Supabase RLS Tenant Scope Configurator
Component Detail
Description
Infrastructure utility that injects the selected organization ID into the Supabase client configuration so all subsequent queries are automatically scoped by tenant-aware RLS policies. Called once after org selection to set a session-level custom claim (app.current_org_id) that Supabase row-level security policies read to filter data to the correct tenant.
supabase-rls-tenant-configurator
Summaries
The Supabase RLS Tenant Scope Configurator is the enforcement point for multi-tenant data isolation — it ensures that every database query made by the mobile app is automatically restricted to the data of the organization the user has selected. Without this component, a user switching between organizations could inadvertently access or modify another organization's records, posing a serious data privacy and regulatory compliance risk. By setting a session-level claim that Supabase's Row Level Security policies read, the business achieves strong tenant boundaries without per-query filtering logic scattered across the codebase, reducing audit surface and simplifying compliance demonstrations.
This is a medium-complexity infrastructure component that sits on the critical path for any feature accessing tenant-specific data. It must be completed and verified before any data-reading features begin integration testing, as incorrect scoping would silently return wrong or empty datasets during QA. Scheduling risk is moderate: RLS policy configuration in Supabase must be coordinated with the backend/database team, and the mobile component must be tested against a multi-tenant staging environment. Recommend allocating buffer time for RLS policy iteration.
The verifyTenantScopeApplied method should be part of a pre-flight check that blocks data queries until confirmed, which adds a small but important integration test surface.
applyTenantScope(orgId) sets the Postgres session variable app.current_org_id via a Supabase RPC call or client header injection (e.g., using the global headers map on the Supabase client). With header injection, all subsequent PostgREST queries automatically include this header, and server-side RLS policies read current_setting('app.current_org_id') to filter rows. clearTenantScope() must be called during logout and org-switch flows before any new data is fetched. verifyTenantScopeApplied() performs a lightweight RPC ping to confirm the session variable is readable server-side, which makes it useful as a pre-condition assertion in integration tests.
getCurrentTenantScope() provides synchronous local state for debugging and UI guards without an async round-trip.
Responsibilities
- Set app.current_org_id session variable in Supabase client
- Verify RLS tenant scope is applied before allowing data queries
- Reset tenant scope on org switch or logout
- Expose current tenant scope state for debugging
Interfaces
applyTenantScope(String orgId) -> Future<void>
clearTenantScope() -> Future<void>
getCurrentTenantScope() -> String?
verifyTenantScopeApplied() -> Future<bool>
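The four interface methods combined with a fail-closed pre-flight gate, as an added Dart example rather than the project's own code. ScopeTransport, InMemoryTransport, guarded and the org IDs are hypothetical names standing in for the Supabase RPC or header plumbing, which this page does not show.

```dart
abstract class ScopeTransport { // hypothetical stand-in for the Supabase plumbing
  Future<void> setOrg(String? orgId); // set or clear app.current_org_id
  Future<String?> readOrg(); // value the server reports for this session
}

class TenantScopeConfigurator {
  TenantScopeConfigurator(this._transport);
  final ScopeTransport _transport;
  String? _orgId; // local view only, not proof of server-side state
  bool _verified = false;
  String? getCurrentTenantScope() => _orgId;

  Future<void> applyTenantScope(String orgId) async {
    await clearTenantScope(); // drop the previous tenant first
    await _transport.setOrg(orgId);
    _orgId = orgId;
  }
  Future<void> clearTenantScope() async {
    _verified = false; // close the gate before the network call
    _orgId = null;
    await _transport.setOrg(null);
  }
  Future<bool> verifyTenantScopeApplied() async {
    final local = _orgId;
    final seen = await _transport.readOrg(); // scope may change while we wait
    return _verified = local != null && local == _orgId && seen == local;
  }
  Future<T> guarded<T>(Future<T> Function() query) async { // pre-flight gate
    if (!_verified) throw StateError('tenant scope not verified');
    return await query();
  }
}

class InMemoryTransport implements ScopeTransport { // constructed test double
  String? serverValue;
  bool dropWrites = false; // simulates a scope that never reaches the server
  Future<void> setOrg(String? orgId) async { if (!dropWrites) serverValue = orgId; }
  Future<String?> readOrg() async => serverValue;
}

Future<void> main() async {
  final t = InMemoryTransport();
  final scope = TenantScopeConfigurator(t);
  await scope.applyTenantScope('org-a'); // constructed org IDs
  print(await scope.verifyTenantScopeApplied());
  await scope.guarded(() async => print('query runs as org-a'));
  t.dropWrites = true; // the switch to org-b never reaches the server
  await scope.applyTenantScope('org-b');
  print(await scope.verifyTenantScopeApplied());
}
```

Because the org ID is supplied by the client, the RLS policy should also confirm that the authenticated user belongs to that organization.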