Row Level Security (RLS) is currently disabled on the mood_entries table in Supabase.
This means any request that presents the project's public anon key, whether or not the caller is signed in to Clerk, can read or write every user's rows; without RLS the Supabase API enforces no per-user isolation at all.
The app uses Clerk for authentication, not Supabase Auth, so Supabase currently receives no JWT it can verify and auth.uid() returns NULL for every request. Note also that auth.uid() casts the token's sub claim to uuid, and Clerk user IDs (user_...) are not UUIDs, so even after the integration the policies have to read sub as text rather than rely on auth.uid().
To properly secure the table we need Supabase to verify Clerk-issued JWTs so that the Clerk user ID carried in the token's sub claim is available to RLS policies on every request.
What needs to be done:
Enable RLS on mood_entries (once enabled with no policies the anon and authenticated roles see no rows; only service_role bypasses RLS, so that key must never ship to the client)
Configure Supabase to accept Clerk-issued JWTs: a custom JWT template in Clerk signed with the Supabase project's JWT secret (HS256), whose claims include sub = Clerk user ID and role = "authenticated" so that PostgREST switches to the authenticated Postgres role
Create a Supabase client that fetches the Clerk session token for that template (getToken({ template: '<template name>' }) from Clerk) and sends it as the Authorization: Bearer header on each request
Add RLS policies for SELECT, INSERT, UPDATE, DELETE scoped to user_id = the token's sub claim, read as text via a small SQL helper or auth.jwt() ->> 'sub'; do not use auth.uid()::text, since the uuid cast inside auth.uid() fails on Clerk IDs
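The migration below is an added example of steps 1 and 4 together, not code from the repo. It assumes mood_entries lives in the public schema and has a text column user_id holding the Clerk user ID, and that the Clerk JWT template puts that ID in sub and sets role to "authenticated". The helper name requesting_user_id is an arbitrary choice.

```sql
-- Added example (not the project's own migration). Assumptions:
--   * public.mood_entries has a text column user_id holding the Clerk user ID
--   * the Clerk JWT template emits sub = Clerk user ID and role = "authenticated"

-- 1. Read the Clerk user ID from the verified JWT as text.
--    auth.uid() would cast sub to uuid and fail on IDs like "user_2abc...".
create or replace function public.requesting_user_id()
returns text
language sql
stable
as $$
  select nullif(current_setting('request.jwt.claims', true)::json ->> 'sub', '');
$$;

-- 2. Turn RLS on. Until policies exist, anon and authenticated get no rows;
--    service_role still bypasses RLS, so keep that key server-side.
alter table public.mood_entries enable row level security;

-- 3. One policy per operation, limited to the authenticated role so requests
--    that only carry the anon key are rejected outright.
create policy "mood_entries_select_own" on public.mood_entries
  for select to authenticated
  using (user_id = public.requesting_user_id());

-- INSERT needs WITH CHECK so a caller cannot write rows for someone else.
create policy "mood_entries_insert_own" on public.mood_entries
  for insert to authenticated
  with check (user_id = public.requesting_user_id());

-- UPDATE needs both: USING picks which rows may be touched, WITH CHECK stops
-- the caller from reassigning user_id to another user on the way out.
create policy "mood_entries_update_own" on public.mood_entries
  for update to authenticated
  using (user_id = public.requesting_user_id())
  with check (user_id = public.requesting_user_id());

create policy "mood_entries_delete_own" on public.mood_entries
  for delete to authenticated
  using (user_id = public.requesting_user_id());

-- 4. Check from the SQL editor by simulating a Clerk token for a constructed
--    user ID; the count of rows belonging to anyone else must be 0.
begin;
  set local role authenticated;
  set local request.jwt.claims to '{"sub":"user_2abc","role":"authenticated"}';
  select count(*) from public.mood_entries where user_id <> 'user_2abc';
rollback;
```

auth.jwt() ->> 'sub' can replace the helper in each policy if you prefer not to add a function; the helper just keeps the four policies identical and makes the text comparison explicit. Run the check in step 4 with a second constructed sub as well to confirm that the same query returns that user's rows and nobody else's.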