SupabaseDB : With Authentication and Database

Security related issues:

• No good obfuscation. (API keys & url as raw) (on AppInventor & APK can be decompiled).
• Newbies: Don’t really get how RLS works. (User Auth & Roles & Schemes & Tables & Views).
• Newbies: Don’t really get how START works. (HOT & COLD).
• Supabase has a 'limited' free plan for Users Connected at Month: 50k MAU.
• SQL Injection & Sanitization of data pre CRUD on DB; Messages can be intercepted, modified, and sended to DB (MiM Atack), and then... Just CRUD???.
• It is not good to expose tables to direct CRUD operations; it is better to have well-defined logic for each option (GET, INSERT, MODIFY, DELETE, ETC.).

• When you create a QUERI from the client code (App), you are actually sending a string (sentence) in SQL or PL/PGSQL code, like; 'SELECT id, name FROM users WHERE active = true;'
• The client sends that string, the server parses it, validates (just the QUERI & not DATA) it, generates an execution plan, and only then runs it.
• You EXPOSE ID, TABLE_NAME, other PARAMETERS, SCHEMAS, etc. This facilitate RECON attacks by fingerprinting your DB
• Difficult to apply business rules or access restrictions if everything is done from the client side.
• Even with HTTPS, the payload is still a readable SQL || PL/PGSQL.
• Each QUERI sent as a string must be parsed and optimized by the engine on each execution. This consumes CPU and memory on the server.
• Raw QUERI do not reuse precompiled plans.
• QUERIs are usually longer, which affects mobile apps with unstable connections.
• When many clients send different QUERIs, the server cannot optimize globally. It becomes a bottleneck in high-concurrency scenarios.
• The client must know how to assemble correct queries. This increases the likelihood of errors.
• So... If QUERI needs to be modified for X reason:
  Instead of .jpg now it's .png || instead of ID now it's by GUID...

You must compile the app again, and if it's on the Play Store... Go through the update process.

• These are some of the most common and important problems of using QUERIs from the client. (App)

• RPC: The client does not build SQL || PL/PGSQL; it only calls functions with parameters.
• RPC: The logic is encapsulated → tables or internal structures are not exposed.
• RPC: RLS and roles can be applied directly to the function.
• RPC: Smaller attack surface: the client cannot execute arbitrary queries.
• RPC: Function execution plans can be cached. (START HOT vs COLD issue)
• RPC: Less traffic: only the function name + parameters are sent.
• RPC: Scalability: all clients call the same function → the DBA can optimize it (indexs).
• RPC: Logic is centralized → changes are made in the Supabase, not in client.
• VIEWS: They allow hiding sensitive columns and exposing only what is necessary.
• VIEWS: They can be combined with RLS to automatically filter rows.
• VIEWS: They act as an abstraction layer: the client never touches and even KNOW the tables || schemes, etc.
• VIEWS: They simplify complex queries → the engine can optimize better.
• VIEWS: Materialized Views allow caching heavy results (e.g., reports).
• VIEWS: They reduce the load on the client → it only queries the view as if it were a table.

So:

• Raw queries: if the logic changes (e.g., from ID to GUID), the app needs to be recompiled and redistributed.
• RPC: it is enough to modify the function in the database; clients continue calling it the same way.
• VIEWS: allow versioning of data exposure without breaking compatibility with client code.

Secure RPC over Views in Supabase + AppInventor

Instead of sending raw SQL queries from the client (which exposes table names, schema, and business logic), you can encapsulate everything inside a PostgreSQL function (RPC) that operates on a pre‑built, cached VIEW. This gives you three layers of protection and optimization:

VIEW:

• The VIEW hides the underlying tables and columns.
• It can be materialized (cached) to avoid “cold start” penalties and improve performance.
• It ensures the client never touches raw tables directly.

RPC (Function)

• The RPC receives sanitized parameters (dates, IDs, filters, etc.).
• It executes logic only against the VIEW, not the raw tables.
• Execution plans can be cached by PostgreSQL, so repeated calls are fast (“hot start”).

