by yurisagalov on 5/10/22, 4:08 PM with 126 comments
by kiwicopple on 5/10/22, 5:44 PM
I want to give a big shout-out to the HN crowd. You have been instrumental in our growth - both from a traction perspective, but even more so for product development.
From our initial launch 2 years ago[0], where everyone told us we need auth, to our Auth[1], Storage[2], Functions[3], and GraphQL[4] launches. You are always giving great (and usually tough!) feedback which helps guide the team and product direction.
I will be around briefly to answer questions, then back tomorrow to cover anything unanswered (it's very late where I am!)
[0] https://news.ycombinator.com/item?id=23319901
[1] Auth: https://news.ycombinator.com/item?id=24072051
[2] Storage: https://news.ycombinator.com/item?id=26635184
[3] Functions: https://news.ycombinator.com/item?id=30868849
[4] GraphQL: https://news.ycombinator.com/item?id=30846006
by halotrope on 5/10/22, 7:59 PM
There are issues of course (slow dashboard, some inconsistencies in auth, shaky self-hosting story, a little bloated JS client libs) but in general they have a solid offering that is only getting better.
I can't stress enough how there is really nothing quite like it out there at the moment. I get that the HN crowd is always very skeptical, esp. with the somewhat airy opensource/self-hosting story that seems a little deprioritized to handle the (probably insane) growth. The escape hatches might be a bit rusty at the moment, but compare that with Firebase and it's a little inconvenient in SB vs a prison in FB.
I am quite optimistic about Supabase and I wish the team the best of success.
by ehathaway on 5/10/22, 5:41 PM
Even in light of the following critiques, I feel like it's one of the simplest ways for an experienced developer to start a new project, and it's now my go-to over spinning up a database, Firebase, ORMs, and other database abstractions.
My main critiques are:
- As others have said, default security is way too permissive. They should lock everything down by default. At some point, this is going to cause major problems for some company that decides to build off Supabase.
- Although they have row-level security, RBAC is completely missing. It's not hard to implement yourself through stored procedures and triggers (they have an example repo to copy from), but I don't see a lot of junior devs doing this.
- Stored procedures are more likely to be utilized in the Supabase paradigm, but I haven't felt like they have done much to address the inherent weakness and common critiques of using sprocs instead of application level functions.
- Escape hatches are missing in their fork of GoTrue (why did they fork it in the first place - now there are two competing versions?). It's still not clear to me how to add data to the JWT or get access to the JWT through their SDK.
- Slow dashboard with rendering problems. It doesn't render correctly on my Fedora laptop. And the slow speed becomes pretty annoying almost right away.
- I have experienced data loss when using their SQL editor. So now I copy all the SQL I write to a local file or just do everything through DBeaver.
- Lack of backups on the free tier. They should give this away for free up to a storage limit. Backups are a critical part of development and I don't have full trust in Supabase given that I've already experienced data loss through their UI.
- Misleading marketing. They make implicit claims all over the place on what they offer but then have disclaimers on their code bases about certain features not being production ready.
They clearly have work ahead of them, but I'm optimistic about the potential for Supabase and I look forward to the improvements!
by jfvinueza on 5/11/22, 12:54 AM
Have used Supabase in several applications; it's an amazing product. And what I'm the most grateful about it is that I came to it as a self-taught front end dev, and it taught me the beauty and power of the relational database itself. Trends and technologies will come and go, but the heart of a software project, as I understood it, will usually lie in its data model. I was intimidated by it, and then, after Supabase, I was not.
Now, I'm especially hyped on the realtime capabilities showcased in multiplayer.dev: in a recent project we had to implement a chat service quite quickly, and although through Supabase we already had an Elixir server set up and working, it still revolves around Postgres replication, which didn't really feel right and did impose some limitations. This led us to use Centrifugal, an OSS Go microservice, which has worked great... but it felt a bit like a missed opportunity. I didn't find any Elixir-based rt-as-a-service product, and it looks like you guys are in a great position to tackle that space. So there's that.
Anyways, good luck and thanks again for your hard work!!
by dinvlad on 5/10/22, 10:31 PM
1) Auth tokens currently use symmetric signatures, which makes them less useful for zero-latency verification in runtimes like Cloudflare Workers, and also less interchangeable with other auth systems (although it is possible to interchange still by implementing a token minting endpoint ourselves, but that's extra effort and latency). This would also be really useful for integrations with Firebase Auth, which is ironically needed for interoperability with other Firebase products not yet in Supabase :-) It would be great if you switched to standard RS256 + .well-known OIDC endpoints.
2) Recently added built-in database-driven GraphQL module is ingenious, but would benefit greatly from Realtime capability (and I know that's hard!)
3) It's a bit unclear what the multi-zonal or multi-regional (!) story is for Postgres. This would be very useful not just for HA, but for globally-distributed (reduced latency!) scenarios, like the ones addressed by Fly.io Postgres, for example. I know, global ACID is hard and expensive, but if we could get closer to that (for example, similarly to Fly.io), that would be amazing! Right now, it's not clear what the latency story is for users accessing Supabase from half-across the world. If you could document that at least a bit (incl. which region(s) Supabase is deployed in so we could place our backends closer to those), that would be awesome!
Thanks so much, this is such an amazing and unique (!) product that really fills the void left over by Firebase, particularly due to the lack of major progress on Firestore in recent years.
by sk55 on 5/10/22, 4:55 PM
by MaxLeiter on 5/10/22, 6:39 PM
by housel on 5/10/22, 10:53 PM
by babl-yc on 5/10/22, 4:57 PM
From a quick glance at the docs, it looks like they make progress towards the first but not sure about the latter: https://supabase.com/docs/guides/auth/row-level-security
by citilife on 5/10/22, 5:16 PM
Some glowing reviews there... lol
by kache_ on 5/10/22, 4:16 PM
by KaoruAoiShiho on 5/10/22, 6:10 PM
by wasd on 5/10/22, 9:55 PM
Let's say I have Customer 1 who owns Document 2, 3. Document will have a foreign key pointing to Customer. How do I ensure that Customer 1 can't access Document 1?
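The ownership check asked about above can be enforced in the database itself with row-level security. The following is an added example, not part of the thread and not Supabase's own code: it is plain PostgreSQL meant to be run as a superuser in a scratch database, and the table names, the `app_user` role, the `app.customer_id` setting and the `current_customer_id()` helper are all assumptions (on Supabase, the row-level-security guide linked earlier in the thread uses `auth.uid()` where the helper appears).

```sql
-- Constructed schema for illustration; every name here is an assumption.
CREATE TABLE customers (id bigint PRIMARY KEY);
CREATE TABLE documents (
    id          bigint PRIMARY KEY,
    customer_id bigint NOT NULL REFERENCES customers (id),
    body        text
);

-- Seed data matching the question: customer 1 owns documents 2 and 3,
-- document 1 belongs to someone else (customer 2).
INSERT INTO customers VALUES (1), (2);
INSERT INTO documents VALUES (1, 2, 'not yours'), (2, 1, 'a'), (3, 1, 'b');

-- Hypothetical helper: reads the caller's identity from a session setting.
-- Unset or empty yields NULL, so every policy comparison fails closed.
CREATE FUNCTION current_customer_id() RETURNS bigint
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.customer_id', true), '')::bigint
$$;

-- Policies are ignored until RLS is enabled; once it is enabled, a table
-- with no matching policy denies all rows to non-owner roles.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well (superusers still bypass).
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts/updates that would assign a row to another owner.
CREATE POLICY documents_owner_only ON documents
    FOR ALL
    USING (customer_id = current_customer_id())
    WITH CHECK (customer_id = current_customer_id());

-- Unprivileged role standing in for the API's database user.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Act as customer 1.
SET ROLE app_user;
SET app.customer_id = '1';
SELECT id FROM documents ORDER BY id;            -- filtered by the policy
UPDATE documents SET body = 'x' WHERE id = 1;    -- matches no visible row
INSERT INTO documents VALUES (4, 2, 'forged');   -- rejected by WITH CHECK
RESET ROLE;
```

The setting must be written only by the trusted layer that authenticated the caller; a client able to issue its own `SET` could claim any customer id.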
by bladegash on 5/10/22, 10:36 PM
I think the sentiment has been shared here by others, but I think authentication and authorization are going to be your biggest hurdles, yet biggest revenue drivers in the future (e.g., enterprises, startups, etc).
I’d honestly love to see you guys come up with a novel OIDC solution, maybe even using Keycloak as the model/goal (which also follows the trend of Supabase innovating on existing tech).
Excited to see where you all go from here and the sky is the limit!
by mathackernews on 5/11/22, 12:24 AM
When you first launched I recall seeing an advertisement for a CEO position at Supabase which I thought was surprising for such an early stage startup. It looks like that never eventuated which I am pleased to see. I am curious about the backstory behind seeking an external CEO and then concluding not to?
by adamnemecek on 5/10/22, 5:48 PM
by _query on 5/10/22, 4:50 PM
by jordiburgos on 5/11/22, 2:15 PM
by Lyn_layerci on 5/10/22, 10:13 PM
by alberth on 5/10/22, 7:14 PM
I've read over the years how people get super upset at Amazon for taking an open source project, (sometimes) adding some code to it and then hosting and monetizing it. The argument being that Amazon is monetizing on the backs of countless open source developers. Hence why the Commons Clause has been added to a number of open source projects to prevent this from happening.
Supabase seems to be loved by HN (haven't tried it yet but looks interesting).
Isn't Supabase just a wrapper around the open source Postgres database (which is BSD licensed)?
by ushakov on 5/10/22, 5:29 PM
i deleted my account immediately after receiving a spam e-mail
this practice is illegal in EU
by bgorman on 5/10/22, 4:45 PM
For a product whose whole purpose is to enable developers to move faster, the product misses the mark completely. If I were CEO I would shift all resources to fixing the UI and SDK.
I would guess out of all the people who have signed up, less than 1% have actually made a “working” frontend.