# Tooling and Ecosystem Standards for Supabase

This document outlines the recommended tools, libraries, extensions, and best practices for developing applications with Supabase. Adhering to these standards will promote consistency, maintainability, performance, and security within your Supabase projects.

## 1. Core Development Tools

### 1.1 Supabase CLI

**Standard:** Use the Supabase CLI for local development, database migrations, and environment management.

* **Why:** The Supabase CLI provides a unified interface for interacting with your Supabase projects. It simplifies common tasks such as setting up a local development environment, managing database schema changes, and deploying your application.

**Do This:**

* Install the Supabase CLI: "npm install -g @supabase/cli" or "brew install supabase"

* Use "supabase init" to initialize a new Supabase project in your local directory.

* Use "supabase start" to start the local Supabase stack (Postgres, GoTrue, Storage, etc.).

* Use "supabase db diff" to generate migrations based on your local database changes.

* Use "supabase db push" to apply local migrations to your Supabase project.

* Use ".env" files to manage environment variables for local development.

**Don't Do This:**

* Manually manage database schemas without using migrations.

* Directly modify the remote database schema in production without first testing changes locally.

* Hardcode sensitive information (API keys, database passwords) in your application code.

**Example:**

Initialize a Supabase project and generate a migration:

"""bash

supabase init

supabase start

# Make changes to your local database schema

supabase db diff --schema public --name add_users_table # Name is important

supabase db push

"""

### 1.2 Supabase Studio

**Standard:** Use Supabase Studio for database exploration, data manipulation, and user authentication management.

* **Why:** Supabase Studio provides a user-friendly interface for interacting with your Supabase project. It allows you to easily browse your database schema, view and edit data, manage user accounts, and monitor your project's performance.

**Do This:**

* Access Supabase Studio through the Supabase dashboard.

* Use the Table Editor to view and modify data in your tables.

* Use the Authentication section to manage user accounts and configure authentication providers.

* Use the SQL Editor to run custom SQL queries against your database.

* Use the Storage section to manage files stored in Supabase Storage.

* Use the comprehensive logs to debug issues in real time.

**Don't Do This:**

* Store sensitive information in plain text in your database.

* Grant excessive permissions to users or roles.

* Expose your Supabase API keys or database credentials directly to clients.

### 1.3 Drizzle ORM

**Standard:** Utilize Drizzle ORM for type-safe database interactions, schema management, and complex queries.

* **Why:** Drizzle ORM provides a highly flexible and type-safe way to interact with your Supabase database. It allows you to define your database schema in code, generate migrations, and build complex queries with autocompletion and type checking. It integrates seamlessly with TypeScript and offers excellent performance.

**Do This:**

* Install Drizzle ORM and the Supabase Postgres driver: "npm install drizzle-orm @supabase/supabase-js pg"

* Define your database schema using Drizzle's schema builder.

* Use Drizzle's query builder to construct type-safe SQL queries.

* Generate migrations using Drizzle's migration tooling.

**Don't Do This:**

* Write raw SQL queries directly in your application code (except for very specific, performance-critical cases where ORM overhead is unacceptable).

* Ignore Drizzle's type checking and rely on runtime errors to catch database issues.

**Example:**

Define a table schema using Drizzle ORM:

"""typescript

import { pgTable, serial, text, timestamp } from 'drizzle-orm/pg-core';

export const users = pgTable('users', {

id: serial('id').primaryKey(),

name: text('name').notNull(),

email: text('email').notNull().unique(),

createdAt: timestamp('created_at').defaultNow(),

});

"""

Query data using Drizzle ORM:

"""typescript

import { drizzle } from 'drizzle-orm/postgres-js';

import postgres from 'postgres';

import { users } from './schema';

const connectionString = process.env.DATABASE_URL; // From .env

const client = postgres(connectionString);

const db = drizzle(client);

async function getUsers() {

const allUsers = await db.select().from(users);

console.log(allUsers);

return allUsers;

}

getUsers();

"""

### 1.4 PostgREST

**Standard:** Understand and leverage PostgREST's capabilities for building RESTful APIs directly from your PostgreSQL database. While Drizzle is preferred for more complex scenarios, PostgREST can be useful for simple CRUD operations.