Obfuscation / Darkness Layer

• The RPC name can be something meaningless like RTGTEG.
• Parameters can be named xyz, hgf, jkl, iuy.
• To anyone intercepting the request, it looks like gibberish. Only the server knows the mapping.
• The actual logic (filtering, sanitization, aggregation) lives inside the function, invisible to the client.

CREATE MATERIALIZED VIEW sales_summary AS
SELECT DATE_TRUNC('month', sale_date) AS month,
       SUM(amount) AS total
FROM sales
GROUP BY 1;

CREATE OR REPLACE FUNCTION RTGTEG(
    xyz DATE,   -- start date
    hgf DATE,   -- end date
    jkl TEXT,   -- optional filter (e.g., region)
    iuy INT     -- optional limit
) RETURNS TABLE (month DATE, total NUMERIC) AS $
BEGIN
  RETURN QUERY
  SELECT month, total
  FROM sales_summary
  WHERE month BETWEEN xyz AND hgf
    AND (jkl IS NULL OR region = jkl)
  ORDER BY month
  LIMIT COALESCE(iuy, 100);
END;
$ LANGUAGE plpgsql SECURITY DEFINER;

CREATE VIEW safe_orders AS
SELECT id, customer_id, product_id, quantity, created_at
FROM orders;

CREATE OR REPLACE FUNCTION QWERTY(
    abc INT,     -- customer_id
    def INT,     -- product_id
    ghi INT      -- quantity
) RETURNS VOID AS $
BEGIN
  -- Sanitize inputs
  IF abc IS NULL OR def IS NULL OR ghi <= 0 THEN
    RAISE EXCEPTION 'Invalid input parameters';
  END IF;

  -- Insert into the real table (not exposed to client)
  INSERT INTO orders (customer_id, product_id, quantity, created_at)
  VALUES (abc, def, ghi, NOW());
END;
$ LANGUAGE plpgsql SECURITY DEFINER;

supabase.rpc("QWERTY", { abc: 42, def: 7, ghi: 3 })

RPC vs Raw Queries (Code Perspective)

Raw Queries:

sql

-- Client sends this as a string
'SELECT id, name FROM users WHERE active = true;'

• Exposure: Table names, schema, and logic are visible in the client code.
• Security risk: Vulnerable to SQL injection if not sanitized.
• Performance hit: Every query string must be parsed and planned on each execution.
• Maintainability issue: If schema changes, every client app must be updated and redeployed.

RPC (Remote Procedure Call)

sql

-- Define once in PostgreSQL
CREATE OR REPLACE FUNCTION get_active_users()
RETURNS TABLE (id INT, name TEXT) AS $
BEGIN
  RETURN QUERY SELECT id, name FROM users WHERE active = true;
END;
$ LANGUAGE plpgsql SECURITY DEFINER;

-- Client only calls
supabase.rpc("get_active_users");

• Encapsulation: Logic lives in the database, not in the client.
• Security: No schema exposure, parameters are sanitized, RLS and roles apply directly.
• Performance: Execution plans can be cached → faster hot starts.
• Maintainability: Update the function once, all clients benefit immediately.

VIEWS (Complementary Layer)

sql

CREATE VIEW active_users AS
SELECT id, name FROM users WHERE active = true;

• Abstraction: Clients query a simplified surface, not raw tables.
• Security: Hide sensitive columns, combine with RLS.
• Performance: Materialized views cache heavy computations.

Why This Matters

• Raw queries are quick to prototype but fragile, insecure, and inefficient at scale.
• RPCs give you a hardened, centralized, and optimized entry point for all CRUD operations.
• VIEWS let you expose only what’s necessary, simplify client code, and leverage PostgreSQL’s optimizer.

Next Steps

If you want to build better, more secure, and high‑performance apps with AppInventor, Supabase, or any client platform:

• Dive into PostgreSQL functions, triggers, and views.

• Learn how Row Level Security (RLS) works in Supabase.

• Explore materialized views for caching and reporting.

• Practice designing RPCs that sanitize inputs and encapsulate business logic.

• The more you master PostgreSQL’s advanced features, the more your apps will stand out: lighter clients, stronger security, and better performance.