Back to Details

supabase-expert

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

🗄️ Skill: supabase-expert

🗄️ 技能:Supabase专家

Description

简介

Senior specialist in the Supabase ecosystem, focused on high-security server-side authentication (SSR), Row Level Security (RLS) enforcement, and the 2026 "Secret Key" infrastructure. Expert in building resilient, real-time applications using Next.js 16.1 and PostgreSQL.
Supabase生态系统资深专家,专注于高安全性服务器端认证(SSR)、行级安全(RLS)实施,以及2026年的「可撤销密钥」基础设施。擅长使用Next.js 16.1和PostgreSQL构建高韧性实时应用。

Core Priorities

核心优先级

  1. Cookie-Based SSR: Mandatory use of 
    @supabase/ssr
    with Next.js Server Components and Actions.
  2. RLS Enforcement: 100% coverage with RLS enabled by default and AI-validated policies.
  3. Key Security: Transitioning to "Revocable Secret Keys" and preventing leaks via GitHub Push Protection.
  4. Real-time Efficiency: Optimizing presence and broadcast for high-concurrency 2026 environments.
  1. 基于Cookie的SSR:强制在Next.js Server Components和Actions中使用
    @supabase/ssr
  2. RLS实施:默认启用RLS并实现100%覆盖,搭配AI验证的策略。
  3. 密钥安全:过渡到「可撤销密钥」,并通过GitHub Push Protection防止密钥泄露。
  4. 实时效率:针对2026年高并发环境优化在线状态(presence)和广播功能。

🏆 Top 5 Gains in Supabase 2026

🏆 2026年Supabase的5大核心升级

  1. Revocable Secret Keys: Granular, temporary keys for server-side work that replace the static 
    service_role
    .
  2. AI Security Advisor: Automated RLS auditing via 
    Splinter
    to find and fix policy holes.
  3. Asymmetric JWTs: Enhanced security for session verification without sharing secrets.
  4. PPR Support: Seamless integration with Next.js Partial Pre-rendering for instant authenticated shells.
  5. GitHub Push Protection: Native blocking of commit leaks for Supabase keys.
  1. 可撤销密钥:用于服务器端工作的细粒度临时密钥,替代静态
    service_role
    密钥。
  2. AI安全顾问:通过
    Splinter
    自动进行RLS审计,发现并修复策略漏洞。
  3. 非对称JWT:无需共享密钥即可增强会话验证的安全性。
  4. PPR支持:与Next.js Partial Pre-rendering(部分预渲染)无缝集成,实现即时认证外壳。
  5. GitHub Push Protection:原生阻止Supabase密钥在提交时泄露。

Table of Contents & Detailed Guides

目录与详细指南

1. Next.js 16 SSR & Auth FlowCRITICAL

1. Next.js 16 SSR & 认证流程CRITICAL(关键)

  • Setting up the 
    createServerClient
  • Secure 
    getUser()
    vs. 
    getSession()
  • Middleware and Session refreshing in 2026
  • 配置
    createServerClient
  • 安全的
    getUser()
    vs 
    getSession()
  • 2026年的中间件与会话刷新

2. RLS Patterns & Security AdvisorCRITICAL

2. RLS模式与安全顾问CRITICAL(关键)

  • Ownership, RBAC, and Public Access patterns
  • AI-Assisted RLS optimization
  • Column-Level Security (CLS)
  • 所有权、RBAC(基于角色的访问控制)和公共访问模式
  • AI辅助的RLS优化
  • 列级安全(CLS)

3. Real-time & Sync StrategyHIGH

3. 实时与同步策略HIGH(重要)

  • Postgres Changes, Broadcast, and Presence
  • Throttling and payload optimization
  • Handling massive presence events per second
  • Postgres变更、广播和在线状态
  • 限流和负载优化
  • 处理每秒大量在线状态事件

4. Database OptimizationMEDIUM

4. 数据库优化MEDIUM(中等)

  • Postgres Indexes and Performance
  • Transitioning to "Revocable Keys" for migrations
  • Edge Function best practices
  • Postgres索引与性能
  • 迁移到「可撤销密钥」
  • Edge Function最佳实践

Quick Reference: The "Do's" and "Don'ts"

快速参考:「应做」与「不应做」

Don'tDo
supabase-js
in Server Components
@supabase/ssr
(createServerClient)
getSession()
on server
getUser()
(Required for security)
auth-helpers-nextjs
Use 
@supabase/ssr
(Latest standard)
Service Role Key in 
NEXT_PUBLIC_*
Revocable Secret Keys (Server-only)
Disable RLS for "simple" tablesRLS enabled by default + Policies
Manual session refresh in actionsMiddleware-based auto-refresh
Optimized for Supabase 2026 and Next.js 16.1. Updated: January 22, 2026 - 14:59
不应做应做
在Server Components中使用
supabase-js
使用
@supabase/ssr
(createServerClient)
在服务器端使用
getSession()
使用
getUser()
(安全要求)
使用
auth-helpers-nextjs
使用
@supabase/ssr
(最新标准)
NEXT_PUBLIC_*
中使用Service Role Key		使用可撤销密钥(仅服务器端)
为“简单”表禁用RLS默认启用RLS + 配置策略
在Actions中手动刷新会话基于中间件的自动刷新
针对Supabase 2026和Next.js 16.1优化。 更新时间:2026年1月22日 14:59