* **Why:** PostgREST automatically generates a RESTful API from your database schema, allowing you to quickly expose your data to clients without writing custom server-side code.

**Do This:**

* Configure row-level security (RLS) policies to control access to your data.

* Use PostgREST's filtering and sorting capabilities to optimize data retrieval.

* Leverage PostgREST's OpenAPI specification for API documentation and client generation.

**Don't Do This:**

* Bypass RLS policies and expose sensitive data without proper authorization.

* Rely solely on PostgREST for complex business logic or data transformations.

* Overexpose the database schema structure.

**Example:**

Accessing users through PostgREST with necessary RLS policies ensures data security:

"""sql

-- Enable RLS on the users table

ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Create a policy to allow users to only see their own records

CREATE POLICY "Users can only see their own records" ON users

FOR SELECT

USING (auth.uid() = id);

-- Create a policy to allow users to update only their own records

CREATE POLICY "Users can update their own record" ON users

FOR UPDATE

USING (auth.uid() = id)

WITH CHECK (auth.uid() = id);

"""

## 2. Authentication and Authorization

### 2.1 Supabase Auth

**Standard:** Use Supabase Auth for user authentication and authorization.

* **Why:** Supabase Auth provides a secure and scalable authentication solution with built-in support for social providers, email/password authentication, and magic links.

**Do This:**

* Enable and configure the desired authentication providers in the Supabase dashboard.

* Use the Supabase client library ("@supabase/supabase-js") to handle user sign-up, sign-in, and sign-out.

* Implement proper error handling for authentication operations.

* Use Row Level Security (RLS) in conjunction with Auth to control access to data based on user roles and permissions.

**Don't Do This:**

* Store user passwords directly in your database.

* Implement custom authentication logic without leveraging Supabase Auth.

* Expose sensitive authentication tokens or secrets to clients.

**Example:**

Sign up a user using the Supabase client library and implementing error handling:

"""javascript

import { createClient } from '@supabase/supabase-js';

const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;

const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

const supabase = createClient(supabaseUrl, supabaseKey);

async function signUpUser(email, password) {

try {

const { data, error } = await supabase.auth.signUp({

email: email,

password: password,

});

if (error) {

console.error('Error signing up:', error.message);

return { success: false, error: error.message };

}

console.log('Sign up successful:', data);

return { success: true, data: data };

} catch (err) {

console.error('Unexpected error during sign-up:', err);

return { success: false, error: 'An unexpected error occurred.' };

}

}

"""

### 2.2 Row Level Security (RLS)

**Standard:** Implement Row Level Security (RLS) to control access to data at the database level.

* **Why:** RLS allows you to define fine-grained access control policies that determine which users can access which rows of data. This is crucial for protecting sensitive information and ensuring data privacy. Combining Auth with RLS is a powerful combination.

**Do This:**

* Enable RLS on tables containing sensitive data.

* Define policies that restrict access based on user roles, permissions, or other criteria.

* Use the "auth.uid()" function to identify the currently authenticated user.

* Thoroughly test your RLS policies to ensure they are working as expected.

**Don't Do This:**

* Disable RLS on tables containing sensitive data.

* Grant excessive permissions to users or roles.

* Rely solely on application-level logic to enforce access control.

**Example:**

Granting "authenticated" role permission to "read" only.

"""sql

CREATE POLICY "Users can read their own profile data."

ON profiles

FOR SELECT

USING (auth.role() = 'authenticated' AND auth.uid() = user_id); -- where can user_id come from?

"""

## 3. Realtime Functionality

### 3.1 Supabase Realtime

**Standard:** Utilize Supabase Realtime for building real-time features such as live updates, chat applications, and collaborative editing.

