I want to use Supabase only for real-time updates of the PostgreSQL database.
Meaning that I don't want to allow anon/authenticated to read/update/insert/delete, but only want to push live changes using their Realtime feature.
Is this possible? (Setting the RLS to be extremely restrictive while still allowing broadcasting of new changes?)
This is perhaps a bit of an XY problem; still, it would be nice if this were possible.
I want user requests to go through my server-side code first, where I do a number of manipulations before completing their request using API XYZ/Supabase SERVICE_ROLE. They should not be able to query any part of the database client-side (even if they were allowed to receive that information realtime), not even for a read, ideally.
The reason for this is that I do need a real-time component that cannot be solved by using server-side code (cannot deploy SSE/WS on Vercel...).
Right now I use https://authjs.dev/reference/adapter/supabase, but I've already seen that blocking anon/authenticated from reading rows also (obviously) blocks them from receiving realtime updates.
Ideally I want something unidirectional that can be restricted to just be unidirectional, something like Server-Sent Events. Or WebSockets with no permission to write requests. Is this possible?