news.ycombinator.com

Migrating from Supabase - Hacker News

5/19/2023 · Updated 2/28/2026

Excerpt

Even though it looks like a great product initially, it has a lot of errors and bugs when you are trying to actually build something more robust than a toy app. Local development is a massive pain with random bugs. The response time of the database also varies all over the place. But the most important problem that we faced was having so much of application logic in the database.

…

Expressivity was challenging, but was compounded by security being implicit. I couldn't look at any given spot in my code and confirm what data it's allowed to access - that depends on the privileges of the current DB connection. Once you mix in connections with cross-user privileges, that's a risky situation to try to secure. Imagine a 1-million-row table and a query with `WHERE x=y` that should result in about 100 rows. Postgres will do RLS checks on the full 1 million rows before the WHERE clause is involved at all.

…

searchableguy on May 19, 2023

You should make the default editor read only and allow switching to write mode with a big warning. This would discourage people from writing SQL or using the UI to modify in production. The dashboard has always screamed "use me to edit" and I have used Supabase in the beginning and very recently too. Nothing has changed to discourage it so far. Maybe something like a mode button which is present at the top and you can click to switch between development and production mode? This would also change a couple more things which you do not want to touch in production by accident. If anything, I think the admin dashboard encouraging directly doing operations on the database is the biggest weakness of Supabase. I would much prefer being able to lock it down to purely CI-driven migrations.

…

I also had a tough time working w/ an app someone else built on Supabase. We kept bumping up against what felt like "I know feature X exists in Postgres, but it's 'coming soon' in Supabase." IIRC the blocker was specific to the trigger/edge function behavior.
However, after reflecting more, I don't remember enough to make a detailed case. Perhaps the issue was with our use of the product.

Source URL

https://news.ycombinator.com/item?id=36004925

Related Pain Points

Direct-to-database architecture doesn't scale to complex applications

8

Supabase's pitch of connecting client-side SDKs directly to the database via RLS works for toy applications but becomes unmanageable with realistic schema complexity (20+ tables with intricate relationships). Developers must add backend servers anyway, negating the abstraction benefit.

architecture, Supabase, Row Level Security

Row-Level Security (RLS) causes severe query performance degradation

7

When Row-Level Security is enabled in production, query execution plans degrade dramatically. Fast SELECT queries become slow with unexpected multi-table joins, and indexes become ineffective, turning a simple database operation into a performance nightmare.

performance, PostgreSQL, Row-Level Security

Local to production deployment environment discrepancies

7

Functions that work correctly in local development environments fail in production, exemplified by Axios errors occurring exclusively in deployed web applications, complicating debugging.

deploy, OpenAI API, Axios

Supabase admin dashboard encourages unsafe production modifications

7

The Supabase dashboard defaults to write-mode access and actively encourages direct SQL or UI-based modifications to production databases. This increases the risk of accidental destructive operations and undermines CI-driven migration practices.

security, Supabase

Row-Level Security policies difficult to debug and manage

6

Debugging RLS policies requires diving into the Supabase dashboard, making them disconnected from the main codebase. Complex policies are time-consuming to debug and misconfiguration can expose data.

config, Supabase, PostgreSQL RLS

Limited query expressivity compared to raw SQL

6

Supabase client does not support raw SQL queries or advanced PostgreSQL features. Developers must work around these limitations by creating stored procedures or views, which places application logic in the database and requires leaving the editor to modify code stored in the GUI.

dx, Supabase