Issue with FlutterFlow and Supabase Native Integration: Suggestions for Improvement

Currently, in the native integration between FlutterFlow and Supabase, the JWT token generated for the authenticated user is not included in requests made using FlutterFlow's native triggers. This presents a significant problem, as it prevents us from working with RLS (Row-Level Security) policies effectively.

We are forced to work only with public tables or use RLS policies in "public" mode, which lacks the ability to implement customized security measures. The native requests include the Authorization header using the "Anon Key" configured in the FlutterFlow project, and there is no way to pass dynamic values to the request headers.

To overcome this limitation, we need to create custom request models such as curl-based APIs to include the user's JWT and leverage the claims data for RLS policies. This makes the use of the native integration between FlutterFlow and Supabase insecure and impractical for secure use cases.

Does anyone know of a solution using the native integration, or do we still need to rely on custom solutions?

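An added example, not part of the original post and not FlutterFlow or Supabase code: a small inspector that decodes the bearer token on an outgoing request and reports which identity RLS policies would evaluate, to confirm whether a call carries the anon key or the user's JWT. It assumes the anon key is itself a JWT with a `role` of `anon`, that user tokens carry `role` `authenticated` plus a `sub` claim, and that the `apikey` header is present; the function names and sample tokens are constructed for illustration.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed sample token (placeholder signature, not a real key)."""
    return ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                     _b64url(claims), "constructed-signature"])

def jwt_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def classify_request(headers: dict) -> dict:
    """Report the role and subject that RLS policies would see for these headers."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    result = {"role": None, "sub": None, "rls_sees_user": False}
    if scheme.lower() != "bearer" or not token:
        return result
    try:
        claims = jwt_claims(token)
    except ValueError:  # malformed or non-JWT credential
        return result
    role, sub = claims.get("role"), claims.get("sub")
    # Per-user policies need an authenticated role AND a subject to compare against.
    return {"role": role, "sub": sub,
            "rls_sees_user": role == "authenticated" and bool(sub)}

# Constructed sample data (assumed claim layout, placeholder user id).
ANON_KEY = make_sample_jwt({"iss": "supabase", "role": "anon"})
USER_JWT = make_sample_jwt({"role": "authenticated", "aud": "authenticated",
                            "sub": "00000000-0000-0000-0000-000000000001"})
# What the post describes: the anon key reused as the bearer token.
NATIVE_REQUEST = {"apikey": ANON_KEY, "Authorization": f"Bearer {ANON_KEY}"}
# The custom API call workaround: the user's JWT as the bearer token.
CUSTOM_REQUEST = {"apikey": ANON_KEY, "Authorization": f"Bearer {USER_JWT}"}

if __name__ == "__main__":
    for name, hdrs in (("native", NATIVE_REQUEST), ("custom", CUSTOM_REQUEST)):
        print(name, classify_request(hdrs))
```

Decoding here is for inspection only; the signature is not checked, so the output must not be used for authorization decisions.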