How do I check my Lovable app for Supabase RLS bugs myself?

Short answer

Log in as User A, note a piece of your data (account ID, order ID). Log out, log in as User B. Try to fetch User A's data via the API route or Supabase query with User A's ID. If it returns, you have a broken RLS policy. Repeat for every user-data table. 15-minute self-audit.

Do the manual test first — it's fast and genuinely reassuring. You need two test accounts on your own app.

**Manual test (15 minutes):**

1. Sign up or log in as User A. Create an order, post, message, or whatever your app tracks per user. Note its ID.
2. Log out. Sign up or log in as User B.
3. Open your app's API routes directly. If you fetch orders at `/api/orders/<id>`, try fetching User A's order ID while logged in as User B.
4. If User B gets User A's data, you have broken access control.
5. Repeat for every user-scoped table: orders, messages, posts, account info, files.

**Supabase-specific RLS audit:** Open Supabase dashboard → Authentication → Policies. For each table with user data, verify:

- RLS is enabled (toggle is ON at the top)
- At least one policy exists per operation (SELECT, INSERT, UPDATE, DELETE)
- Every SELECT policy references `auth.uid()` or a JWT claim
- No policy uses `using (true)` — that's equivalent to no policy
- If multi-tenant, the policy also scopes by tenant ID

**Common broken patterns in Lovable apps:**

- RLS disabled entirely on a table (the generator sometimes skips it)
- Policy exists but uses `using (true)` (all rows readable)
- Only a SELECT policy; INSERT/UPDATE/DELETE left open
- Tenant/user scoping done in the API layer but NOT in the database policy (bypassable if the API route has an ID-swap bug)
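The audit checklist and the broken patterns above, as an added SQL example (not from the original post or from Supabase) for a hypothetical `public.orders` table with `id`, `user_id` and `tenant_id` columns; the `tenant_id` JWT claim is an assumption about how your app issues tokens. Paste it into the Supabase SQL editor.

```sql
-- BROKEN: the policy exists but is equivalent to having no policy at all,
-- because "true" lets every authenticated client read every row.
create policy "orders readable" on public.orders
  for select using (true);

-- FIXED: enable RLS on the table, drop the open policy, and add one policy
-- per operation that scopes by the caller's user ID and tenant.
alter table public.orders enable row level security;
drop policy if exists "orders readable" on public.orders;

create policy "orders: owner select" on public.orders
  for select to authenticated
  using (user_id = auth.uid()
         and tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);  -- assumed custom claim

create policy "orders: owner insert" on public.orders
  for insert to authenticated
  with check (user_id = auth.uid()
              and tenant_id = (auth.jwt() ->> 'tenant_id')::uuid);

create policy "orders: owner update" on public.orders
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());   -- stops reassigning a row to another user

create policy "orders: owner delete" on public.orders
  for delete to authenticated
  using (user_id = auth.uid());

-- AUDIT 1: tables in the public schema with RLS switched off.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;

-- AUDIT 2: policies whose USING or WITH CHECK clause is literally "true".
select tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- AUDIT 3: which operations each table actually has a policy for, so a
-- table covered for SELECT only stands out.
select tablename, array_agg(distinct cmd order by cmd) as covered_operations
from pg_policies
where schemaname = 'public'
group by tablename;
```

Run the three audit queries again after every Lovable regeneration; a table that reappears in the first result set means the generator dropped RLS on it.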

**Automated:** Securie's free scan (launching this year) will run through every table in your Supabase project and every API route in your Lovable app, testing RLS both statically (reads the policies) and dynamically (tries cross-tenant reads). Join the list for a week-1 run — the plain-English report says 'orders table leaks between tenants' in human words, not SQL jargon.
