This is not a negative statement against Supabase, but heed my warning:
Do not build out your MVP on supabase. If you need to scale and want a MSP do it after the MVP. Detangling the lock in is not fun.
Everything offered by supabase is easily found elsewhere without the MSP lock in.
This isn't fair feedback. You have to be more specific about the "lock in". Supabase itself is just managed Postgres and can be self-hosted. The entire point is that everything they offer is open source and easily found elsewhere.
I can imagine they fall short in some aspects from that ideal and I would love to know your experience but even with your first sentence this is just a pretty damning write off.
Disclaimer: I'm NOT a Supabase employee, just a happy user.
People keep writing this, doesn't Supabase rely on spinning up additional services to leave, meaning you can't leave to another managed offering?
Off the top of my mind, PostgREST and go-true? https://github.com/supabase/auth
-
If you use Postgres you're "locked" into Postgres: a technology with a laundry list of providers.
If you leave Supabase, you'll lose the fully managed aspect of 99% of the Postgres providers out there, which confirms the pain the parent comment is describing.
this is no different than running, say, Rails on a managed service. You can take the service and you run it somewhere else: each individual service is wrapped into a docker image which should make it easy.
You can use as many or as few of the services as you want - its designed it that way:
https://supabase.com/docs/guides/getting-started/architectur...
This just sidesteps what I said?
Supabase is most attractive to those without the skills to run an unmanaged service
A bespoke solution, even if it's open, doesn't mean it's as portable as a very standard solution.
If you want portability, the parent comment was right: don't embed Supabase deeply into your application.
You're suggesting a hosted Postgres offering isn't "as portable" as a very standard solution?
This isn't DynamoDB here, this is about as standard as it gets. I'm failing to find the supposed lock-in being talked about here.
Is having your frontend hook directly into to your database without a backend a standard? I almost exclusively saw it in locked in BaaS platforms over the years (like Firebase)
I've barely even seen PostgREST offered managed: is even one managed Postgres provider with the right combination of PostgREST and go-true to let you move over today?
Edit: I also don't get why this is such a point of contention...
Since when is BaaS not just a trade off between initial velocity and later stage lock-in? The former is not worthless, but like most tools you should understand the tradeoffs involved
I'm guessing a "managed postgREST" would look like a docker container deployed to AWS App Runner or Google Cloud Run with the standard Postgres RDS hocked up to it.
let me have another run at it:
Supabase is just a Postgres platform, and you can use it like that so that you can migrate away to any one of those laundry list. We _also_ provide some tools which are nicely integrated but importantly: they are optional
No, not if you don't use those other services. If you _do_ decide to use another service, then yes, you need to spin it up to leave (or migrate to something else). Hence my comment: this is no different than running, say, Rails on a managed service.
Sorry, confused by the wording: what does 'spinning up' mean here?
Configure and begin running
Better step away from your keyboard then, until you start to use something and getting locked in.
Point is that if you need to be free, the barrier is lowER.
You can just take the Auth server, run it yourself with an AWS RDS instance for example, keep up with updates and be good to go.
Yes you get a good UI with Supabase, and even much of that can be hosted yourself.
I've used it for a couple uni/personal projects to get some experience, and firebase for the same. I'm concerned about getting locked in, what other providers do you recommend who can let me migrate more easily?
Supabase is one of the most portable platforms out there.
The whole stack is self-hostable and open source. All of the data are contained in Postgres. You're one pg_dump away from being able to switch to a different Postgres host. Or if you're switching to something else entirely, you can export the data to CSVs and take it anywhere. But we're confident you won't want to :)
disclaimer - Supabase employee
Not in my experience. The documentation and infra is just not there to make it easy to use an external postgres db.
we know of many, many companies using Supabase self-hosted or with an external database.
if you have any problems, feel free to reach out to me directly. We want this to be simple (and you can see that there are non-supabase commentors in this thread who are self-hosting, so it's not just lip service)
I self host a couple supabase instances.
That said it feels like every other week there's an update that breaks the self hosted compose, looking through the GitHub issue tracker shows a few issues where the suggestion is "oh yeah the latest X image doesn't work, regress the version to get it running"
I really like supabase, but stability on the self hosted images is my biggest gripe with it currently.
