RBAC docs / example uniqueness

[mrjogo]

I'm modifying the RBAC example from https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac, and it seems like the assumption (in public.custom_access_token_hook and public.authorize) is that a user can only have one role at a time. However, the public.user_roles table has the constraint unique (user_id, role). Should that be unique(user_id) or am I misunderstanding something?

[GaryAustin1]

Supabase appears to have made that guide only allow one role per user. Both the claim not being an array and the table having a unique column with both role and id enforce that.

But it is just an example. You could certainly create an array for the role claim and change the constraint. But you would also then have to deal with RLS on the role treating it as an array of roles in your policies.

[mrjogo]

Doesn't the table having the uniqueness constraint with BOTH role and user_id mean an ID can have multiple roles? ie, this is valid user_roles data:

user_id | role
--------+----------
123     | admin
123     | moderator

[GaryAustin1]

You are correct the table could handle multiple roles and does not stop multiple roles per user being inserted. The role claim would need to be an array and not sure what else would need to change.