* **Why:** Supabase Realtime provides a scalable and reliable real-time messaging infrastructure based on WebSockets.

**Do This:**

* Use the Supabase client library to subscribe to database changes.

* Implement proper error handling for real-time events.

* Consider using channels to group related events and reduce network traffic.

**Don't Do This:**

* Expose sensitive data through real-time events without proper authorization.

* Overload the real-time server with excessive events.

**Example:**

Subscribing to changes on the "messages" table using Supabase Realtime:

"""javascript

import { createClient } from '@supabase/supabase-js';

const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;

const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

const supabase = createClient(supabaseUrl, supabaseKey);

supabase

.channel('any')

.on(

'postgres_changes',

{ event: '*', schema: 'public', table: 'messages' },

(payload) => {

console.log('Change received!', payload);

// Update the UI with the new data.

}

)

.subscribe();

"""

## 4. Edge Functions

### 4.1 Supabase Edge Functions

**Standard:** Use Supabase Edge Functions for serverless functions that run close to your users.

* **Why:** Edge Functions allow you to execute code at the edge of the network, reducing latency and improving performance. They are ideal for tasks such as request routing, authentication, and data transformation.

**Do This:**

* Write Edge Functions using TypeScript or JavaScript.

* Use the Supabase CLI to deploy Edge Functions to the Supabase platform.

* Implement proper error handling and logging for Edge Functions.

**Don't Do This:**

* Perform long-running or computationally intensive tasks in Edge Functions.

* Store sensitive information directly in Edge Function code.

* Overuse Edge Functions, as each invocation incurs a cost.

**Example:**

A simple Edge Function that returns "Hello, World!":

"""typescript

// index.ts

Deno.serve((req) => {

return new Response("Hello, World!", {

headers: { "Content-Type": "text/plain" },

});

});

"""

Deploy the function using the Supabase CLI:

"""bash

supabase functions deploy hello-world

"""

## 5. Storage

### 5.1 Supabase Storage

**Standard:** Use Supabase Storage for storing and serving files, such as images, videos, and documents.

* **Why:** Supabase Storage provides a scalable and secure storage solution with built-in support for access control and transformations.

**Do This:**

* Use the Supabase client library to upload and download files.

* Configure access control policies to restrict access to files.

* Use image transformations to optimize images for different devices and screen sizes.

**Don't Do This:**

* Store sensitive information in Supabase Storage without proper encryption.

* Grant excessive permissions to users or roles.

* Expose your Supabase Storage API keys or credentials directly to clients.

**Example:**

Uploading a file to Supabase Storage using the Supabase client library:

"""javascript

import { createClient } from '@supabase/supabase-js';

import { v4 as uuidv4 } from 'uuid';

const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;

const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

const supabase = createClient(supabaseUrl, supabaseKey);

async function uploadFile(file) {

const { data, error } = await supabase.storage

.from('avatars')

.upload("${uuidv4()}-${file.name}", file, {

cacheControl: '3600',

upsert: false

});

if (error) {

console.error('Error uploading file:', error);

return null;

}

console.log('File uploaded successfully:', data);

return data;

}

"""

## 6. Database Extensions

### 6.1 Recommended Extensions

**Standard:** Enable and use relevant PostgreSQL extensions to enhance your database functionality.

* **Why:** PostgreSQL extensions provide a wide range of features, such as full-text search, geospatial data types, and UUID generation.

**Do This:**

* Enable the "uuid-ossp" extension for generating UUIDs. "CREATE EXTENSION IF NOT EXISTS "uuid-ossp";"

* Enable the "pg_trgm" extension for fuzzy string matching. "CREATE EXTENSION IF NOT EXISTS pg_trgm;"

* Enable the "postgis" extension for geospatial data types and functions (if applicable). "CREATE EXTENSION IF NOT EXISTS postgis;"

* Consider other extensions based on your specific needs.