That does not track with anything I've ever seen out of using Supabase
If you target Postgres, just about any Postgres instance works the moment you enter a connection URL.
You can hop from one managed Postgres offering to another in 10 minutes and lose no functionality. Everything from auth to programming (and even RLS implemented in the query space) will work instantly: no additional software needed.
Are you claiming that's the case with Supabase and its JWT auth/RLS entanglement?
You can use supabase simply as a Postgres provider. Supabase is just postgres, and you can choose to use any tool we provide (or not)
I've so far found the most value in authentication, so thank you for a great self hostable product
supabase, directus and similar are just wrappers on top op postgres. I just spin up local postgres instance for personal project and see no reason to get vendor locked-in myself.
We're using Supabase for a client project and even three sprints in, we're severely hobbled by having to play with a couple of architectural choices forced on us with Supabase and Supabase Auth. Any of the time savings benefits have been wiped out already just fighting the choices and also the subtle differences between the local dev environment, implementing RLS without good tooling.
On an architectural level, it is also terrifying to have your database exposed to the public internet just hidden behind authentication and RLS policies (which are much harder to reason about for most developers, and for which there is very immature tooling, a recipe for disaster).
Plus the local dev experience leaves a lot to be desired. We spent days trying to get file uploads working only to find that the issue was with local Supabase, and we had to create a remote Supabase database just to upload files successfully. But then we can't "reset" the database to run migrations.
The product is definitely much less smooth to develop on and I've had to provide dozens of hours of free client consulting work to untangle my recommendation of Supabase (didn't feel right to charge them to fix a product choice that I recommended to them).
Right now I'm in a strong "never again" view on this set of technologies. At least not for a long time until the tooling improves.
But it seems like there are some happy customers. So would love to hear a counterpoint of how they overcame all the issues we've faced:
- how are your security teams ok with exposing your PG server to the internet, relying mainly on RLS? And RLS isn't turned on by default, so full tables are exposed to the public internet by default, behind a rather nice REST API.
- Reliance on RLS for a public service seems risky because RLS quickly gets harder to maintain as you have to get more complex policies in place without much tooling to help you.
- how about the fact that some of your most important code, the RLS policies code, is hard to unit test with today's tooling? And they recommend pgTAP, which, who knows how big this community is?
That combination seems highly risky to me.
Our best bet right now has been to just install prisma and implement more traditional filtering on top of RLS, and just not rely at all on client side connections to postgres. So in a nutshell, moving away from Supabase specific architecture to more traditional architecture. The real "It's just postgres"
Tooling is improving constantly and security really is at the top of mind for us. We've got some cool announcements this week that will keep reminding you if you're doing something sketchy!
An access-simulator where you can check if a user (or anon) has some type of access would be helpful.
we actually have this:
https://supabase.com/blog/studio-introducing-assistant#user-...
and you can expect to see another related launch this week with some more in-depth tooling:
https://github.com/supabase/splinter
Good to hear, thanks.
I really am trying to provide constructive criticism (even if my tone is not great because the pain I'm continuing to feel with the platform is still fresh).
I do think you guys are in a great position to actually improve all that tooling around RLS. Tools that can analyze your policies, that can visually map the recursive nature of policies that run, etc.
Kinda sounds like "client side connections to postgres" was the poor decision at root of your security concerns, not the choice of provider
Client side connections and RLS are the Supabase blessed path in the getting started docs
Don't go to production with what's in "getting started".
But that is the path that Supabase strongly recommends if you use their tech stack.
I fully agree that some of the issues (like poor RLS tooling) doesn't necessarily fall on Supabase's shoulders. But this is the path that Supabase strongly recommends.
So you kind of can't have it both ways and say "Supabase is just Postgres" but then say "this is not our problem, it's postgres", right?
I actually think Supabase is in a GREAT position to actually build some of this missing tooling. They're probably now the single largest beneficiary of more people using RLS.
So I do think they will tackle this problem, it is a smart team. I just think that because of these issues, as a cohesive platform, it definitely doesn't feel fully baked (or "generally available" status) yet.
What were the troubles you faced?
If it's postgres with easily available plugins, then where is the lock in?