

Remember the API keys above? They can contain an additional field: sub. This is the user's ID. When you use the authenticated role, the sub field is the ID of the user who is logged in to your app:

{
  "sub": "348b-some-user-uuid", // the ID of the user
  "role": "authenticated",      // the Postgres role
  "iss": "supabase"             // the issuer of the JWT
  "exp": 1445385600,            // the time the JWT will expires
}
Enter fullscreen mode Exit fullscreen mode

We can impersonate a user in Studio by "minting" a JWT with their ID and then running the queries using that JWT.

Let's see it in action after we've written an RLS policy to allow users to view their own tweets. Here, we can choose the authenticated role, and select a specific user to see just their tweets. Here's all of our user's tweets:

Impersonation

The Table Editor is now impersonating our user.

You can impersonate any user in your project and see things exactly as they would. Any conditions in your RLS policies will be automatically reflected here in the table.

✨ Magic ✨

You can create RLS policies and test that they work exactly as you expect, right from the Studio.

The fun doesn't stop with the Table Editor. We've added Roles support to both the SQL Editor and GraphiQL as well. Let's repeat what we've done above by trying to select a list of our own tweets in the SQL Editor:

Impersonation

And in GraphiQL:

example

Combining this feature with the new RLS Editor, you're able to write and test RLS policies with real data in a matter of minutes. This makes the process of writing RLS policies many times faster and easier. If you've got feedback, we'd love to hear it.

Realtime Inspector

Supabase Realtime is great for building collaborative applications. You can receive database changes over websockets, store and synchronize data about user presence, and broadcast any data to clients via "channels".

Today we're releasing Realtime Inspector: an easy way to prototype, inspect, and debug Realtime directly in the Studio. You can use the Realtime Inspector to view messages being sent and received in channels. You can filter messages by type: presence, broadcast, and database changes.

Example realtime

And, of course, we've included the Roles dropdown here as well. You can view events by role and impersonate users just like the Table and SQL Editors.

If you use Realtime, you'll find the new inspector very handy. Please send along any feedback you've got.

Feature Previews

Today we're releasing Feature Previews, our tool for unveiling new features. We release beta features as Previews before making them generally available. You can see a list of features that are available for preview along with a screenshot and a brief description. Each feature includes a link to a Github Discussion for feedback.

We have a couple of goals with Feature Previews. We want to:

  • get features out to you faster
  • make it easier for you to give us feedback
  • shorten the iteration loop

The faster we can iterate with your feedback, the faster we can release features into general use.

While we consider these features to be beta releases, please know that we take your security, privacy and data integrity extremely seriously. Anything we release to Preview is tested with this in mind and is at a stage where we're looking for UX/UI feedback.

You can find our Feature Preview under the user avatar menu in the lower left:

example of screen

We currently have two features in preview:

  1. The new RLS Assistant that we looked at earlier:

RLS example

  1. And a revised API side panel:

API panel

We'll be actively keeping an eye on the Github Discussions and will be responding to your feedback.

Wrapping up

In this update, we've taken huge strides in enhancing your experience with Supabase.

  1. Row Level Security Policies: We've made it easier than ever to create Row Level Security policies with the help of our new Assistant. This feature dramatically simplifies the process of defining fine-grained access to your data.
  2. Postgres Roles and User Impersonation: Our new Roles selector allows you to visualize the impact of your security policies directly within the Studio. This lets you to see how different roles interact with your data, offering a powerful tool for testing access control.
  3. Realtime Inspector: With the Realtime Inspector, you can prototype, inspect, and debug Realtime messages. This tool will be very useful for those who use Supabase Realtime.
  4. Feature Previews: We've introduced Feature Previews to bring you new tools and features in the beta stage, making it easier for you to provide feedback and shape the development process.

These updates reflect our commitment to a SQL-first approach and a user-centric development. We look forward to your feedback as we continue to work hard making Supabase faster and easier for you to get your ideas out into the wild.

More Launch Week X

🚀 Learn more about Supabase

Top comments (14)

Collapse
 
fsansalvadore profile image
Francesco Sansalvadore

Supabase keeps getting better and better ❤️

Collapse
 
thorwebdev profile image
Thor 雷神

Love the demo video 🙌

Collapse
 
steve_val profile image
Steve_Val

Jon Meyers <3

Collapse
 
dshukertjr profile image
Tyler Shukert

I just played around with the user impersonation feature. It's so smooth and intuitive. I always wanted a debug feature to test out the RLS policy, but this feature went above and beyond what I was expecting.

Collapse
 
abc3 profile image
abc3 🇺🇦

It's impressive how the AI Assistant simplifies complex tasks like RLS Policies, making database management more intuitive. Also, the User Impersonation feature is a smart addition for testing and debugging. Keep up the great work!

Collapse
 
steve_val profile image
Steve_Val

yes! it's a life saver for debugging

Collapse
 
amyliumaiyi profile image
Amy Liu

The realtime inspector seems like it would be really useful.

Collapse
 
joshenlim profile image
Joshen Lim

The AI assistant will not just be super helpful in getting RLS policies out of the way but may potentially also serve as a learning companion for how to write policies! 💪Stoked about this one and how much further it can go

Collapse
 
egor_romanov profile image
egor romanov

user impersonation will simplify testing so much

Collapse
 
w3b6x9 profile image
Wen Bo Xie

Love that the Realtime Inspector is now built into Studio. Makes it super easy to test Realtime's features without setup.

Collapse
 
olirice profile image
Oliver Rice

nice! user impersonation is exactly what I need

Collapse
 
burmecia profile image
Bo Lu

I like the User Impersonation feature, it is a life saver for debugging.