**Don't Do This:**

* Enable unnecessary extensions, as they can increase database overhead.

* Use extensions without understanding their implications.

**Example:**

Using the "uuid-ossp" extension to generate a UUID:

"""sql

INSERT INTO users (id, name, email) VALUES (uuid_generate_v4(), 'John Doe', 'john.doe@example.com');

"""

## 7. Framework Integrations

### 7.1 Next.js

**Standard:** Use the official Supabase Next.js starter template and library ("@supabase/auth-helpers-nextjs") for building server-rendered and static websites with Supabase.

* **Why:** The Supabase Next.js integration simplifies authentication, data fetching, and real-time updates in Next.js applications.

**Do This:**

* Use the "withPageAuth" higher-order component to protect pages requiring authentication.

* Use the "useSupabaseClient" hook to access the Supabase client in your components.

* Use Server Side Rendering (SSR) or Static Site Generation (SSG) to pre-render your pages for improved performance and SEO.

**Don't Do This:**

* Implement custom authentication logic in your Next.js application.

* Expose your Supabase API keys or database credentials directly to clients.

Example for protecting pages with authentication:

"""javascript

// pages/profile.js

import { withPageAuth } from '@supabase/auth-helpers-nextjs';

import { useSupabaseClient } from '@supabase/auth-helpers-react';

import { useState, useEffect } from 'react';

function Profile() {

const supabase = useSupabaseClient();

const [profile, setProfile] = useState(null);

useEffect(() => {

async function fetchProfile() {

const { data, error } = await supabase

.from('profiles')

.select('*')

.eq('user_id', supabase.auth.user().id)

.single();

if (error) {

console.error('Error fetching profile:', error);

} else {

setProfile(data);

}

}

fetchProfile();

}, [supabase]);

if (!profile) {

return Loading...;

}

return (

Welcome, {profile.name}!

{/* Display user profile data */}

);

}

export const getServerSideProps = withPageAuth({ redirectTo: '/login' });

export default Profile;

"""

### 7.2 SvelteKit

**Standard:** Leverage "supabase-js" with SvelteKit for building reactive web applications integrated with Supabase.

* **Why:** SvelteKit provides a modern, performant framework for building web applications, and "supabase-js" allows seamless integration with Supabase's features.

**Do This:**

* Wrap "supabase-js" with Svelte stores to manage state reactively.

* Use server-side "load" functions within SvelteKit routes for secure data fetching.

* Implement SvelteKit hooks for authentication management.

**Don't Do This:**

* Expose Supabase credentials directly in client-side code.

* Perform database operations directly in components without using SvelteKit's loading and action mechanisms.

### 7.3 Other Frameworks

**Standard:** Use the official or community-maintained Supabase client libraries for other frameworks, such as React, Vue.js, and Angular.

* **Why:** Using the appropriate client library will simplify integration with Supabase's features and ensure compatibility with the latest APIs.

**Do This:**

* Follow the documentation and best practices for the chosen framework.

* Use dependency injection or other techniques to manage the Supabase client instance.

* Implement proper error handling and loading states in your components.

**Don't Do This:**

* Implement custom logic for interacting with the Supabase API without using a client library.

* Ignore the framework's conventions and best practices.

## 8. Dependency Management

### 8.1 Package Managers

**Standard:** Use npm, yarn, or pnpm for managing project dependencies.

* **Why:** Package managers simplify the process of installing, updating, and removing dependencies, ensuring consistency across different environments.

**Do This:**

* Use a "package.json" file to define your project's dependencies.

* Use "npm install", "yarn install", or "pnpm install" to install dependencies.

* Use semantic versioning (semver) to specify dependency versions.

* Use lockfiles ("package-lock.json", "yarn.lock", or "pnpm-lock.yaml") to ensure consistent dependency versions across different environments.

**Don't Do This:**

* Manually manage dependencies without using a package manager.

* Commit the "node_modules" directory to your Git repository.

* Use wildcard version ranges for dependencies (e.g., "*" or "latest").

### 8.2 Supabase Client Library

**Standard:** Use the latest version of the "@supabase/supabase-js" client library.

* **Why:** The Supabase client library provides a convenient and type-safe way to interact with the Supabase API. Using the latest version ensures that you have access to the latest features and bug fixes.

**Do This:**

* Install the "@supabase/supabase-js" library using your package manager: "npm install @supabase/supabase-js" or "yarn add @supabase/supabase-js"

* Check for updates regularly and update the library when new versions are released.

* Refer to the Supabase documentation for the latest API changes and best practices.

## 9. Logging and Monitoring

### 9.1 Logging

**Standard:** Implement comprehensive logging throughout your application.

* **Why:** Logging provides valuable insights into your application's behavior, allowing you to identify and diagnose issues more easily.

**Do This:**

* Use a logging library such as "winston" or "pino" to write logs to a file or a logging service.

* Log important events, such as user sign-ins, database queries, and API requests.

* Include relevant context in your logs, such as user IDs, request IDs, and timestamps.

* Use different log levels (e.g., "debug", "info", "warn", "error") to indicate the severity of each log message.

**Don't Do This:**

* Log sensitive information, such as passwords or API keys.

* Write logs directly to the console in production.

* Ignore error conditions and fail to log important events.

### 9.2 Monitoring

**Standard:** Set up monitoring to track your application's performance and health.

* **Why:** Monitoring allows you to proactively identify and address issues before they impact your users.

**Do This:**

* Use a monitoring service such as Grafana, Prometheus, or Datadog to collect and visualize metrics.

* Monitor key metrics such as CPU usage, memory usage, database query times, and error rates.

* Set up alerts to notify you when certain thresholds are exceeded.

* Regularly review your monitoring dashboards.

**Don't Do This:**

* Ignore performance issues or error conditions.

* Fail to set up alerts for critical metrics.

* Rely solely on manual monitoring.

## 10. Code Formatting and Linting

### 10.1 Code Formatting

**Standard:** Use a code formatter such as Prettier to automatically format your code.

* **Why:** Code formatters ensure consistent code style across your project, improving readability and maintainability.

**Do This:**

* Install Prettier as a dev dependency: "npm install --save-dev prettier" or "yarn add --dev prettier"

* Configure Prettier to use your preferred code style settings.

* Run Prettier automatically on every commit using a Git hook.

**Configuration example (.prettierrc.js):**

"""javascript

module.exports = {

semi: true,

trailingComma: 'all',

singleQuote: true,

printWidth: 120,

tabWidth: 2,

};

"""

### 10.2 Linting

**Standard:** Use a linter such as ESLint to identify and fix code quality issues.

* **Why:** Linters help you catch potential bugs, enforce code style conventions, and improve the overall quality of your code.

**Do This:**

* Install ESLint as a dev dependency: "npm install --save-dev eslint" or "yarn add --dev eslint"

* Configure ESLint to use your preferred linting rules. Consider extending recommended configurations like "eslint:recommended" or specialized sets like those from Airbnb.

* Run ESLint automatically on every commit using a Git hook.

* Use TypeScript for type checking.

**Configuration example (.eslintrc.js):**

"""javascript

module.exports = {

env: {

browser: true,

es2021: true,

node: true,

},

extends: [

'eslint:recommended',

'plugin:@typescript-eslint/recommended',

'prettier', // Integrate with Prettier

],

parser: '@typescript-eslint/parser',

plugins: ['@typescript-eslint'],

rules: {

// Add or override rules as needed

'no-unused-vars': 'warn',

'no-console': 'warn'

},

};

"""

By adhering to these comprehensive tooling and ecosystem standards, your Supabase projects will benefit from improved maintainability, performance, security, and developer productivity. Remember that these are guidelines, and specific project needs may require slight adjustments. Regularly review and update these standards to reflect the latest best practices and Supabase updates.